Overview
overview
10Static
static
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.msi
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
8Ransomware...KB.exe
windows10-2004-x64
10Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1660s -
max time network
1673s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2022 17:54
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral2
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral6
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral8
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral10
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral12
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral13
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral14
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral18
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral20
Sample
RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
RansomwareSamples/Pysa_08_04_2021_500KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral22
Sample
RansomwareSamples/REvil_07_04_2021_121KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
RansomwareSamples/REvil_08_04_2021_121KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral24
Sample
RansomwareSamples/Ragnar_11_02_2020_40KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Ranzy_20_11_2020_138KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Ryuk_21_03_2021_274KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral30
Sample
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
RansomwareSamples/Thanos_23_03_2021_91KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral32
Sample
RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Resource
win10v2004-20220812-en
General
-
Target
RansomwareSamples/Hades_29_03_2021_1909KB.exe
-
Size
1.9MB
-
MD5
9fa1ba3e7d6e32f240c790753cdaaf8e
-
SHA1
7bcea3fbfcb4c170c57c9050499e1fae40f5d731
-
SHA256
fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
-
SHA512
8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe
-
SSDEEP
49152:zHOalx8WJjq64Hv7OHxTAhEu5undVmB9dn5AI7EyP3S:Z/8WJjiPSRRu5undVmDd5VEyvS
Malware Config
Extracted
C:\HOW-TO-DECRYPT-gn9cj.txt
Signatures
-
Hades Ransomware
Ransomware family attributed to Evil Corp APT first seen in late 2020.
-
Hades payload 2 IoCs
resource yara_rule behavioral10/memory/4836-132-0x0000000140000000-0x00000001401E2000-memory.dmp family_hades behavioral10/memory/3064-139-0x0000000140000000-0x00000001401E2000-memory.dmp family_hades -
resource yara_rule behavioral10/files/0x0006000000022e7e-138.dat cryptone behavioral10/files/0x0006000000022e7e-137.dat cryptone -
Executes dropped EXE 1 IoCs
pid Process 3064 Kb -
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ExpandRepair.crw.gn9cj Kb File renamed C:\Users\Admin\Pictures\NewUndo.png => C:\Users\Admin\Pictures\NewUndo.png.gn9cj Kb File opened for modification C:\Users\Admin\Pictures\NewUndo.png.gn9cj Kb File renamed C:\Users\Admin\Pictures\UnpublishConvertTo.tif => C:\Users\Admin\Pictures\UnpublishConvertTo.tif.gn9cj Kb File opened for modification C:\Users\Admin\Pictures\UnpublishConvertTo.tif.gn9cj Kb File renamed C:\Users\Admin\Pictures\ExpandRepair.crw => C:\Users\Admin\Pictures\ExpandRepair.crw.gn9cj Kb -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4836 wrote to memory of 3064 4836 Hades_29_03_2021_1909KB.exe 80 PID 4836 wrote to memory of 3064 4836 Hades_29_03_2021_1909KB.exe 80 PID 3064 wrote to memory of 4124 3064 Kb 82 PID 3064 wrote to memory of 4124 3064 Kb 82 PID 4836 wrote to memory of 1528 4836 Hades_29_03_2021_1909KB.exe 84 PID 4836 wrote to memory of 1528 4836 Hades_29_03_2021_1909KB.exe 84 PID 4124 wrote to memory of 4988 4124 cmd.exe 86 PID 4124 wrote to memory of 4988 4124 cmd.exe 86 PID 1528 wrote to memory of 4896 1528 cmd.exe 87 PID 1528 wrote to memory of 4896 1528 cmd.exe 87 PID 1528 wrote to memory of 3568 1528 cmd.exe 89 PID 4124 wrote to memory of 3188 4124 cmd.exe 88 PID 1528 wrote to memory of 3568 1528 cmd.exe 89 PID 4124 wrote to memory of 3188 4124 cmd.exe 88 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 3188 attrib.exe 3568 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Users\Admin\AppData\Roaming\RendezvousOverlay\KbC:\Users\Admin\AppData\Roaming\RendezvousOverlay\Kb /go2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\RendezvousOverlay\Kb" & del "C:\Users\Admin\AppData\Roaming\RendezvousOverlay\Kb" & rd "C:\Users\Admin\AppData\Roaming\RendezvousOverlay\"3⤵
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y4⤵PID:4988
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Roaming\RendezvousOverlay\Kb"4⤵
- Views/modifies file attributes
PID:3188
-
-
-
-
C:\Windows\SYSTEM32\cmd.execmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & rd "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\"2⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\system32\waitfor.exewaitfor /t 10 pause /d y3⤵PID:4896
-
-
C:\Windows\system32\attrib.exeattrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"3⤵
- Views/modifies file attributes
PID:3568
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.9MB
MD59fa1ba3e7d6e32f240c790753cdaaf8e
SHA17bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA5128d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe
-
Filesize
1.9MB
MD59fa1ba3e7d6e32f240c790753cdaaf8e
SHA17bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA5128d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe