Analysis

  • max time kernel: 134s
  • max time network: 138s
  • platform: windows7_x64
  • resource: win7
  • submitted: 02/10/2020, 18:04

General

  • Target: ky.bin.exe
  • Size: 421KB
  • MD5: 80143152971ee77d14bb77c8d10346ec
  • SHA1: 6c6e9ebe1e11714bd4c3584fc5b732ccfb782a05
  • SHA256: 7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6
  • SHA512: 133f5a81542f5475597b5d2dea84af932ff49df5286a27dc9ce0dfdaa200d52f6cec8fd9f44c07e86e2585195c278874953e4dcd15a5b1a7845f704125e0c36b

Malware Config

Extracted

Path: C:\$Recycle.Bin\S-1-5-21-1131729243-447456001-3632642222-1000\SYMMYWARE.TXT

Ransom Note:
*-------=SymmiWare=-------* All your files was ciphered by Strong algorythm AES-128. Take your time, no one will be able to decrypt your files without our decryption service. To decrypt files, pay $ 0 in Bitcoins. If you do not have 0 bitcoins (everyone has it) then go to the site localbitcoins.com and there send to our wallet (which we do not have) and write to the mail [email protected] to get the key and the decoder. We advise you not to mess around because you still do not restore their hands. We've also encrypted all your drives, files on your hard drives and network drives. AES-128 is the Most reliable military-grade cryptographic algorithm. There's no way to hack it, not even with a supercomputer. The file cutter will start in 48 hours. Don't be stupid and ugly like Patrick. Any hacking attempts can fuck all of your data and the locker will turn them into pee-pee. Good luck. Goodbye. P.S I'm not spreading, and I can't. P.P.S. The best time to send a letter: after November 25 (while we register the mail), and the fact that we wrote about 48 hours - it was a joke. We do not count down the time until the system is removed. *-------=SymmiWare=-------*

Signatures

  • Executes dropped EXE (2 IoCs)
  • Modifies Installed Components in the registry (2 TTPs)
  • Modifies extensions of user files (8 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Modifies service (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)

    NtSetInformationThread with the ThreadHideFromDebugger class detaches the calling thread from any attached debugger, a common anti-analysis check.

  • Modifies Internet Explorer settings (1 TTP, 2 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (30 IoCs)
  • Suspicious use of AdjustPrivilegeToken (11 IoCs)
  • Suspicious use of FindShellTrayWindow (24 IoCs)
  • Suspicious use of SendNotifyMessage (39 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ky.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\34C6.tmp\34D7.bat C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Users\Admin\AppData\Local\Temp\PsExec.exe
        psexec hyBrDFjOidLuty.exe /accepteula -s -high
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Users\Admin\AppData\Local\Temp\hyBrDFjOidLuty.exe
          "hyBrDFjOidLuty.exe" /accepteula -s -high
          4⤵
          • Executes dropped EXE
          • Modifies extensions of user files
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            5⤵
            PID:1628
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies service
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1624
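The tree above is worth reading as data rather than as a list. ky.bin.exe reaches cmd.exe through the sysnative alias, which only resolves for a 32-bit process on 64-bit Windows, so the sample is a WOW64 process. The batch file in %TEMP% runs a dropped PsExec, and PsExec starts hyBrDFjOidLuty.exe, the process that renames user files and drops the startup entry. Note the PsExec argument order: the program name comes before /accepteula -s -high, so PsExec stops parsing switches there and hands those tokens to the program, which is exactly what the child's command line shows. The payload therefore did not get the SYSTEM context that -s would have given it. The script below is an added example, not part of the sandbox's own tooling: it encodes these checks and runs them over the rows of this tree, transcribed by hand into a constructed list of (pid, ppid, image, cmdline) tuples; the row format, the finding strings and the use of ppid None for the two roots are this example's own. parse_psexec follows the documented `psexec [\\computer] [options] program [arguments]` syntax, so it also handles remote and correctly ordered -s invocations that do not appear in this report.

```python
"""Triage checks over the process tree of this sandbox report.

Added example, not the sandbox vendor's code. PROCESSES is a constructed
flat list of (pid, ppid, image, cmdline) rows transcribed from the Processes
section above; ppid None marks the two roots (this example's convention).
"""
import re

PROCESSES = [
    (896, None, r"C:\Users\Admin\AppData\Local\Temp\ky.bin.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"'),
    (1876, 896, r"C:\Windows\system32\cmd.exe",
     r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp'
     r'\34C6.tmp\34D7.bat C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"'),
    (1192, 1876, r"C:\Users\Admin\AppData\Local\Temp\PsExec.exe",
     "psexec hyBrDFjOidLuty.exe /accepteula -s -high"),
    (1912, 1192, r"C:\Users\Admin\AppData\Local\Temp\hyBrDFjOidLuty.exe",
     '"hyBrDFjOidLuty.exe" /accepteula -s -high'),
    (1628, 1912, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    (1624, None, r"C:\Windows\explorer.exe", "explorer.exe"),
]

TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
TEMP_BATCH = re.compile(r"\\appdata\\local\\temp\\.*?\.(?:bat|cmd)\b", re.I)
# PsExec switches an operator would expect to take effect (SYSTEM, elevation,
# priority, detach, interactive); if they land after the program name they do not.
PRIV_SWITCHES = ("-s", "-h", "-high", "-d", "-i")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole
    and dropping the surrounding quotes. Backslashes are not escapes here."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_psexec(cmdline):
    """Split a PsExec command line into (target, options, program, args).

    Syntax: psexec [\\computer] [options] program [arguments]. Switch parsing
    stops at the first non-switch token; everything after it goes to program.
    """
    toks = tokenize(cmdline)[1:]
    target = None
    if toks and toks[0].startswith("\\\\"):
        target = toks.pop(0)
    options = []
    while toks and toks[0][:1] in ("-", "/"):
        options.append(toks.pop(0).lower())
    program = toks[0] if toks else None
    return target, options, program, toks[1:]


def basename(image):
    return image.rsplit("\\", 1)[-1]


def ancestry(processes, pid):
    """Image names from the root down to pid, for a one-line lineage."""
    by_pid = {row[0]: row for row in processes}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return chain[::-1]


def triage(processes):
    """Return {pid: [finding, ...]} for the rows that deserve a second look."""
    by_pid = {row[0]: row for row in processes}
    findings = {}

    def note(pid, text):
        findings.setdefault(pid, []).append(text)

    for pid, ppid, image, cmdline in processes:
        name = basename(image).lower()
        toks = tokenize(cmdline)
        parent_image = by_pid[ppid][2] if ppid in by_pid else ""

        # An .exe under %TEMP% started by another tree member is a drop; the
        # submitted sample is a root and is expected to live there.
        if ppid is not None and name.endswith(".exe") and TEMP_DIR.search(image):
            note(pid, "dropped executable run from %TEMP%")

        if name == "cmd.exe" and "/c" in [t.lower() for t in toks] and TEMP_BATCH.search(cmdline):
            note(pid, "cmd.exe /c running a batch file from %TEMP%")

        # The sysnative alias only resolves for 32-bit processes on 64-bit
        # Windows, so its presence reveals the parent's bitness.
        if toks and "\\sysnative\\" in toks[0].lower():
            note(pid, "launched via sysnative: parent pid %s is a 32-bit (WOW64) process" % ppid)

        if name == "psexec.exe":
            target, options, program, args = parse_psexec(cmdline)
            note(pid, "PsExec launched %s %s" % (program, "on " + target if target else "locally"))
            if "-s" in options:
                note(pid, "PsExec -s: %s runs as SYSTEM" % program)
            misplaced = [a for a in args if a.lower() in PRIV_SWITCHES]
            if misplaced:
                note(pid, "%s placed after the program name, so they were passed to %s, not to PsExec"
                     % (" ".join(misplaced), program))

        if name == "explorer.exe" and TEMP_DIR.search(parent_image):
            note(pid, "explorer.exe re-spawned by a %%TEMP%% executable (pid %s)" % ppid)

    return findings


if __name__ == "__main__":
    for pid, notes in sorted(triage(PROCESSES).items()):
        print("%s  [%s]" % (pid, " > ".join(ancestry(PROCESSES, pid))))
        for line in notes:
            print("    - " + line)
```

Run as-is it reports on pids 1876, 1192, 1912 and 1628 and stays silent on the two roots. The PsExec check is deliberately split into "what the operator typed" and "what PsExec actually did": a rule that only greps for `-s` on a PsExec command line would have scored this run as a SYSTEM launch, while the argument-order parse (confirmed by the child's own command line in the tree) shows the switches never reached PsExec.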

Network

MITRE ATT&CK Enterprise v6
Downloads

  • memory/896-0-0x00000000001E0000-0x00000000001E2000-memory.dmp (8KB)
  • memory/1624-28-0x0000000003E80000-0x0000000003E81000-memory.dmp (4KB)
  • memory/1624-26-0x0000000003E80000-0x0000000003E81000-memory.dmp (4KB)
  • memory/1624-24-0x0000000003E80000-0x0000000003E81000-memory.dmp (4KB)
  • memory/1624-20-0x0000000003E80000-0x0000000003E81000-memory.dmp (4KB)
  • memory/1624-19-0x0000000003E80000-0x0000000003E81000-memory.dmp (4KB)
  • memory/1624-18-0x0000000003E80000-0x0000000003E81000-memory.dmp (4KB)
  • memory/1912-10-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp (9.9MB)
  • memory/1912-11-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)