Resubmissions

03-03-2021 11:53

210303-jg1rqnnv7a 10

03-03-2021 11:35

210303-3hqbhblvcn 10

Analysis

  • max time kernel
    151s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03-03-2021 11:53

General

  • Target

    KMSAuto Net.exe

  • Size

    2MB

  • MD5

    26d067caae83528460ed322ae8cf7ab9

  • SHA1

    470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f

  • SHA256

    564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93

  • SHA512

    7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt

Ransom Note
******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted.
It means that your files are not damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key.
You can easily restore all your files. We guarantee that all your files will be successfully decrypted after paying.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email x_coded@protonmail.com
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files

[Russian-language copy of the same note follows here in the original. Its Cyrillic text was lost in extraction and survives only as "?" characters; the legible remnants are the two Wikipedia URLs, the contact address X_coded@protonmail.com, the price of 350 USD payable in Monero, the free decryption of 2 files of up to 2 MB, and the 7-day deadline.]

YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
m7uF2wMnEjZPWZk77en5lFKHnG8KBKeyUEWu+GtXV78SwEe8zRQuZTzzUdMTqqzo
E2I6x+m2H7qwwjjz0jgLsosvd4/NCsHkiFvUlBolGNVljggix9dsPP9pXtoHSGCA
ZCl0l/uBXuWxKWoWbwg5Ng6jP2B7Px1HaNxnXrI5X/YDqN+YamL4soTKtxV+HXa0
g4DOIIBnaNx6btQx/9+lu4GAEcxnhnkb3eB5s1t3gpBcvgnz6FDItM0Pz7evQDPL
qUQJLJDtSofdkF5xfCEDSTDpxnhWf31R9WODWL7zNFi/njGEaslO13tuvj1OiDRM
MCUf5o0FB5W5U5eXxB7fBw==
----------END STEEL KEY----------
Emails

x_coded@protonmail.com

X_coded@protonmail.com
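
The extractor above pulls the note path and the contact addresses out of the dropped note. The personal key block at the end of the note deserves one more check, because its length says something about how the per-victim key was handled. What follows is an added example, not part of this report or of the sandbox's own extractor: a Python parser that takes the English portion of HOW_TO_RESTORE_FILES.txt as printed above (embedded here as the sample input, plus the one legible fragment of the Russian copy), pulls out the family name, contact addresses, URLs, price, deadline and the STEEL key block, base64-decodes the key and reports its size. The regexes are tailored to this note's wording and are assumptions about its layout. A 256-byte blob is consistent with a 2048-bit RSA-encrypted per-victim key, which fits the RSA/AES scheme the note advertises; that reading is an inference from the length alone, not something the report confirms.

```python
import base64
import re

# Sample input: the English portion of the note as printed in this report, verbatim
# apart from restored line breaks, followed by the only legible fragment of the
# Russian copy (the contact address with a different capitalisation).
NOTE = """******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted.
It means that your files are not damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email x_coded@protonmail.com
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files
e-mail X_coded@protonmail.com
YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
m7uF2wMnEjZPWZk77en5lFKHnG8KBKeyUEWu+GtXV78SwEe8zRQuZTzzUdMTqqzo
E2I6x+m2H7qwwjjz0jgLsosvd4/NCsHkiFvUlBolGNVljggix9dsPP9pXtoHSGCA
ZCl0l/uBXuWxKWoWbwg5Ng6jP2B7Px1HaNxnXrI5X/YDqN+YamL4soTKtxV+HXa0
g4DOIIBnaNx6btQx/9+lu4GAEcxnhnkb3eB5s1t3gpBcvgnz6FDItM0Pz7evQDPL
qUQJLJDtSofdkF5xfCEDSTDpxnhWf31R9WODWL7zNFi/njGEaslO13tuvj1OiDRM
MCUf5o0FB5W5U5eXxB7fBw==
----------END STEEL KEY----------
"""

# Patterns are assumptions fitted to this note's wording, not a general ransom-note grammar.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://\S+")
PRICE_RE = re.compile(r"\$\s?(\d+)")
DEADLINE_RE = re.compile(r"After (\d+) days", re.I)
KEY_RE = re.compile(r"-+BEGIN STEEL KEY-+\s*(.*?)\s*-+END STEEL KEY-+", re.S)


def parse_note(text):
    """Extract contact, pricing and the victim key block from a STEEL-style note."""
    # Addresses are case-insensitive on the domain side and, for ProtonMail, on the
    # local part too; lowercase so the two spellings in the note collapse to one IOC.
    emails = sorted({m.lower() for m in EMAIL_RE.findall(text)})

    match = KEY_RE.search(text)
    key_b64 = "".join(match.group(1).split()) if match else ""
    try:
        # validate=True rejects stray characters instead of silently skipping them.
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:
        key = b""

    price = PRICE_RE.search(text)
    deadline = DEADLINE_RE.search(text)
    return {
        "family": "STEEL" if "STEEL Ransomware" in text else None,
        "emails": emails,
        "urls": URL_RE.findall(text),
        "price_usd": int(price.group(1)) if price else None,
        "deadline_days": int(deadline.group(1)) if deadline else None,
        "key_b64": key_b64,
        "key_bytes": len(key),
        "key_bits": len(key) * 8,
        # 256 bytes is exactly one RSA-2048 ciphertext block: the shape you would
        # expect if a per-victim AES key was wrapped with the operator's public key.
        "key_looks_like_rsa2048_block": len(key) == 256,
    }


if __name__ == "__main__":
    for k, v in parse_note(NOTE).items():
        print(f"{k}: {v if k != 'key_b64' else v[:32] + '...'}")
```

The decoded block is opaque to the victim by design: the "personal key" is what the operator needs to recover the file key, so its length is the only property you can check offline. A block that decoded to 16 or 32 bytes, by contrast, would suggest the file key itself was written into the note unencrypted and is worth a closer look.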

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
    "C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
      "C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Users\Admin\AppData\Local\Temp\loader.exe
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Loads dropped DLL
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        PID:1780
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "
      2⤵
        PID:1184
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2028
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnpublishUnlock.asp
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1224
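
The process tree above is a better detection target than the file hashes, which change with every build: an executable run from the user's Temp folder drops a second executable into Roaming, which drops loader.exe back into Temp, while the first stage also runs cmd /c on a batch file in Temp (the selfdstr.bat self-delete) and the sandbox user ends up with notepad displaying the ransom note. The following is an added example, not part of this report or of any sandbox's detection code: a small Python matcher run over constructed process-creation events that mirror the tree above. The event fields (pid, ppid, image, cmdline), the parent PID 1000 standing in for explorer.exe, and the benign control event are all assumptions.

```python
import re

# Constructed process-creation events mirroring the tree in this report.
# Field names are an assumption, not a real Sysmon/EDR schema; PID 1000 stands in
# for the desktop shell that launched the top-level processes.
EVENTS = [
    {"pid": 1784, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"'},
    {"pid": 1032, "ppid": 1784, "image": r"C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"'},
    {"pid": 1780, "ppid": 1032, "image": r"C:\Users\Admin\AppData\Local\Temp\loader.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\loader.exe"'},
    {"pid": 1184, "ppid": 1784, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "'},
    {"pid": 2028, "ppid": 1000, "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt'},
    {"pid": 1224, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnpublishUnlock.asp'},
    # Constructed benign control: the shell launching a browser from Program Files.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
# cmd /c "<something>\Temp\<name>.bat": the self-delete stub seen as selfdstr.bat above.
BAT_FROM_TEMP_RE = re.compile(r'\bcmd(\.exe)?\s+/c\s+"*.*\\Temp\\[^"]+\.bat', re.I)
NOTE_RE = re.compile(r'(HOW_TO_RESTORE|RESTORE_FILES|DECRYPT)[^\s"]*\.txt', re.I)


def ancestors(pid, by_pid):
    """Return [self, parent, grandparent, ...] as far as the event set reaches."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def analyse(events):
    """Apply four chain/command-line rules derived from the tree in this report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img, chain = e["image"], ancestors(e["pid"], by_pid)
        # Rule 1: three generations of executables all living in user-writable AppData paths.
        if len(chain) >= 3 and all(USER_WRITABLE_RE.search(p["image"]) for p in chain[:3]):
            findings.append(("dropper_chain", [p["pid"] for p in chain[:3]]))
        # Rule 2: a Temp-resident parent spawning an executable it placed in Roaming.
        if ROAMING_RE.search(img) and len(chain) > 1 and TEMP_RE.search(chain[1]["image"]):
            findings.append(("temp_to_roaming", e["pid"]))
        # Rule 3: cmd /c on a batch file in Temp, the usual shape of a self-delete stub.
        if BAT_FROM_TEMP_RE.search(e["cmdline"]):
            findings.append(("bat_from_temp", e["pid"]))
        # Rule 4: notepad opened on a ransom-note-like filename.
        if img.lower().endswith("notepad.exe") and NOTE_RE.search(e["cmdline"]):
            findings.append(("ransom_note_opened", e["pid"]))
    return findings


if __name__ == "__main__":
    for name, detail in analyse(EVENTS):
        print(f"{name}: {detail}")
```

The rundll32 line with shell32.dll,OpenAs_RunDLL is deliberately not a rule: that is Explorer's "Open with" dialog for a file with no registered handler, and on its own it fires constantly on ordinary desktops. Rule 1 and Rule 3 together are the signal here; Rule 4 is a late, high-confidence confirmation that arrives after encryption has already happened.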

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Discovery
      • Query Registry (T1012): 1
      • Peripheral Device Discovery (T1120): 1
      • System Information Discovery (T1082): 2

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\libeay32.dll
      MD5

      ec82afce1ecb9ea8083e366ba4676762

      SHA1

      49c610f556e1ff28759448181dc3cfb378429134

      SHA256

      a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1

      SHA512

      be57b8ab59d7d725041eef30b08426cd4a2ff5aebbd00932ee55a11f88f8a0a6cffa4939669a0a35f395bd022ee388d01e9cce96e89516c1257d283135a649de

    • C:\Users\Admin\AppData\Local\Temp\loader.exe
      MD5

      549e20cd5baca7c1b01209933b563e2a

      SHA1

      a27d9eeffd06e35ef75ca1a7157340c11d426dad

      SHA256

      b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c

      SHA512

      11be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218

    • C:\Users\Admin\AppData\Local\Temp\selfdstr.bat
      MD5

      988ec406a5c0022b37fd5a1d2b4edef9

      SHA1

      a29c6a34c03bb184ae133364f0f6d1cf45932036

      SHA256

      0ad086c508fbfcddf656e24bc88190ff070dccb5b88577e6514d164072ee3d85

      SHA512

      a31778f252e810e22b367c05d4daeb53ad7c1aa28573f0c90a710d7227b9e431a78734dfc7745ad3b5e9fe4bfe6247dd0f44dc1d6791dab61c6fee7c6a6964ce

    • C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
      MD5

      734ebe963716a9ba20ffb75dceff80ea

      SHA1

      8f98635aa27f50340ebd380ec4743855734f2a35

      SHA256

      55388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf

      SHA512

      19fc995018a40a5a323cd962d991a83c58b170b1c6492b36cba85578d491465669666a002179aa2d461ab45bfbb568f6916ab04ea1dcd23778db3a0adb498d0a

    • C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
      MD5

      561a2373196fbccdb31b026c385d76db

      SHA1

      4bda9df6e3b3882ab1900d008510b64f5ea80996

      SHA256

      68287c102ab02a329b7d5b1f1a87afdba92d276f696bd4baeca1056bf0e5c818

      SHA512

      c323cf4c57bcda5e294a854ff58b9d894fcd61e1dbadcdc027200a052c738db464911491ffb6bfc19579ac1def0b43ab12815b26d568c622ce3711022a4a8a42

    • memory/1032-4-0x0000000000000000-mapping.dmp
    • memory/1092-384-0x000007FEF7510000-0x000007FEF778A000-memory.dmp
      Filesize

      2MB

    • memory/1184-8-0x0000000000000000-mapping.dmp
    • memory/1780-25-0x0000000003480000-0x0000000003491000-memory.dmp
      Filesize

      68KB

    • memory/1780-24-0x0000000000270000-0x0000000000271000-memory.dmp
      Filesize

      4KB

    • memory/1780-23-0x00000000006BD000-0x00000000006BE000-memory.dmp
      Filesize

      4KB

    • memory/1780-26-0x0000000003890000-0x00000000038A1000-memory.dmp
      Filesize

      68KB

    • memory/1780-27-0x0000000003480000-0x0000000003491000-memory.dmp
      Filesize

      68KB

    • memory/1780-18-0x0000000000000000-mapping.dmp
    • memory/1784-12-0x00000000007C0000-0x00000000007C1000-memory.dmp
      Filesize

      4KB

    • memory/1784-13-0x0000000000230000-0x0000000000231000-memory.dmp
      Filesize

      4KB

    • memory/1784-2-0x00000000760D1000-0x00000000760D3000-memory.dmp
      Filesize

      8KB

    • memory/2028-382-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp
      Filesize

      8KB