Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03-03-2021 11:53
Static task
static1
Behavioral task
behavioral1
Sample
KMSAuto Net.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
KMSAuto Net.exe
Resource
win10v20201028
General
-
Target
KMSAuto Net.exe
-
Size
2.1MB
-
MD5
26d067caae83528460ed322ae8cf7ab9
-
SHA1
470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f
-
SHA256
564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93
-
SHA512
7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81
Malware Config
Extracted
C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
x_coded@protonmail.com
X_coded@protonmail.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
SWEfghd678hfjbbhbGFrca.exeloader.exepid process 3652 SWEfghd678hfjbbhbGFrca.exe 4412 loader.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
loader.exedescription ioc process File created C:\Users\Admin\Pictures\EditResolve.tif.1ugUSIe loader.exe File created C:\Users\Admin\Pictures\OutBlock.raw.1ugUSIe loader.exe File created C:\Users\Admin\Pictures\ResizeEnable.raw.1ugUSIe loader.exe -
Loads dropped DLL 1 IoCs
Processes:
loader.exepid process 4412 loader.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
loader.exedescription ioc process File opened (read-only) \??\A: loader.exe File opened (read-only) \??\B: loader.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Opens file in notepad (likely ransom note) 3 IoCs
Processes:
NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXEpid process 4392 NOTEPAD.EXE 584 NOTEPAD.EXE 724 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
loader.exepid process 4412 loader.exe 4412 loader.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
KMSAuto Net.exeSWEfghd678hfjbbhbGFrca.exedescription pid process target process PID 4808 wrote to memory of 3652 4808 KMSAuto Net.exe SWEfghd678hfjbbhbGFrca.exe PID 4808 wrote to memory of 3652 4808 KMSAuto Net.exe SWEfghd678hfjbbhbGFrca.exe PID 4808 wrote to memory of 3652 4808 KMSAuto Net.exe SWEfghd678hfjbbhbGFrca.exe PID 4808 wrote to memory of 3740 4808 KMSAuto Net.exe cmd.exe PID 4808 wrote to memory of 3740 4808 KMSAuto Net.exe cmd.exe PID 4808 wrote to memory of 3740 4808 KMSAuto Net.exe cmd.exe PID 3652 wrote to memory of 4412 3652 SWEfghd678hfjbbhbGFrca.exe loader.exe PID 3652 wrote to memory of 4412 3652 SWEfghd678hfjbbhbGFrca.exe loader.exe PID 3652 wrote to memory of 4412 3652 SWEfghd678hfjbbhbGFrca.exe loader.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "2⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\libeay32.dllMD5
ec82afce1ecb9ea8083e366ba4676762
SHA149c610f556e1ff28759448181dc3cfb378429134
SHA256a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1
SHA512be57b8ab59d7d725041eef30b08426cd4a2ff5aebbd00932ee55a11f88f8a0a6cffa4939669a0a35f395bd022ee388d01e9cce96e89516c1257d283135a649de
-
C:\Users\Admin\AppData\Local\Temp\loader.exeMD5
549e20cd5baca7c1b01209933b563e2a
SHA1a27d9eeffd06e35ef75ca1a7157340c11d426dad
SHA256b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c
SHA51211be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218
-
C:\Users\Admin\AppData\Local\Temp\selfdstr.batMD5
988ec406a5c0022b37fd5a1d2b4edef9
SHA1a29c6a34c03bb184ae133364f0f6d1cf45932036
SHA2560ad086c508fbfcddf656e24bc88190ff070dccb5b88577e6514d164072ee3d85
SHA512a31778f252e810e22b367c05d4daeb53ad7c1aa28573f0c90a710d7227b9e431a78734dfc7745ad3b5e9fe4bfe6247dd0f44dc1d6791dab61c6fee7c6a6964ce
-
C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exeMD5
734ebe963716a9ba20ffb75dceff80ea
SHA18f98635aa27f50340ebd380ec4743855734f2a35
SHA25655388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf
SHA51219fc995018a40a5a323cd962d991a83c58b170b1c6492b36cba85578d491465669666a002179aa2d461ab45bfbb568f6916ab04ea1dcd23778db3a0adb498d0a
-
C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exeMD5
734ebe963716a9ba20ffb75dceff80ea
SHA18f98635aa27f50340ebd380ec4743855734f2a35
SHA25655388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf
SHA51219fc995018a40a5a323cd962d991a83c58b170b1c6492b36cba85578d491465669666a002179aa2d461ab45bfbb568f6916ab04ea1dcd23778db3a0adb498d0a
-
C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txtMD5
b049890b139191517c6cbde99b0709fe
SHA1fbf4f3aff59f814cb15de901308ec648a1ff7038
SHA256b2fc9eea743a9ca6388f0108ae8c62a4562d2f235683c9ad568b95b232138d76
SHA512c419454a83bc9b95832cdae84e3469e65ca5c664781e04034ce1f58547840c7413a84bafbf60f7f3a2b033c1c7c17f872572511d8b31c9715408deaa822f7013
-
\Users\Admin\AppData\Local\Temp\libeay32.dllMD5
ec82afce1ecb9ea8083e366ba4676762
SHA149c610f556e1ff28759448181dc3cfb378429134
SHA256a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1
SHA512be57b8ab59d7d725041eef30b08426cd4a2ff5aebbd00932ee55a11f88f8a0a6cffa4939669a0a35f395bd022ee388d01e9cce96e89516c1257d283135a649de
-
memory/3652-2-0x0000000000000000-mapping.dmp
-
memory/3740-4-0x0000000000000000-mapping.dmp
-
memory/4412-10-0x0000000000000000-mapping.dmp
-
memory/4412-14-0x00000000022F0000-0x00000000022F1000-memory.dmpFilesize
4KB
-
memory/4412-15-0x0000000004160000-0x0000000004161000-memory.dmpFilesize
4KB
-
memory/4412-16-0x0000000004960000-0x0000000004961000-memory.dmpFilesize
4KB
-
memory/4412-17-0x0000000004160000-0x0000000004161000-memory.dmpFilesize
4KB
-
memory/4412-76-0x0000000004160000-0x0000000004161000-memory.dmpFilesize
4KB
-
memory/4808-9-0x0000000000AA0000-0x0000000000AA1000-memory.dmpFilesize
4KB