Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
03/03/2021, 11:53
General
-
Target
KMSAuto Net.exe
-
Size
2.1MB
-
MD5
26d067caae83528460ed322ae8cf7ab9
-
SHA1
470f0522a5debbbeb0a8d5c3e0a3dc1af6a1344f
-
SHA256
564c6d1973910e06c66670708fdc809d7391d03fd65d5e71d6d154f898429c93
-
SHA512
7f8c96f52f9e01985da14169c836cf0a7878580c312b6ba4b22b7b36fd2324b64deedab8f21221cae744ce0c3c55e6e0bfbcb4c78ffd8cac03b2c1c5fa9e0e81
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt
Ransom Note
******************************ATTENTION!******************************
All your important files have been encrypted by STEEL Ransomware!
For encryption we use reliable algorithms! You can read more here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Many of your documents, photos, videos, images and other files are no longer
accessible because they have been encrypted. It means that your files are not
damaged, but modified. The reverse process is called decryption.
We use strong algorithms so it impossible to crack key. You can easily restore all your files.
We guarantee that all your files will be successfully decrypted after paying.
We can decrypt 2 files for free (size <2mb) as proof that we can decrypt your files.
Warning! After 7 days price will be doubled!
How to decrypt files ?
1) Contact us via email [email protected]
2) Pay $350 on our monero wallet (we will send you wallet address)
3) Send your personal key to our email (It's located at the end of this document)
4) Get decryption key and program
5) Decrypt all your files
******************************????????!******************************
??? ???? ????? ??????????? STEEL Ransomware!
??? ?????????? ???????????? ???????? ????????? ??????????.
?? ?????? ???????????? ????????? ?????:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
???? ?????????, ?????, ????, ???????? ? ?????? ????? ?????? ??????????,
?????? ??? ??? ???????????. ??? ??????, ??? ???? ????? ?? ??????????, ??
??????????????. ???????? ??????? ?????????? ????????????.
???????? ??? ????????? ????? ???????????? ??????????! ?? ?????? ?????
???????????? ??? ?????. ?? ???????????, ??? ??? ???? ????? ????? ???????
???????????? ????? ??????. ? ???????? ?????????????? ??????????? ?????-
??????? ?? ????? ????????? ???????????? 2 ????? ???????? ?? ????? 2 ??.
????????! ????? 7 ???? ???? ????? ???????!
??? ???????????? ??????
1)????????? ? ???? ????? e-mail [email protected]
2)???????? 350 USD ?? monero ???????, ??????? ?? ?????? ???
3)????????? ??? ????, ????????????? ? ????? ????? ?????????.
4)???????? ?????????-?????????? ? ????
5)??????????? ???? ?????
YOUR PERSONAL KEY HERE:
----------BEGIN STEEL KEY----------
upzR+qIO3HME59GNFVElEGa8a9PBXEGejw42BTx5ztuRBUt4gBOTz8meGktshinw
5SMyIWq9p4Jy2Q8CP5jBSSlh5osQpL2OVrGxXjzibbZnKdbaJB1yZ3gyii3wkijX
ru9CDIGVWfcyLnwDbvD3l05iVci2wC4tod6TB3oozbF/L2Y+uU/GHrRk/wIAupFD
7BIgyFrZm81PP2zQEq5tYRxoHcAY2HOkfvtLQcE+haqA8m3ZqKNmFwePU+zNdDDq
iGEcD0QeajZpFOv8m+okJsIn4PJlZuBCroOUQa1TLUOjERbQYrmCJ5a3Z8qHdHYM
oMdWjpfhe83hCxCQYwTkkQ==
----------END STEEL KEY----------
Signatures
-
Executes dropped EXE 2 IoCs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Opens file in notepad (likely ransom note) 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"C:\Users\Admin\AppData\Local\Temp\KMSAuto Net.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"C:\Users\Admin\AppData\Roaming\SWEfghd678hfjbbhbGFrca.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\loader.exe"C:\Users\Admin\AppData\Local\Temp\loader.exe"3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdstr.bat" "2⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_TO_RESTORE_FILES.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB