Overview

overview

10

Static

static

dd4eb8aa33...cf.exe

windows7_x64

10

dd4eb8aa33...cf.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dd4eb8aa3371b7fd821a7a9730c924cf.exe

  • Size

    194KB

  • Sample

    210602-fr7h11p5ej

  • MD5

    dd4eb8aa3371b7fd821a7a9730c924cf

  • SHA1

    3e53f7bf7dcb8569aaf0f3a3bcf67bda4c01c054

  • SHA256

    9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184

  • SHA512

    12e760a59377632548f41bbdb98941a04c7d32b5d084f70b23db702dbeabb1e7a489df6d03af40da977a463150e4d144641fbc4640037e8858897a0509c9f356

Score
10/10
prometheusdiscoveryevasionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files. * Please note that files must not contain any valuable information. Do you really want to restore your files? 1) Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open website: http://sonarmsniko2lvfu.onion/?a=reg c) Register account  d) Click Compose  and write to us, our username: Prometheus, in message write Your Key Identifier (it is at the end of file)  2) Using a email Write to 3 emails address at once, in message write Your Key Identifier (it is at the end of file) : [email protected] [email protected] [email protected] We recommend using 1 method via TOR browser to contact us. Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. *For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data! Key Identifier: eMYQaF9UnXGT1YvwIKo2S+Qlp2shG+aZ3nwfT2xixyjqfbPx4ip2tCHoSkW7XynZb/9lph4+n0UiVp3EFWlBh3fPWsK5F6bmfY/5E7G40/JDir4haDstLeslTB8mJE0z6KegjYWbs1doPEVjP7tNxywBlwNDa2SbqKyYldRLxxP1/9DxDO8UOvHh25lISJv7sE8nmx/dAB3t8jELmEtDHaLcR1OJBZKylQ6GUOEJSnggiKMm8gEVu3ee7+Hroppy+qrPr2VUbPx+7xDZoDvf/9WcfTEFFTX/j7UCrAwqRqV4W4Q0lk305DuUQjoRq8MJSsDVJBuXd/1IHsUvI3ZPcsKe0a7SythsQ/6zkCGB6VQPt9ZBxmoo3rB/yABRVu+I1p8OxpDVKMxfQLJECTDB2ZhYmQKXdJGU1lPlOO9OhsydtzfQjlXwWnE5F8sU95WcOkrGyGLzR/OfF6Xk/nN3AgiVFgIYUiT3NR4cTO4d93yrmb9VR7mnwNl7kgMqQpJn/DO2yc4/8YngzrBhYwEbrijNZwRs2eB/Dc6ihxv8trMS1wIivqsqqZkixPO2RR2NLGiVUAKslhDIK+hQglzpg02u7srC8ESbx8zABTLtRaC01WC1I8hTv2LVTwwGfAZ0AYNwV4l+4IJoA1LRcMjqnKHUXds+nZevY7TL0l2++DY=
URLs

https://privatlab.com/file

http://sonarmsniko2lvfu.onion/?a=reg

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files. * Please note that files must not contain any valuable information. Do you really want to restore your files? 1) Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open website: http://sonarmsniko2lvfu.onion/?a=reg c) Register account d) Click Compose and write to us, our username: Prometheus, in message write Your Key Identifier (it is at the end of file) 2) Using a email Write to 3 emails address at once, in message write Your Key Identifier (it is at the end of file) : [email protected] [email protected] [email protected] We recommend using 1 method via TOR browser to contact us. Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. *For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data! Key Identifier: eMYQaF9UnXGT1YvwIKo2S+Qlp2shG+aZ3nwfT2xixyjqfbPx4ip2tCHoSkW7XynZb/9lph4+n0UiVp3EFWlBh3fPWsK5F6bmfY/5E7G40/JDir4haDstLeslTB8mJE0z6KegjYWbs1doPEVjP7tNxywBlwNDa2SbqKyYldRLxxP1/9DxDO8UOvHh25lISJv7sE8nmx/dAB3t8jELmEtDHaLcR1OJBZKylQ6GUOEJSnggiKMm8gEVu3ee7+Hroppy+qrPr2VUbPx+7xDZoDvf/9WcfTEFFTX/j7UCrAwqRqV4W4Q0lk305DuUQjoRq8MJSsDVJBuXd/1IHsUvI3ZPcsKe0a7SythsQ/6zkCGB6VQPt9ZBxmoo3rB/yABRVu+I1p8OxpDVKMxfQLJECTDB2ZhYmQKXdJGU1lPlOO9OhsydtzfQjlXwWnE5F8sU95WcOkrGyGLzR/OfF6Xk/nN3AgiVFgIYUiT3NR4cTO4d93yrmb9VR7mnwNl7kgMqQpJn/DO2yc4/8YngzrBhYwEbrijNZwRs2eB/Dc6ihxv8trMS1wIivqsqqZkixPO2RR2NLGiVUAKslhDIK+hQglzpg02u7srC8ESbx8zABTLtRaC01WC1I8hTv2LVTwwGfAZ0AYNwV4l+4IJoA1LRcMjqnKHUXds+nZevY7TL0l2++DY=
URLs

