hades | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

max time kernel
99s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/Hades_29_03_2021_1909KB.exe
Size

1.9MB
MD5

9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1

7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256

fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512

8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe
SSDEEP

49152:zHOalx8WJjq64Hv7OHxTAhEu5undVmB9dn5AI7EyP3S:Z/8WJjiPSRRu5undVmDd5VEyvS

Score

10^/10

hades cryptone packer ransomware

Malware Config

Extracted

Path

C:\Users\Admin\HOW-TO-DECRYPT-gn9cj.txt

Ransom Note

[+] What happened? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.gn9cj By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! - Download and install TOR browser from this site: hxxps://torproject.org/ - Open our website: hxxp://khfsk3ffg3av3rha.onion - Follow the on-screen instructions Extension name: *.gn9cj ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere. !!! !!! !!! ��

Signatures

Hades Ransomware
Ransomware family attributed to Evil Corp APT first seen in late 2020.
ransomware hades
Hades family
hades

Hades payload 4 IoCs

resource	yara_rule
behavioral1/memory/1808-1-0x0000000140000000-0x00000001401E2000-memory.dmp	family_hades
behavioral1/memory/1320-9-0x0000000140000000-0x00000001401E2000-memory.dmp	family_hades
behavioral1/memory/1320-328-0x0000000140000000-0x00000001401E2000-memory.dmp	family_hades
behavioral1/memory/1808-330-0x0000000140000000-0x00000001401E2000-memory.dmp	family_hades

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

resource	yara_rule
behavioral1/files/0x001a00000002b415-6.dat	cryptone

Renames multiple (154) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
1320	Self

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1320	1808	Hades_29_03_2021_1909KB.exe	78
PID 1808 wrote to memory of 1320	1808	Hades_29_03_2021_1909KB.exe	78
PID 1320 wrote to memory of 644	1320	Self	79
PID 1320 wrote to memory of 644	1320	Self	79
PID 1808 wrote to memory of 5276	1808	Hades_29_03_2021_1909KB.exe	81
PID 1808 wrote to memory of 5276	1808	Hades_29_03_2021_1909KB.exe	81
PID 644 wrote to memory of 2612	644	cmd.exe	83
PID 644 wrote to memory of 2612	644	cmd.exe	83
PID 5276 wrote to memory of 4600	5276	cmd.exe	84
PID 5276 wrote to memory of 4600	5276	cmd.exe	84
PID 5276 wrote to memory of 848	5276	cmd.exe	86
PID 5276 wrote to memory of 848	5276	cmd.exe	86
PID 644 wrote to memory of 5896	644	cmd.exe	85
PID 644 wrote to memory of 5896	644	cmd.exe	85

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
848	attrib.exe
5896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe bcdedit /set shutdown /r /f /t 2
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Roaming\DddsProcessor\Self
  C:\Users\Admin\AppData\Roaming\DddsProcessor\Self bcdedit /set shutdown /r /f /t 2 /go
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\DddsProcessor\Self" & del "C:\Users\Admin\AppData\Roaming\DddsProcessor\Self" & rd "C:\Users\Admin\AppData\Roaming\DddsProcessor\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\system32\waitfor.exe
      waitfor /t 10 pause /d y
      4⤵
      PID:2612
  - - C:\Windows\system32\attrib.exe
      attrib -h "C:\Users\Admin\AppData\Roaming\DddsProcessor\Self"
      4⤵
      Views/modifies file attributes
      PID:5896
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & rd "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5276
- - C:\Windows\system32\waitfor.exe
    waitfor /t 10 pause /d y
    3⤵
    PID:4600
- - C:\Windows\system32\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"
    3⤵
    - Views/modifies file attributes
    PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DddsProcessor\Self

Filesize
1.9MB

MD5
9fa1ba3e7d6e32f240c790753cdaaf8e

SHA1
7bcea3fbfcb4c170c57c9050499e1fae40f5d731

SHA256
fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87

SHA512
8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe

Download Submit
C:\Users\Admin\HOW-TO-DECRYPT-gn9cj.txt

Filesize
3KB

MD5
0c6d0a67b942d06fe27f41c7c582cdfe

SHA1
7e674cf6375b138cabca2706583d4ced7a1aef27

SHA256
014ea5effc97085b7832512b9ad2a5c4487265eb67e8d7b0920ef2bc8768400c

SHA512
53ec4509bc58f53419a8923d808c7dfdecf57dc203c37265d061aebab73147720d1c419e79578065a42c3b2a63504370f90516c3f0afad5d6997952592d3a39c

Download Submit
memory/1320-8-0x00000000020F0000-0x00000000022B2000-memory.dmp

Filesize
1.8MB

Download
memory/1320-9-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1320-328-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1320-329-0x00000000020F0000-0x00000000022B2000-memory.dmp

Filesize
1.8MB

Download
memory/1808-0-0x0000000002090000-0x0000000002252000-memory.dmp

Filesize
1.8MB

Download
memory/1808-1-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1808-331-0x0000000002090000-0x0000000002252000-memory.dmp

Filesize
1.8MB

Download
memory/1808-330-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download

Resubmissions

Analysis