Resubmissions

03/03/2021, 11:53

210303-jg1rqnnv7a 10

03/03/2021, 11:35

210303-3hqbhblvcn 10

Analysis

  • max time kernel
    151s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03/03/2021, 11:53

General

  • Target

    KMSAuto Net.exe

  • Size

    2.1MB

  • MD5

    26d067caae83528460ed322ae8cf7ab9

  • SHA1

    470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f

  • SHA256

    564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93

  • SHA512

    7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt

Ransom Note
******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted.
It means that your files are not damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key.
You can easily restore all your files.
We guarantee that all your files will be successfully decrypted after paying.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email [email protected]
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files
YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
m7uF2wMnEjZPWZk77en5lFKHnG8KBKeyUEWu+GtXV78SwEe8zRQuZTzzUdMTqqzo
E2I6x+m2H7qwwjjz0jgLsosvd4/NCsHkiFvUlBolGNVljggix9dsPP9pXtoHSGCA
ZCl0l/uBXuWxKWoWbwg5Ng6jP2B7Px1HaNxnXrI5X/YDqN+YamL4soTKtxV+HXa0
g4DOIIBnaNx6btQx/9+lu4GAEcxnhnkb3eB5s1t3gpBcvgnz6FDItM0Pz7evQDPL
qUQJLJDtSofdkF5xfCEDSTDpxnhWf31R9WODWL7zNFi/njGEaslO13tuvj1OiDRM
MCUf5o0FB5W5U5eXxB7fBw==
----------END STEEL KEY----------

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
    "C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
      "C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Users\Admin\AppData\Local\Temp\loader.exe
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Loads dropped DLL
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        PID:1780
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "
      2⤵
      PID:1184
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2028
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnpublishUnlock.asp
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1224

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1092-384-0x000007FEF7510000-0x000007FEF778A000-memory.dmp
    Filesize: 2.5MB
  • memory/1780-25-0x0000000003480000-0x0000000003491000-memory.dmp
    Filesize: 68KB
  • memory/1780-24-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize: 4KB
  • memory/1780-23-0x00000000006BD000-0x00000000006BE000-memory.dmp
    Filesize: 4KB
  • memory/1780-26-0x0000000003890000-0x00000000038A1000-memory.dmp
    Filesize: 68KB
  • memory/1780-27-0x0000000003480000-0x0000000003491000-memory.dmp
    Filesize: 68KB
  • memory/1784-12-0x00000000007C0000-0x00000000007C1000-memory.dmp
    Filesize: 4KB
  • memory/1784-13-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize: 4KB
  • memory/1784-2-0x00000000760D1000-0x00000000760D3000-memory.dmp
    Filesize: 8KB
  • memory/2028-382-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp
    Filesize: 8KB