https://privatlab.com/file

http://sonarmsniko2lvfu.onion/?a=reg

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files. * Please note that files must not contain any valuable information. Do you really want to restore your files? 1) Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open website: http://sonarmsniko2lvfu.onion/?a=reg c) Register account  d) Click Compose  and write to us, our username: Prometheus, in message write Your Key Identifier (it is at the end of file)  2) Using a email Write to 3 emails address at once, in message write Your Key Identifier (it is at the end of file) : [email protected] [email protected] [email protected] We recommend using 1 method via TOR browser to contact us. Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. *For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data! Key Identifier: PyytrfB7H3OzWakGbuz5RKeJXGWbIR4AmtIFc0gNvvrkjV6vEgJCkTwU1CUB0d28+OSJDMFt6R0NVZ5MGVtwTtfrbqp1wz+bvHDcHVdOW0604XpPcoyoizMxYL7bZMdn9IXA468J+S32cGuJkcGSDXiS1TmyJomJMqVeMzJujmGR2G6IJ062QWozDpml/gkxGLZWLfbLim5wnhagVimLg9hO0KerOz9MlUTihLeChciJekiwdq5f9IT0L8xXAhkMZ5wq+dMLVJlEKBwrmQixbFi+BrshTXVCjdf+kgtPuyd/KfERNdVosydWBeLTw/6iNGy1r//Sl47kWm2KVQTaLRMsFh+XRWBVb8HZButao4UImGaI9dmRp71F4+Kgql4oAgC5c/37z2Tkpg5GXKiE/mkpozLx05RiULxOctpX7ZPcB1KQPaBOVc7NW2kTGGwtrF7s/ZOEEox90Y69l7CP0jtzLh+keuLHXSMB2x+B7qKqG59/ucoWQRovdtazbG7ViREPi+ZGbFa+c5UcmDWb+6iA1garLBjUeuzcjA2rQx4mYmxkJ/ZHomdxJASIENqHIZfWw3oh1dJ7R95GG+LEPF/yu1DYf5zBWUSujAQeaI8AbbzlKy+7TfAS+xBLmom8fP9WXNUYLMaFjhd4EKdD5w3Reksurk71yAzZ1t7MFWc=
URLs

https://privatlab.com/file

http://sonarmsniko2lvfu.onion/?a=reg

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. We recommend you upload 3 encrypted files in https://privatlab.com/file and paste link to you message. We will demonstrate that we can recover your files. * Please note that files must not contain any valuable information. Do you really want to restore your files? 1) Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open website: http://sonarmsniko2lvfu.onion/?a=reg c) Register account d) Click Compose and write to us, our username: Prometheus, in message write Your Key Identifier (it is at the end of file) 2) Using a email Write to 3 emails address at once, in message write Your Key Identifier (it is at the end of file) : [email protected] [email protected] [email protected] We recommend using 1 method via TOR browser to contact us. Email letters may not reach us. Therefore, if you do not receive a response within 12 hours, please use method 1. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. *For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data! Key Identifier: PyytrfB7H3OzWakGbuz5RKeJXGWbIR4AmtIFc0gNvvrkjV6vEgJCkTwU1CUB0d28+OSJDMFt6R0NVZ5MGVtwTtfrbqp1wz+bvHDcHVdOW0604XpPcoyoizMxYL7bZMdn9IXA468J+S32cGuJkcGSDXiS1TmyJomJMqVeMzJujmGR2G6IJ062QWozDpml/gkxGLZWLfbLim5wnhagVimLg9hO0KerOz9MlUTihLeChciJekiwdq5f9IT0L8xXAhkMZ5wq+dMLVJlEKBwrmQixbFi+BrshTXVCjdf+kgtPuyd/KfERNdVosydWBeLTw/6iNGy1r//Sl47kWm2KVQTaLRMsFh+XRWBVb8HZButao4UImGaI9dmRp71F4+Kgql4oAgC5c/37z2Tkpg5GXKiE/mkpozLx05RiULxOctpX7ZPcB1KQPaBOVc7NW2kTGGwtrF7s/ZOEEox90Y69l7CP0jtzLh+keuLHXSMB2x+B7qKqG59/ucoWQRovdtazbG7ViREPi+ZGbFa+c5UcmDWb+6iA1garLBjUeuzcjA2rQx4mYmxkJ/ZHomdxJASIENqHIZfWw3oh1dJ7R95GG+LEPF/yu1DYf5zBWUSujAQeaI8AbbzlKy+7TfAS+xBLmom8fP9WXNUYLMaFjhd4EKdD5w3Reksurk71yAzZ1t7MFWc=
URLs

https://privatlab.com/file

http://sonarmsniko2lvfu.onion/?a=reg

Targets

    • Target

      dd4eb8aa3371b7fd821a7a9730c924cf.exe

    • Size

      194KB

    • MD5

      dd4eb8aa3371b7fd821a7a9730c924cf

    • SHA1

      3e53f7bf7dcb8569aaf0f3a3bcf67bda4c01c054

    • SHA256

      9bf0633f41d2962ba5e2895ece2ef9fa7b546ada311ca30f330f0d261a7fb184

    • SHA512

      12e760a59377632548f41bbdb98941a04c7d32b5d084f70b23db702dbeabb1e7a489df6d03af40da977a463150e4d144641fbc4640037e8858897a0509c9f356

    Score
    10/10
    prometheusdiscoveryevasionpersistenceransomware

    • Prometheus Ransomware

      Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.

      ransomwareprometheus

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Downloads PsExec from SysInternals website

      Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

    • Modifies Windows Firewall

      evasion

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Deletes itself

    • Drops startup file

    • Modifies file permissions

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks