Analysis

  • max time kernel
    98s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • submitted
    20-07-2022 11:54

General

  • Target

    e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe

  • Size

    1.9MB

  • MD5

    49d4bdfa882c8458b86b1e4a5e79c92d

  • SHA1

    6c4c9f61119fdc3d9c31e11f9cef3b0902b81884

  • SHA256

    e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08

  • SHA512

    08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57

Malware Config

Extracted

Path

C:\HOW-TO-DECRYPT-kgkq9.txt

Ransom Note
[+] What happened? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.kgkq9 By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! - Download and install TOR browser from this site: hxxps://torproject.org/ - Open our website: hxxp://m6s6axasulxjkhzh.onion - Follow the on-screen instructions Extension name: *.kgkq9 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere. !!! !!! !!! ��

Signatures

  • Hades Ransomware

    Ransomware family attributed to Evil Corp APT first seen in late 2020.

  • Hades payload 2 IoCs
  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe
    "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Users\Admin\AppData\Roaming\PlayTracing\Method
      C:\Users\Admin\AppData\Roaming\PlayTracing\Method /go
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\PlayTracing\Method" & del "C:\Users\Admin\AppData\Roaming\PlayTracing\Method" & rd "C:\Users\Admin\AppData\Roaming\PlayTracing\"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4300
        • C:\Windows\system32\waitfor.exe
          waitfor /t 10 pause /d y
          4⤵
            PID:2080
          • C:\Windows\system32\attrib.exe
            attrib -h "C:\Users\Admin\AppData\Roaming\PlayTracing\Method"
            4⤵
            • Views/modifies file attributes
            PID:3972
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe" & del "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\system32\waitfor.exe
          waitfor /t 10 pause /d y
          3⤵
            PID:468
          • C:\Windows\system32\attrib.exe
            attrib -h "C:\Users\Admin\AppData\Local\Temp\e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08.exe"
            3⤵
            • Views/modifies file attributes
            PID:1168

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\PlayTracing\Method

        Filesize

        1.9MB

        MD5

        49d4bdfa882c8458b86b1e4a5e79c92d

        SHA1

        6c4c9f61119fdc3d9c31e11f9cef3b0902b81884

        SHA256

        e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08

        SHA512

        08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57

      • C:\Users\Admin\AppData\Roaming\PlayTracing\Method

        Filesize

        1.9MB

        MD5

        49d4bdfa882c8458b86b1e4a5e79c92d

        SHA1

        6c4c9f61119fdc3d9c31e11f9cef3b0902b81884

        SHA256

        e3d6d045380162b7c6f71def8ba6aa8bd1c846db2095e7c1d9fc127970dfac08

        SHA512

        08313dba9dfa4d3432a374a48e1ad487030c7017947050895f87549efd0545e8df18c00d42aa8a7625d827861a3ab074bf6d104821cb4632e88c43c174c59e57

      • memory/3536-136-0x0000000002030000-0x00000000021F0000-memory.dmp

        Filesize

        1.8MB

      • memory/3536-130-0x0000000140000000-0x00000001401E0000-memory.dmp

        Filesize

        1.9MB

      • memory/4308-137-0x0000000140000000-0x00000001401E0000-memory.dmp

        Filesize

        1.9MB

      • memory/4308-140-0x0000000002170000-0x0000000002330000-memory.dmp

        Filesize

        1.8MB