Resubmissions

  • 03-03-2021 11:53: 210303-jg1rqnnv7a (score 10)
  • 03-03-2021 11:35: 210303-3hqbhblvcn (score 10)

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    03-03-2021 11:53

General

  • Target

    KMSAuto Net.exe

  • Size

    2.1MB

  • MD5

    26d067caae83528460ed322ae8cf7ab9

  • SHA1

    470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f

  • SHA256

    564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93

  • SHA512

    7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt

Ransom Note
******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted.
It means that your files are not damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key.
You can easily restore all your files. We guarantee that all your files will be successfully decrypted after paying.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email x_coded@protonmail.com
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files

[A Russian-language copy of the same note follows in the original file; its Cyrillic text did not survive the report's encoding and is not reproduced here. The fragments that did survive repeat the two Wikipedia URLs, the contact address X_coded@protonmail.com, the 350 USD Monero demand, the free decryption of 2 files and the 7-day deadline, then the same five numbered steps.]

YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
upzR+qIO3HME59GNFVElEGa8a9PBXEGejw42BTx5ztuRBUt4gBOTz8meGktshinw
5SMyIWq9p4Jy2Q8CP5jBSSlh5osQpL2OVrGxXjzibbZnKdbaJB1yZ3gyii3wkijX
ru9CDIGVWfcyLnwDbvD3l05iVci2wC4tod6TB3oozbF/L2Y+uU/GHrRk/wIAupFD
7BIgyFrZm81PP2zQEq5tYRxoHcAY2HOkfvtLQcE+haqA8m3ZqKNmFwePU+zNdDDq
iGEcD0QeajZpFOv8m+okJsIn4PJlZuBCroOUQa1TLUOjERbQYrmCJ5a3Z8qHdHYM
oMdWjpfhe83hCxCQYwTkkQ==
----------END STEEL KEY----------
Emails

x_coded@protonmail.com

X_coded@protonmail.com
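The fields an incident responder records from a note like the one above (actor contact, demand, deadline, the per-victim key blob), as an added Python example that is not part of this report or of the sandbox's own tooling. The sample note is copied from the report (English portion, line breaks added); the regexes, field names and the Monero address pattern are this example's own choices. Decoding the key block adds one fact the report does not state: the blob is 256 bytes, the size of a single RSA-2048 ciphertext, which fits the note's RSA-plus-AES claim (a per-victim AES key wrapped under the actor's RSA public key), though the note itself says nothing about key sizes.

```python
"""Parse a STEEL ransom note into the fields an IR team records."""
import base64
import re

# Sample input: the ransom note from the sandbox report above (English portion,
# line breaks added). Constructed here for the example; nothing is fetched.
SAMPLE_NOTE = """******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email x_coded@protonmail.com
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
upzR+qIO3HME59GNFVElEGa8a9PBXEGejw42BTx5ztuRBUt4gBOTz8meGktshinw
5SMyIWq9p4Jy2Q8CP5jBSSlh5osQpL2OVrGxXjzibbZnKdbaJB1yZ3gyii3wkijX
ru9CDIGVWfcyLnwDbvD3l05iVci2wC4tod6TB3oozbF/L2Y+uU/GHrRk/wIAupFD
7BIgyFrZm81PP2zQEq5tYRxoHcAY2HOkfvtLQcE+haqA8m3ZqKNmFwePU+zNdDDq
iGEcD0QeajZpFOv8m+okJsIn4PJlZuBCroOUQa1TLUOjERbQYrmCJ5a3Z8qHdHYM
oMdWjpfhe83hCxCQYwTkkQ==
----------END STEEL KEY----------
"""

FAMILY_RE = re.compile(r"encrypted by (\S+) Ransomware", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://\S+")
PRICE_RE = re.compile(r"\$\s?(\d+)")
DEADLINE_RE = re.compile(r"After (\d+) days", re.I)
# Monero standard and sub-addresses: 95 base58 characters starting with 4 or 8.
MONERO_RE = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")
# PEM-style block the note wraps the per-victim key in (marker text is this family's).
KEY_BLOCK_RE = re.compile(r"-+BEGIN STEEL KEY-+(.*?)-+END STEEL KEY-+", re.S)
MARKER_RE = re.compile(r"-+(?:BEGIN|END) [A-Z ]+KEY-+")


def extract_victim_key(text):
    """Return (base64_text, raw_bytes) of the victim key block, or (None, None) if absent."""
    m = KEY_BLOCK_RE.search(text)
    if not m:
        return None, None
    b64 = "".join(m.group(1).split())  # undo the 64-column line wrapping
    return b64, base64.b64decode(b64, validate=True)


def parse_steel_note(text):
    """Structured summary of the note: actor contact, demand, deadline, victim key."""
    b64, raw = extract_victim_key(text)
    family = FAMILY_RE.search(text)
    price = PRICE_RE.search(text)
    deadline = DEADLINE_RE.search(text)
    wallet = MONERO_RE.search(text)
    return {
        "family": family.group(1) if family else None,
        "emails": sorted({e.lower() for e in EMAIL_RE.findall(text)}),
        "urls": URL_RE.findall(text),  # here only the two Wikipedia links, not infrastructure
        "price_usd": int(price.group(1)) if price else None,
        "deadline_days": int(deadline.group(1)) if deadline else None,
        "wallet_address": wallet.group(0) if wallet else None,  # this note defers it to email
        "victim_key_b64": b64,
        "victim_key_len": len(raw) if raw else 0,  # 256 bytes here: one RSA-2048 ciphertext
    }


def hunt_strings(text):
    """Literal strings to sweep other hosts for copies of this note."""
    fields = parse_steel_note(text)
    strings = sorted(set(MARKER_RE.findall(text)))
    if fields["family"]:
        strings.append(f"{fields['family']} Ransomware")
    strings.extend(fields["emails"])
    return strings


if __name__ == "__main__":
    for key, value in parse_steel_note(SAMPLE_NOTE).items():
        print(f"{key}: {value}")
    print("hunt strings:", hunt_strings(SAMPLE_NOTE))
```

The hunt strings are the literals worth sweeping file shares and other endpoints for: the BEGIN/END STEEL KEY markers and the contact address are stable across victims, whereas the base64 key body is unique per victim and is exactly what should be kept with the incident record (it is what the actor asks to be sent back).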

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Opens file in notepad (likely ransom note) 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe
    "C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
      "C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Users\Admin\AppData\Local\Temp\loader.exe
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Loads dropped DLL
        • Enumerates connected drives
        • Suspicious behavior: EnumeratesProcesses
        PID:4412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "
      2⤵
        PID:3740
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:4392
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:584
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:724
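The signatures above are fired by behaviours that are all visible in the process tree: a dropped EXE in AppData\Roaming started by the Temp-resident sample, a second dropped EXE in Temp started by that one, cmd.exe running selfdstr.bat out of Temp, and NOTEPAD.EXE opened on HOW_TO_RESTORE_FILES.txt. As an added example (not the sandbox's signature code), here is that logic as rules over process-creation events, run on constructed events that mirror the report's tree. The parent PIDs 1000 and 2000 (for processes whose parent the report does not show), the two benign control events and the rule names are assumptions of this example.

```python
"""Rules for the drop-and-run chain, self-delete batch and ransom-note viewer seen in the tree."""
import ntpath
import re

# Constructed process-creation events mirroring the report's process tree. PIDs, images
# and command lines are from the report; PPIDs 1000 and 2000 are placeholders for parents
# the report does not show; PIDs 5000 and 5001 are benign controls, not from the report.
EVENTS = [
    {"pid": 4808, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"'},
    {"pid": 3652, "ppid": 4808,
     "image": r"C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"'},
    {"pid": 4412, "ppid": 3652,
     "image": r"C:\Users\Admin\AppData\Local\Temp\loader.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\loader.exe"'},
    {"pid": 3740, "ppid": 4808,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "'},
    {"pid": 4392, "ppid": 2000,
     "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt'},
    {"pid": 5000, "ppid": 2000,
     "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\notes.txt'},
    {"pid": 5001, "ppid": 2000,
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": r'"C:\Program Files\Git\cmd\git.exe" status'},
]

# Directories any interactive user can write to. An EXE launched from one of these by a
# parent that also runs from one is the drop-and-run pattern in the tree above.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
# Names ransomware commonly gives its note; this sample used HOW_TO_RESTORE_FILES.txt.
NOTE_NAME_RE = re.compile(r"(how|read).*(restore|decrypt|recover).*\.(txt|hta|html?)$", re.I)


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def lineage(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return sorted (pid, rule) pairs; one event may trip several rules."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        base = ntpath.basename(e["image"]).lower()
        cmd = e["cmdline"]
        parent = by_pid.get(e["ppid"])
        parent_dropped = parent is not None and in_user_writable(parent["image"])

        # Rule 1: EXE in a user-writable directory started by another user-writable EXE.
        if base.endswith(".exe") and in_user_writable(e["image"]) and parent_dropped:
            hits.append((e["pid"], "dropped_exe_chain"))

        # Rule 2: cmd.exe /c running a .bat from a user-writable path for such a parent,
        # the shape of a self-delete stub like selfdstr.bat.
        if (base == "cmd.exe" and "/c" in cmd.lower() and ".bat" in cmd.lower()
                and in_user_writable(cmd) and parent_dropped):
            hits.append((e["pid"], "temp_batch_selfdelete"))

        # Rule 3: notepad.exe opening a ransom-note-looking file. Argument parsing is kept
        # naive on purpose: first token is the quoted image, the remainder is the target.
        if base == "notepad.exe":
            parts = cmd.split(maxsplit=1)
            target = parts[1].strip('"') if len(parts) == 2 else ""
            if NOTE_NAME_RE.search(ntpath.basename(target)):
                hits.append((e["pid"], "ransom_note_opened"))
    return sorted(hits)


def hits_by_pid(events):
    """{pid: sorted rule names}, convenient for reporting and assertions."""
    out = {}
    for pid, rule in detect(events):
        out.setdefault(pid, []).append(rule)
    return {pid: sorted(rules) for pid, rules in out.items()}


if __name__ == "__main__":
    for pid, rules in hits_by_pid(EVENTS).items():
        print(pid, " > ".join(lineage(EVENTS, pid)), rules)
```

Rule 1 deliberately does not fire on the root sample (PID 4808): the report shows it running from Temp but not what started it, and a rule on "EXE in Temp" alone is noisy on installers. Rule 2 is the interesting one for response: the batch file is gone by the time anyone looks, so the cmd.exe command line captured at process creation is the only record of its path, which is why the hash of selfdstr.bat in the Downloads list below matters.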

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Discovery
      • Query Registry (T1012): 1 signature
      • Peripheral Device Discovery (T1120): 1 signature
      • System Information Discovery (T1082): 2 signatures


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\libeay32.dll
      MD5

      ec82afce1ecb9ea8083e366ba4676762

      SHA1

      49c610f556e1ff28759448181dc3cfb378429134

      SHA256

      a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1

      SHA512

      be57b8ab59d7d725041eef30b08426cd4a2ff5aebbd00932ee55a11f88f8a0a6cffa4939669a0a35f395bd022ee388d01e9cce96e89516c1257d283135a649de

    • C:\Users\Admin\AppData\Local\Temp\loader.exe
      MD5

      549e20cd5baca7c1b01209933b563e2a

      SHA1

      a27d9eeffd06e35ef75ca1a7157340c11d426dad

      SHA256

      b120e15d64df566cfddd73032c0338a6fe332d1a583282746e20e6c8a80edd6c

      SHA512

      11be05ea25439ea490bdcc013ac48a62616ad5a4c384819bb9ac083f250f417072111e26b2e8be41b7f403c8ed1a8a37c6601ec22be6e9409a6b5e5703368218

    • C:\Users\Admin\AppData\Local\Temp\selfdstr.bat
      MD5

      988ec406a5c0022b37fd5a1d2b4edef9

      SHA1

      a29c6a34c03bb184ae133364f0f6d1cf45932036

      SHA256

      0ad086c508fbfcddf656e24bc88190ff070dccb5b88577e6514d164072ee3d85

      SHA512

      a31778f252e810e22b367c05d4daeb53ad7c1aa28573f0c90a710d7227b9e431a78734dfc7745ad3b5e9fe4bfe6247dd0f44dc1d6791dab61c6fee7c6a6964ce

    • C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe
      MD5

      734ebe963716a9ba20ffb75dceff80ea

      SHA1

      8f98635aa27f50340ebd380ec4743855734f2a35

      SHA256

      55388fde35f487317a3e763f706fe03e39a87d1ba35f40ac9ec85e589d175ebf

      SHA512

      19fc995018a40a5a323cd962d991a83c58b170b1c6492b36cba85578d491465669666a002179aa2d461ab45bfbb568f6916ab04ea1dcd23778db3a0adb498d0a

    • C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
      MD5

      b049890b139191517c6cbde99b0709fe

      SHA1

      fbf4f3aff59f814cb15de901308ec648a1ff7038

      SHA256

      b2fc9eea743a9ca6388f0108ae8c62a4562d2f235683c9ad568b95b232138d76

      SHA512

      c419454a83bc9b95832cdae84e3469e65ca5c664781e04034ce1f58547840c7413a84bafbf60f7f3a2b033c1c7c17f872572511d8b31c9715408deaa822f7013

    • \Users\Admin\AppData\Local\Temp\libeay32.dll
      MD5

      ec82afce1ecb9ea8083e366ba4676762

      SHA1

      49c610f556e1ff28759448181dc3cfb378429134

      SHA256

      a053c2efd71c874486ca0abd39cee5b07450cefe1e7723ce8813630b9ce1b9f1

      SHA512

      be57b8ab59d7d725041eef30b08426cd4a2ff5aebbd00932ee55a11f88f8a0a6cffa4939669a0a35f395bd022ee388d01e9cce96e89516c1257d283135a649de

    • memory/3652-2-0x0000000000000000-mapping.dmp
    • memory/3740-4-0x0000000000000000-mapping.dmp
    • memory/4412-10-0x0000000000000000-mapping.dmp
    • memory/4412-14-0x00000000022F0000-0x00000000022F1000-memory.dmp
      Filesize

      4KB

    • memory/4412-15-0x0000000004160000-0x0000000004161000-memory.dmp
      Filesize

      4KB

    • memory/4412-16-0x0000000004960000-0x0000000004961000-memory.dmp
      Filesize

      4KB

    • memory/4412-17-0x0000000004160000-0x0000000004161000-memory.dmp
      Filesize

      4KB

    • memory/4412-76-0x0000000004160000-0x0000000004161000-memory.dmp
      Filesize

      4KB

    • memory/4808-9-0x0000000000AA0000-0x0000000000AA1000-memory.dmp
      Filesize

      4KB