General
-
Target
779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin
-
Size
233KB
-
Sample
210528-acjqsda27j
-
MD5
96c565af56a5ba8339f35121bf9ff196
-
SHA1
2edae92d476225b00b4a7ea1e9d7f7ccfda462cb
-
SHA256
779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc
-
SHA512
6d4a3d91396bccae3dff43f6ee295980c1919a48f7914d9b8b6eca3e603aa97b8e05a0b78af27e7f1c86691fff6fc26fad69ddb774f8ed5d8011aa87b511b6c1
Static task
static1
Behavioral task
behavioral1
Sample
779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Resource
win10v20210410
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
prometheus
http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
prometheus
http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM
Extracted
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
prometheus
http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
prometheus
http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM
Targets
-
-
Target
779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin
-
Size
233KB
-
MD5
96c565af56a5ba8339f35121bf9ff196
-
SHA1
2edae92d476225b00b4a7ea1e9d7f7ccfda462cb
-
SHA256
779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc
-
SHA512
6d4a3d91396bccae3dff43f6ee295980c1919a48f7914d9b8b6eca3e603aa97b8e05a0b78af27e7f1c86691fff6fc26fad69ddb774f8ed5d8011aa87b511b6c1
Score10/10-
Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
-
Downloads MZ/PE file
-
Downloads PsExec from SysInternals website
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Deletes itself
-
Drops startup file
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-