Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
151s -
max time network
12s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
03/03/2021, 11:53
General
-
Target
KMSAuto Net.exe
-
Size
2.1MB
-
MD5
26d067caae83528460ed322ae8cf7ab9
-
SHA1
470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f
-
SHA256
564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93
-
SHA512
7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
Ransom Note
******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer
accessible because they have been encrypted. It means that your files are not
damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key. You can easily restore all your files.
We guarantee that all your files will be successfully decrypted after paying.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email [email protected]
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files
******************************????????!******************************
??? ???? ????? ??????????? STEEL Ransomware!
??? ?????????? ???????????? ???????? ????????? ??????????.
?? ?????? ???????????? ????????? ?????:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
???? ?????????, ?????, ????, ???????? ? ?????? ????? ?????? ??????????,
?????? ??? ??? ???????????. ??? ??????, ??? ???? ????? ?? ??????????, ??
??????????????. ???????? ??????? ?????????? ????????????.
???????? ??? ????????? ????? ???????????? ??????????! ?? ?????? ?????
???????????? ??? ?????. ?? ???????????, ??? ??? ???? ????? ????? ???????
???????????? ????? ??????. ? ???????? ?????????????? ??????????? ?????-
??????? ?? ????? ????????? ???????????? 2 ????? ???????? ?? ????? 2 ??.
????????! ????? 7 ???? ???? ????? ???????!
??? ???????????? ??????
1)????????? ? ???? ????? e-mail [email protected]
2)???????? 350 USD ?? monero ???????, ??????? ?? ?????? ???
3)????????? ??? ????, ????????????? ? ????? ????? ?????????.
4)???????? ?????????-?????????? ? ????
5)??????????? ???? ?????
YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
m7uF2wMnEjZPWZk77en5lFKHnG8KBKeyUEWu+GtXV78SwEe8zRQuZTzzUdMTqqzo
E2I6x+m2H7qwwjjz0jgLsosvd4/NCsHkiFvUlBolGNVljggix9dsPP9pXtoHSGCA
ZCl0l/uBXuWxKWoWbwg5Ng6jP2B7Px1HaNxnXrI5X/YDqN+YamL4soTKtxV+HXa0
g4DOIIBnaNx6btQx/9+lu4GAEcxnhnkb3eB5s1t3gpBcvgnz6FDItM0Pz7evQDPL
qUQJLJDtSofdkF5xfCEDSTDpxnhWf31R9WODWL7zNFi/njGEaslO13tuvj1OiDRM
MCUf5o0FB5W5U5eXxB7fBw==
----------END STEEL KEY----------
Signatures
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 6 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "2⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnpublishUnlock.asp1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB