Overview

overview

10

Static

static

9

e3d6d04538...08.exe

windows7-x64

10

e3d6d04538...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    40s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • submitted
    20-07-2022 11:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe

  • Size

    1.9MB

  • MD5

    49d4bdfa882c8458b86b1e4a5e79c92d

  • SHA1

    6c4c9f61119fdc3d9c31e11f9cef3b0902b81884

  • SHA256

    e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08

  • SHA512

    08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57

Score
10/10
hadescryptonepackerransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-kgkq9.txt

Ransom Note
[+] What happened? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.kgkq9 By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! - Download and install TOR browser from this site: hxxps://torproject.org/ - Open our website: hxxp://m6s6axasulxjkhzh.onion - Follow the on-screen instructions Extension name: *.kgkq9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere. !!! !!! !!! ��

Extracted

Path

C:\Users\Admin\Desktop\HOW-TO-DECRYPT-kgkq9.txt

Ransom Note
[+] What happened? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.kgkq9 By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! - Download and install TOR browser from this site: hxxps://torproject.org/ - Open our website: hxxp://m6s6axasulxjkhzh.onion - Follow the on-screen instructions Extension name: *.kgkq9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere. !!! !!! !!! ��[+] What happened? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.kgkq9 By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! - Download and install TOR browser from this site: hxxps://torproject.org/ - Open our website: hxxp://m6s6axasulxjkhzh.onion - Follow the on-screen instructions Extension name: *.kgkq9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere. !!! !!! !!! ��

Signatures

  • Hades Ransomware

    Ransomware family attributed to Evil Corp APT first seen in late 2020.

    ransomwarehades
  • Hades payload 2 IoCs
  • CryptOne packer 4 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe
    "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Roaming\PolicyService\Library
      C:\Users\Admin\AppData\Roaming\PolicyService\Library /go
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\system32\cmd.exe
        cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\PolicyService\Library" & del "C:\Users\Admin\AppData\Roaming\PolicyService\Library" & rd "C:\Users\Admin\AppData\Roaming\PolicyService\"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1020
        • C:\Windows\system32\waitfor.exe
          waitfor /t 10 pause /d y
          4⤵
            PID:1288
          • C:\Windows\system32\attrib.exe
            attrib -h "C:\Users\Admin\AppData\Roaming\PolicyService\Library"
            4⤵
            • Views/modifies file attributes
            PID:452
      • C:\Windows\system32\cmd.exe
        cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe" & del "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\system32\waitfor.exe
          waitfor /t 10 pause /d y
          3⤵
            PID:1708
          • C:\Windows\system32\attrib.exe
            attrib -h "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"
            3⤵
            • Views/modifies file attributes
            PID:916

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\PolicyService\Library
        Filesize

        1.9MB

        MD5

        49d4bdfa882c8458b86b1e4a5e79c92d

        SHA1

        6c4c9f61119fdc3d9c31e11f9cef3b0902b81884

        SHA256

        e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08

        SHA512

        08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57

        Download Submit

      • C:\Users\Admin\AppData\Roaming\PolicyService\Library
        Filesize

        1.9MB

        MD5

        49d4bdfa882c8458b86b1e4a5e79c92d

        SHA1

        6c4c9f61119fdc3d9c31e11f9cef3b0902b81884

        SHA256

        e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08

        SHA512

        08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57

        Download Submit

      • \Users\Admin\AppData\Roaming\PolicyService\Library
        Filesize

        1.9MB

        MD5

        49d4bdfa882c8458b86b1e4a5e79c92d

        SHA1

        6c4c9f61119fdc3d9c31e11f9cef3b0902b81884

        SHA256

        e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08

        SHA512

        08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57

        Download Submit

      • \Users\Admin\AppData\Roaming\PolicyService\Library
        Filesize

        1.9MB

        MD5

        49d4bdfa882c8458b86b1e4a5e79c92d

        SHA1

        6c4c9f61119fdc3d9c31e11f9cef3b0902b81884

        SHA256

        e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08

        SHA512

        08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57

        Download Submit

      • memory/268-67-0x0000000000000000-mapping.dmp

        Download

      • memory/452-71-0x0000000000000000-mapping.dmp

        Download

      • memory/916-70-0x0000000000000000-mapping.dmp

        Download

      • memory/1020-66-0x0000000000000000-mapping.dmp

        Download

      • memory/1288-68-0x0000000000000000-mapping.dmp

        Download

      • memory/1624-62-0x0000000140000000-0x00000001401E0000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1624-65-0x0000000001B70000-0x0000000001D30000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1624-59-0x0000000000000000-mapping.dmp

        Download

      • memory/1708-69-0x0000000000000000-mapping.dmp

        Download

      • memory/2020-61-0x0000000001B40000-0x0000000001D00000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2020-54-0x0000000140000000-0x00000001401E0000-memory.dmp

        Filesize

        1.9MB

        Download