Overview

overview

10

Static

static

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

7

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

9

Ransomware...KB.exe

windows10-ltsc_2021-x64

9

Ransomware...KB.ps1

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Ransomware...KB.msi

windows10-ltsc_2021-x64

10

Ransomware...KB.exe

windows10-ltsc_2021-x64

10

Resubmissions

31/03/2025, 00:22

250331-apdw1ssjs8 10

28/03/2025, 22:52

250328-2tfd7avl15 10

25/03/2025, 14:57

250325-sb3mbsxxht 10

Analysis

  • max time kernel
    423s
  • max time network
    531s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    28/03/2025, 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RansomwareSamples/Phoenix_29_03_2021_1930KB.exe

  • Size

    1.9MB

  • MD5

    d86f451bbff804e59a549f9fb33d6e3f

  • SHA1

    3cb0cb07cc2542f1d98060adccda726ea865db98

  • SHA256

    008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549

  • SHA512

    c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2

  • SSDEEP

    49152:olyGDEemRoq2KKpgL5lWKDFcmjkf8cudB/8WjM:UYerFq/FgUcuf/85

Score
10/10
hadescryptonepackerransomware

Malware Config

Signatures

  • Hades Ransomware

    Ransomware family attributed to Evil Corp APT first seen in late 2020.

    ransomwarehades
  • Hades family
    hades
  • Hades payload 5 IoCs
  • CryptOne packer 1 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Renames multiple (164) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Phoenix_29_03_2021_1930KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Phoenix_29_03_2021_1930KB.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Users\Admin\AppData\Roaming\FactorsProviders\Rpc
      C:\Users\Admin\AppData\Roaming\FactorsProviders\Rpc /go
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\FactorsProviders\Rpc" & del "C:\Users\Admin\AppData\Roaming\FactorsProviders\Rpc" & rd "C:\Users\Admin\AppData\Roaming\FactorsProviders\"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\system32\waitfor.exe
          waitfor /t 10 pause /d y
          4⤵
            PID:2892
          • C:\Windows\system32\attrib.exe
            attrib -h "C:\Users\Admin\AppData\Roaming\FactorsProviders\Rpc"
            4⤵
            • Views/modifies file attributes
            PID:2864
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Phoenix_29_03_2021_1930KB.exe" & del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Phoenix_29_03_2021_1930KB.exe" & rd "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3760
        • C:\Windows\system32\waitfor.exe
          waitfor /t 10 pause /d y
          3⤵
            PID:856
          • C:\Windows\system32\attrib.exe
            attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Phoenix_29_03_2021_1930KB.exe"
            3⤵
            • Views/modifies file attributes
            PID:3976

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\FactorsProviders\Rpc
        Filesize

        1.9MB

        MD5

        d86f451bbff804e59a549f9fb33d6e3f

        SHA1

        3cb0cb07cc2542f1d98060adccda726ea865db98

        SHA256

        008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549

        SHA512

        c86ad7e1d5c445d4de9866faab578b2eb04f72ffef4fac380b7164003471b4b48b09772e735ea15205e2ab4a1f4d194d188cdeb12c7199d0824ddaba393dcaa2

        Download Submit

      • C:\Users\Admin\PHOENIX-HELP.txt
        Filesize

        1KB

        MD5

        da5d4b050389dea3bccf57dcb9be5a07

        SHA1

        72a35a5cc4439111d51a685e2eb1bfee53d28121

        SHA256

        109fcc906bd7387dc22d43bf44d4a3b73d4b5300863185ccd9a2b734791a4343

        SHA512

        42382e3c26fd4fd056db19a8130645a79d9a1741bfff9a980f2e5c65be74c41a6690ebc2595cc7736e84edccaf0b5ebe7cc9a5014cc650c51bbbccefa89511d0

        Download Submit

      • memory/460-0-0x0000000002190000-0x0000000002350000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/460-1-0x0000000140000000-0x00000001401E4000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/460-5-0x0000000140000000-0x00000001401E4000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/460-6-0x0000000002190000-0x0000000002350000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/460-350-0x0000000140000000-0x00000001401E4000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2024-8-0x0000000002220000-0x00000000023E0000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2024-9-0x0000000140000000-0x00000001401E4000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2024-348-0x0000000140000000-0x00000001401E4000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2024-349-0x0000000002220000-0x00000000023E0000-memory.dmp

        Filesize

        1.8MB

        Download