Analysis

max time kernel: 151s
max time network: 12s
platform: windows7_x64
resource: win7v20201028
submitted: 03-03-2021 11:53

Static task: static1
Behavioral task: behavioral1 (Sample: KMSAuto Net.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: KMSAuto Net.exe, Resource: win10v20201028)

General

Target: KMSAuto Net.exe
Size: 2MB
MD5: 26d067caae83528460ed322ae8cf7ab9
SHA1: 470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f
SHA256: 564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93
SHA512: 7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81
Malware Config

Extracted from: C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
Extracted indicators (contact e-mail addresses in the ransom note):
  x_coded@protonmail.com
  X_coded@protonmail.com
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID 1032  SWEfghd678hfjbbhbGFrca.exe
  PID 1780  loader.exe

Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (File created by loader.exe):
  C:\Users\Admin\Pictures\OpenEnter.tif.xFjdo
  C:\Users\Admin\Pictures\RenameConnect.tif.xFjdo
  C:\Users\Admin\Pictures\WatchRename.png.xFjdo
  C:\Users\Admin\Pictures\DisconnectMeasure.tiff.xFjdo
  C:\Users\Admin\Pictures\EnterRequest.raw.xFjdo
  C:\Users\Admin\Pictures\ExportGroup.png.xFjdo
  C:\Users\Admin\Pictures\FindAdd.png.xFjdo

Loads dropped DLL (6 IoCs)
Processes:
  PID 1784  KMSAuto Net.exe
  PID 1032  SWEfghd678hfjbbhbGFrca.exe (recorded 4 times)
  PID 1780  loader.exe

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  loader.exe  File opened (read-only)  \??\A:
  loader.exe  File opened (read-only)  \??\B:

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes:
  rundll32.exe  Key created  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings

Opens file in notepad (likely ransom note) (1 IoCs)
Processes:
  PID 2028  NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  PID 1780  loader.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  PID 1224  rundll32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (source -> target; each pair is recorded 4 times):
  PID 1784 KMSAuto Net.exe  wrote to memory of  PID 1032 SWEfghd678hfjbbhbGFrca.exe
  PID 1784 KMSAuto Net.exe  wrote to memory of  PID 1184 cmd.exe
  PID 1032 SWEfghd678hfjbbhbGFrca.exe  wrote to memory of  PID 1780 loader.exe
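Added example, not code from the sandbox report or from the sample: a small Python parser that takes the flattened "wrote to memory of" and "File created" signature text exactly as it appears above, collapses the repeated WriteProcessMemory records into one parent/child edge each, rebuilds the chain KMSAuto Net.exe -> SWEfghd678hfjbbhbGFrca.exe -> loader.exe (plus the cmd.exe child), and recovers the suffix loader.exe appends to user files. The regular expressions are my own and assume the text layout used on this page; the two sample strings are copied substrings of the signatures above.

```python
"""Rebuild the process tree and ransom suffix from flattened sandbox signature text.

Added example for this report; the regexes target the page's own text layout
(process names may contain spaces, e.g. "KMSAuto Net.exe") and are not a format
specification from the sandbox vendor.
"""
import re
from collections import OrderedDict

# Constructed inputs: verbatim substrings of the WriteProcessMemory and
# "Modifies extensions of user files" signatures on this page.
WPM_TEXT = (
    "PID 1784 wrote to memory of 1032 1784 KMSAuto Net.exe SWEfghd678hfjbbhbGFrca.exe "
    "PID 1784 wrote to memory of 1032 1784 KMSAuto Net.exe SWEfghd678hfjbbhbGFrca.exe "
    "PID 1784 wrote to memory of 1184 1784 KMSAuto Net.exe cmd.exe "
    "PID 1032 wrote to memory of 1780 1032 SWEfghd678hfjbbhbGFrca.exe loader.exe"
)
FILE_TEXT = (
    "File created C:\\Users\\Admin\\Pictures\\OpenEnter.tif.xFjdo loader.exe "
    "File created C:\\Users\\Admin\\Pictures\\WatchRename.png.xFjdo loader.exe"
)

# "PID <src> wrote to memory of <dst> <src> <src name> <dst name>" records run
# together on one line; names are matched lazily up to the next " PID " or end.
WPM_RE = re.compile(
    r"PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (.+?\.exe)(?= PID |$)"
)
FILE_RE = re.compile(r"File created (\S+) (\S+\.exe)")


def parse_wpm(text):
    """Return {(src_pid, src_name): [(dst_pid, dst_name), ...]}, repeats collapsed.

    The sandbox logs every WriteProcessMemory call, so the same parent/child pair
    shows up several times; one edge per pair is what the tree needs.
    """
    tree = OrderedDict()
    for src, dst, src_name, dst_name in WPM_RE.findall(text):
        children = tree.setdefault((int(src), src_name), [])
        if (int(dst), dst_name) not in children:
            children.append((int(dst), dst_name))
    return tree


def extensions_written(text):
    """Map writer process -> set of extensions it created (the appended ransom suffix)."""
    out = {}
    for path, proc in FILE_RE.findall(text):
        out.setdefault(proc, set()).add("." + path.rsplit(".", 1)[-1])
    return out


def render(tree, root):
    """Depth-first text rendering of the chain starting at root=(pid, name)."""
    lines = []

    def walk(node, depth):
        lines.append("  " * depth + f"{node[1]} (PID {node[0]})")
        for child in tree.get(node, []):
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    tree = parse_wpm(WPM_TEXT)
    print(render(tree, (1784, "KMSAuto Net.exe")))
    print(extensions_written(FILE_TEXT))
```

The root is the submitted sample's PID (1784), which is the only PID that never appears as a target; the NOTEPAD.EXE and rundll32.exe entries in the process list below are separate roots and do not appear in the WriteProcessMemory data at all.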
Processes

C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe  (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\loader.exe  (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      - Executes dropped EXE
      - Modifies extensions of user files
      - Loads dropped DLL
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe  (level 2)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "

C:\Windows\system32\NOTEPAD.EXE  (level 1)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\rundll32.exe  (level 1)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnpublishUnlock.asp
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\libeay32.dll
  MD5:    ec82afce1ecb9ea8083e366ba4676762
  SHA1:   49c610f556e1ff28759448181dc3cfb378429134
  SHA256: a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1
  SHA512: be57b8ab59d7d725041eef30b08426cd4a2ff5aebbd00932ee55a11f88f8a0a6cffa4939669a0a35f395bd022ee388d01e9cce96e89516c1257d283135a649de

C:\Users\Admin\AppData\Local\Temp\loader.exe
  MD5:    549e20cd5baca7c1b01209933b563e2a
  SHA1:   a27d9eeffd06e35ef75ca1a7157340c11d426dad
  SHA256: b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c
  SHA512: 11be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218

C:\Users\Admin\AppData\Local\Temp\selfdstr.bat
  MD5:    988ec406a5c0022b37fd5a1d2b4edef9
  SHA1:   a29c6a34c03bb184ae133364f0f6d1cf45932036
  SHA256: 0ad086c508fbfcddf656e24bc88190ff070dccb5b88577e6514d164072ee3d85
  SHA512: a31778f252e810e22b367c05d4daeb53ad7c1aa28573f0c90a710d7227b9e431a78734dfc7745ad3b5e9fe4bfe6247dd0f44dc1d6791dab61c6fee7c6a6964ce

C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
  MD5:    734ebe963716a9ba20ffb75dceff80ea
  SHA1:   8f98635aa27f50340ebd380ec4743855734f2a35
  SHA256: 55388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf
  SHA512: 19fc995018a40a5a323cd962d991a83c58b170b1c6492b36cba85578d491465669666a002179aa2d461ab45bfbb568f6916ab04ea1dcd23778db3a0adb498d0a
C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
  MD5:    561a2373196fbccdb31b026c385d76db
  SHA1:   4bda9df6e3b3882ab1900d008510b64f5ea80996
  SHA256: 68287c102ab02a329b7d5b1f1a87afdba92d276f696bd4baeca1056bf0e5c818
  SHA512: c323cf4c57bcda5e294a854ff58b9d894fcd61e1dbadcdc027200a052c738db464911491ffb6bfc19579ac1def0b43ab12815b26d568c622ce3711022a4a8a42
memory/1032-4-0x0000000000000000-mapping.dmp
memory/1092-384-0x000007FEF7510000-0x000007FEF778A000-memory.dmp  (filesize 2MB)
memory/1184-8-0x0000000000000000-mapping.dmp
memory/1780-25-0x0000000003480000-0x0000000003491000-memory.dmp  (filesize 68KB)
memory/1780-24-0x0000000000270000-0x0000000000271000-memory.dmp  (filesize 4KB)
memory/1780-23-0x00000000006BD000-0x00000000006BE000-memory.dmp  (filesize 4KB)
memory/1780-26-0x0000000003890000-0x00000000038A1000-memory.dmp  (filesize 68KB)
memory/1780-27-0x0000000003480000-0x0000000003491000-memory.dmp  (filesize 68KB)
memory/1780-18-0x0000000000000000-mapping.dmp
memory/1784-12-0x00000000007C0000-0x00000000007C1000-memory.dmp  (filesize 4KB)
memory/1784-13-0x0000000000230000-0x0000000000231000-memory.dmp  (filesize 4KB)
memory/1784-2-0x00000000760D1000-0x00000000760D3000-memory.dmp  (filesize 8KB)
memory/2028-382-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp  (filesize 8KB)
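Added example, my own code and not part of the sandbox report: a host sweep that looks for the artefacts this report lists, by dropped-file name, by the .xFjdo suffix loader.exe appends, by the ransom-note filename, and by SHA256 of the dropped files. The hashes and names are copied from the Signatures and Downloads sections above; the directory tree the demo scans is constructed for the example, and the 64 MB cap on what gets hashed is my own choice (a 2 MB dropper cannot hide in a larger file, and hashing every encrypted document is wasted I/O).

```python
"""Sweep a directory tree for the indicators listed in this sandbox report.

Added example; hash values and filenames below are copied from the report,
everything else (scan logic, size cap, demo tree) is constructed here.
"""
import hashlib
import os
import tempfile

# SHA256 of the dropped files, from the Downloads section of the report.
KNOWN_SHA256 = {
    "b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c": "loader.exe",
    "55388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf": "SWEfghd678hfjbbhbGFrca.exe",
    "0ad086c508fbfcddf656e24bc88190ff070dccb5b88577e6514d164072ee3d85": "selfdstr.bat",
    "a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1": "libeay32.dll",
    "68287c102ab02a329b7d5b1f1a87afdba92d276f696bd4baeca1056bf0e5c818": "HOW_TO_RESTORE_FILES.txt",
}
RANSOM_EXT = ".xFjdo"                     # suffix loader.exe appends to user files
RANSOM_NOTE = "HOW_TO_RESTORE_FILES.txt"  # note written to the Desktop
DROPPED_NAMES = {"SWEfghd678hfjbbhbGFrca.exe", "selfdstr.bat", "loader.exe"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files do not get read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known=KNOWN_SHA256, hash_limit=64 << 20):
    """Return [(path, reason)] for every file matching a report indicator.

    Name and extension checks are cheap and run on everything; hashing is
    skipped above hash_limit (assumed cap, my choice) because the dropped
    files are all small and large encrypted files cannot match them.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                findings.append((path, "ransom note filename"))
            elif name.endswith(RANSOM_EXT):
                findings.append((path, "encrypted-file extension " + RANSOM_EXT))
            elif name in DROPPED_NAMES:
                findings.append((path, "dropped-file name"))
            try:
                if os.path.getsize(path) <= hash_limit:
                    digest = sha256_file(path)
                    if digest in known:
                        findings.append((path, "sha256 matches " + known[digest]))
            except OSError:
                continue  # unreadable or transient file; keep sweeping
    return findings


def build_demo(tmp):
    """Constructed sample tree (not from the report): a ransom note, one
    'encrypted' picture, and one clean file."""
    os.makedirs(os.path.join(tmp, "Desktop"), exist_ok=True)
    os.makedirs(os.path.join(tmp, "Pictures"), exist_ok=True)
    with open(os.path.join(tmp, "Desktop", RANSOM_NOTE), "w") as f:
        f.write("contact x_coded@protonmail.com\n")
    with open(os.path.join(tmp, "Pictures", "OpenEnter.tif" + RANSOM_EXT), "wb") as f:
        f.write(b"\x00" * 32)
    with open(os.path.join(tmp, "Pictures", "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")
    return tmp


def demo():
    """Run the sweep over the constructed tree and return {basename: reason}.

    A stand-in blob is registered in the hash set so the hash path is exercised
    without needing the real dropper on disk.
    """
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        blob = b"constructed stand-in for a dropper"  # not a real sample
        with open(os.path.join(tmp, "evil.bin"), "wb") as f:
            f.write(blob)
        known = dict(KNOWN_SHA256)
        known[hashlib.sha256(blob).hexdigest()] = "constructed stand-in"
        return {os.path.basename(p): r for p, r in sweep(tmp, known=known)}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{reason:40s} {name}")
```

On a live host the sweep would be pointed at each user profile (the report shows the dropper under AppData\Roaming, the loader and the self-delete batch under AppData\Local\Temp, and the note on the Desktop); a hit on the .xFjdo suffix or the note name is far more likely than a hash hit, because selfdstr.bat exists precisely to remove the dropped files once encryption is done.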