Overview

overview

10

Static

static

ky.bin.exe

windows7_x64

10

ky.bin.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ky.bin.zip

  • Size

    418KB

  • Sample

    201002-mtqqh6vd1j

  • MD5

    f7298ae207e762ea2c7be40ea2ac7c40

  • SHA1

    3c09a95848e681d1c91c0ca024800a51d1f72a17

  • SHA256

    da09eaca93ddd6728e2e137d6fee47db0644f2fe79bcc18e3bf2fe6eee55f411

  • SHA512

    0cb2e38768d591664cf60f7fd13c1459f0f4bb9cd3823c3929996e1d241a30eb8360f6d6314115a978ab5471f22a5419371fa5f6c762f7002774e50ccdefcdc6

Score
10/10
persistenceransomwarespyware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1131729243-447456001-3632642222-1000\SYMMYWARE.TXT

Ransom Note
*-------=SymmiWare=-------* All your files was ciphered by Strong algorythm AES-128. Take your time, no one will be able to decrypt your files without our decryption service. To decrypt files, pay $ 0 in Bitcoins. If you do not have 0 bitcoins (everyone has it) then go to the site localbitcoins.com and there send to our wallet (which we do not have) and write to the mail [email protected] to get the key and the decoder. We advise you not to mess around because you still do not restore their hands. We've also encrypted all your drives, files on your hard drives and network drives. AES-128 is the Most reliable military-grade cryptographic algorithm. There's no way to hack it, not even with a supercomputer. The file cutter will start in 48 hours. Don't be stupid and ugly like Patrick. Any hacking attempts can fuck all of your data and the locker will turn them into pee-pee. Good luck. Goodbye. P.S I'm not spreading, and I can't. P.P.S. The best time to send a letter: after November 25 (while we register the mail), and the fact that we wrote about 48 hours - it was a joke. We do not count down the time until the system is removed. *-------=SymmiWare=-------*

Targets

    • Target

      ky.bin

    • Size

      421KB

    • MD5

      80143152971ee77d14bb77c8d10346ec

    • SHA1

      6c6e9ebe1e11714bd4c3584fc5b732ccfb782a05

    • SHA256

      7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6

    • SHA512

      133f5a81542f5475597b5d2dea84af932ff49df5286a27dc9ce0dfdaa200d52f6cec8fd9f44c07e86e2585195c278874953e4dcd15a5b1a7845f704125e0c36b

    Score
    10/10
    ransomwarepersistencespyware

    • Executes dropped EXE

    • Modifies Installed Components in the registry

      persistence

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies service

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks