Analysis

  • max time kernel
    134s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    02-10-2020 18:04

General

  • Target

    ky.bin.exe

  • Size

    421KB

  • MD5

    80143152971ee77d14bb77c8d10346ec

  • SHA1

    6c6e9ebe1e11714bd4c3584fc5b732ccfb782a05

  • SHA256

    7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6

  • SHA512

    133f5a81542f5475597b5d2dea84af932ff49df5286a27dc9ce0dfdaa200d52f6cec8fd9f44c07e86e2585195c278874953e4dcd15a5b1a7845f704125e0c36b

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1131729243-447456001-3632642222-1000\SYMMYWARE.TXT

Ransom Note
*-------=SymmiWare=-------* All your files was ciphered by Strong algorythm AES-128. Take your time, no one will be able to decrypt your files without our decryption service. To decrypt files, pay $ 0 in Bitcoins. If you do not have 0 bitcoins (everyone has it) then go to the site localbitcoins.com and there send to our wallet (which we do not have) and write to the mail simmyware@protonmail.ch to get the key and the decoder. We advise you not to mess around because you still do not restore their hands. We've also encrypted all your drives, files on your hard drives and network drives. AES-128 is the Most reliable military-grade cryptographic algorithm. There's no way to hack it, not even with a supercomputer. The file cutter will start in 48 hours. Don't be stupid and ugly like Patrick. Any hacking attempts can fuck all of your data and the locker will turn them into pee-pee. Good luck. Goodbye. P.S I'm not spreading, and I can't. P.P.S. The best time to send a letter: after November 25 (while we register the mail), and the fact that we wrote about 48 hours - it was a joke. We do not count down the time until the system is removed. *-------=SymmiWare=-------*

Emails

simmyware@protonmail.ch

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Modifies service 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 24 IoCs
  • Suspicious use of SendNotifyMessage 39 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ky.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\34C6.tmp\34D7.bat C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Users\Admin\AppData\Local\Temp\PsExec.exe
        psexec hyBrDFjOidLuty.exe /accepteula -s -high
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of WriteProcessMemory
        PID:1192
        • C:\Users\Admin\AppData\Local\Temp\hyBrDFjOidLuty.exe
          "hyBrDFjOidLuty.exe" /accepteula -s -high
          4⤵
          • Executes dropped EXE
          • Modifies extensions of user files
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1912
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            5⤵
              PID:1628
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies service
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1624

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence
      • Registry Run Keys / Startup Folder (1) T1060
      • Modify Existing Service (1) T1031

    Defense Evasion
      • Modify Registry (3) T1112

    Credential Access
      • Credentials in Files (1) T1081

    Collection
      • Data from Local System (1) T1005

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\34C6.tmp\34D7.bat
      MD5

      ed53b8acfbea918e8c95e7a39c286d83

      SHA1

      19dc601925d5602cb135b9012da4032947b533ac

      SHA256

      46c77d27fab56e047a51a472e9cdd1371e510d7a878bbb693d53dfee37130472

      SHA512

      e2f1bf41ac80f66a45cdc076325f23cb88628c1bc27a166e7f4cd82df357d6abbbe68a42c946b0754ef859aef1a3f4e227d2d2108e20140e3b9e67cd1a88dc73

    • C:\Users\Admin\AppData\Local\Temp\PsExec.exe
      MD5

      27304b246c7d5b4e149124d5f93c5b01

      SHA1

      e50d9e3bd91908e13a26b3e23edeaf577fb3a095

      SHA256

      3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

      SHA512

      bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

    • C:\Users\Admin\AppData\Local\Temp\WPDNSE\SYMMYWARE.TXT
      MD5

      faa8bede77570fab1ccd34ffa9a90b9f

      SHA1

      3c6e9946dca8cd2ae364f5d316616d29ce68a336

      SHA256

      82ba2394c2e4b0ccc783a5ab55dd6dc3f91b5ebcda1521e9b9d6b8473a883620

      SHA512

      d70d1a8298e24d5b4cdadcf7fcf480aa4830267421364451deaa09103f2fd6e443a8c00ac27145b4b4cc464d8fef68ad1063b5d7df88aa4e14e71bd6498a51be

    • C:\Users\Admin\AppData\Local\Temp\hyBrDFjOidLuty.exe
      MD5

      9ca339da8a96656779074b5caaa76c63

      SHA1

      f6813078253f72bf25c136debe45ac54cfbb7012

      SHA256

      da50730580bd7fe14fca5c3547eb54882b6f79b42cd474530b9b07dd5de4f1ac

      SHA512

      2971f3cbfd65340f33381346fb60e6425282316077b28dd22cd5abc0c5854842cf8dd2936e818204dfa7d3a53ef8b2e924cd1183ae5234513f39b43eb096912d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk.SYMMYWARE
      MD5

      0d427041202db3e0dd3e2a25056d2a23

      SHA1

      f9d04738f2251adbabe28795c6d635e238b3e7d8

      SHA256

      bdf9015734f3ae6968f01140a366b3684d9b0dea940689ba0d9d85dd63a50b0c

      SHA512

      41ad94b53306a3f6e3ab3ae149118396dedb2ff4b9a7c0ac263f09fd629259c6c1b486bcad665eb6142b7666013dedbfe7c3bca3a39b5e9229e9bcf5b6b99df1

    • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk.SYMMYWARE
      MD5

      91a993cd10363f87b2bafc78576ccc38

      SHA1

      3f17dd2674b6bef24882e4a52d98644cfca80666

      SHA256

      a35f93a1efd43b1216aca3be635c5a7f995149561cce788b0192403471cd6833

      SHA512

      99cb7fee1f4bb92b257d1d31fea43bbe7e9da727f829d6164305de0db68b33bc91290735158baab5cb8a9ab7b872b3c0b303b424041ec939d1fd9bf6e1f83687

    • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk.SYMMYWARE
      MD5

      0260e0ffe7e0bf4aa45a11ebdb44a29f

      SHA1

      39bbfbc76fb7b8808f39737e6dd881b9dd6c423f

      SHA256

      2a28b8e39ebb6be12009b38c456df76e7e31347423a1800054eb74497f72e40d

      SHA512

      2d10621f3d71fcc0dac1cc2e0c25e614e921828e292ad0b77ef89068c5c71524d6bd6fb5c947c3d1b34597cf528bbb882994d74d0faab5e5a24f40aa347deafb

    • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk.SYMMYWARE
      MD5

      510c968ad0ae40018ec96d1ebd3ebbfb

      SHA1

      41df74ad27182fb84bd6678977c5a18145163dc0

      SHA256

      ea11c710f02a0dad110a84b7b819dbdc4c582cd3d7106928d572c31f1bd09cf5

      SHA512

      81ddd4585ee817738651364c27d995595df2d74756bf9f817fa703f66577f4ae36dd47fb63114ced0f89d614e199bbe95408a88da356bd897a137c5a63772df6

    • C:\Users\Admin\Desktop\JoinRead.wma.SYMMYWARE
      MD5

      1c596c5c72d07836518879814d6ea6ea

      SHA1

      ea7bf1a418c0f23dd3d468ead376d2b5a60502ca

      SHA256

      cc58d879fff6c60a73370076a64888e3cf70f59672b1c2b681f174e01e4a4331

      SHA512

      ecc5ceb59e7c4fa9e02f03702c9f91e64bdf28687fe6387c591680c511a6ed0643964d59d3a8a8ea6ce14266ec89459eb4e741ef12e440fee9569a6d21e64e48

    • C:\Users\Admin\Desktop\MoveConvertFrom.png.SYMMYWARE
      MD5

      770c58834e57925afcc80b9c540bed1a

      SHA1

      52a6f977a6ccdfa81ca21f63a16a88fff33fb165

      SHA256

      e069eda832e21c0a5912fd4bdde7b2faa71fc8c50b7409d6d43b14bbdc9b5190

      SHA512

      a185e3863a4840b69fb1d2a279e0fefdc50e6af729c67b1051d4cc77f28bf05b52e23081291aadf9c1787f7cbf019cfa3b2d17e1e06e39501ff9e2c859a03744

    • C:\Users\Admin\Desktop\RegisterShow.svg.SYMMYWARE
      MD5

      aa223b8ee15bd62dcf8098e405562ef9

      SHA1

      aee81e4d91667bc5179572a912319bf2e9984da0

      SHA256

      3b1f87abda7503a9bf2abaee61f5e87ee42ede77ab11eab2571fa9f34036a25b

      SHA512

      a62326e992534e918e05b15881e24dbb3247eb5bf388b1c17b10bc4e80e593cd85890b82a423469465083982fa3e3cc1ab9c2a61f3060419e41089000ae6fa60

    • C:\Users\Admin\Desktop\SYMMYWARE.TXT
      MD5

      faa8bede77570fab1ccd34ffa9a90b9f

      SHA1

      3c6e9946dca8cd2ae364f5d316616d29ce68a336

      SHA256

      82ba2394c2e4b0ccc783a5ab55dd6dc3f91b5ebcda1521e9b9d6b8473a883620

      SHA512

      d70d1a8298e24d5b4cdadcf7fcf480aa4830267421364451deaa09103f2fd6e443a8c00ac27145b4b4cc464d8fef68ad1063b5d7df88aa4e14e71bd6498a51be

    • C:\Users\Admin\Desktop\SubmitOpen.rar.SYMMYWARE
      MD5

      675e8e910e86701c50ca303a329523b1

      SHA1

      2e41567c598f0b9f6ef554fc7a3953c6fbbc1dd3

      SHA256

      4d4baf2a220dc1f6e1682aa4eeb9ba843580805b092a581c7bae18776bbfb229

      SHA512

      3052693a539410641633953842b5f4faf95b1d51b1f6457a3a284c8f3db2fb9d44a0b4e0b79d72f79fa397a2efb6d384a8cb96eeb79f8d01b2991074a39d8710

    • C:\Users\Public\Desktop\Adobe Reader 9.lnk.SYMMYWARE
      MD5

      6722cc0561711f97057637f2b0e07771

      SHA1

      24fb2973c2254abb0401285ef4017c78199169f1

      SHA256

      0ce6426031b41fee887ba3c31727dbc7e3850fb403d3764142a1c92d1fc1e74a

      SHA512

      44289e80fcd4f837e1d7bea1fde710bc60536495c2400380593054d68c0905b47f9ae7ed9c51788f675dd3309be95b4d3aa983ba90345db0ca293608b56b585d

    • C:\Users\Public\Desktop\Firefox.lnk.SYMMYWARE
      MD5

      06098063cf6c3b1ddecc258f97bbfe47

      SHA1

      28c6bb3e5117ac30db2f1ebd151f03d14643fe8a

      SHA256

      0ab09b0082cf043a2248376f2afe9a0376a7544fedd18e28f731c8cfcb6fe6a6

      SHA512

      ef32e3521bc75ae986611d2331ad1008435fa75cadc781f2c92b87b09f769b0b673cfe6b5428f6a92794da6b3a732a630a0563e40dc2a50675c4b84e99b11003

    • C:\Users\Public\Desktop\Google Chrome.lnk.SYMMYWARE
      MD5

      60447c0fb6c4f9b8d21c579147171147

      SHA1

      ec45eff082a624562f19d013ff7deac3c949e3e6

      SHA256

      8b3ef884f839f3fa9f57e6f3aa5f8a87ae1aafc3a235229acb65f20e7f70e50e

      SHA512

      b4eb05afe09b44a927e253a7e570aa6b03f18723a3d0afce0c5a415b742a5f7927dae18597e53ed4c16eac686ec986071b08e94801afd05c695a8dfba2b9724b

    • C:\Users\Public\Desktop\SYMMYWARE.TXT
      MD5

      faa8bede77570fab1ccd34ffa9a90b9f

      SHA1

      3c6e9946dca8cd2ae364f5d316616d29ce68a336

      SHA256

      82ba2394c2e4b0ccc783a5ab55dd6dc3f91b5ebcda1521e9b9d6b8473a883620

      SHA512

      d70d1a8298e24d5b4cdadcf7fcf480aa4830267421364451deaa09103f2fd6e443a8c00ac27145b4b4cc464d8fef68ad1063b5d7df88aa4e14e71bd6498a51be

    • C:\Users\Public\Desktop\VLC media player.lnk.SYMMYWARE
      MD5

      3f6fb15e4f3b84df46d23720c57262ea

      SHA1

      294d3d1a782c0704c1f404b3a0a43ebaae04c4ae

      SHA256

      a389166b894f27ebbd4ce4e8d34ceb629c9ae7ac2f62d637316b99d4cc357711

      SHA512

      f928d712f20cfc88b963b20d52c0d661f68b358254101ebd5d212a39ac38de3c9b11f0e96428d49c82230da0c669a52fdb004c6b4f887ec29c6106ba5ca35a33

    • \Users\Admin\AppData\Local\Temp\hyBrDFjOidLuty.exe
      MD5

      9ca339da8a96656779074b5caaa76c63

      SHA1

      f6813078253f72bf25c136debe45ac54cfbb7012

      SHA256

      da50730580bd7fe14fca5c3547eb54882b6f79b42cd474530b9b07dd5de4f1ac

      SHA512

      2971f3cbfd65340f33381346fb60e6425282316077b28dd22cd5abc0c5854842cf8dd2936e818204dfa7d3a53ef8b2e924cd1183ae5234513f39b43eb096912d

    • memory/896-0-0x00000000001E0000-0x00000000001E2000-memory.dmp
      Filesize

      8KB

    • memory/1192-4-0x0000000000000000-mapping.dmp
    • memory/1624-28-0x0000000003E80000-0x0000000003E81000-memory.dmp
      Filesize

      4KB

    • memory/1624-26-0x0000000003E80000-0x0000000003E81000-memory.dmp
      Filesize

      4KB

    • memory/1624-24-0x0000000003E80000-0x0000000003E81000-memory.dmp
      Filesize

      4KB

    • memory/1624-20-0x0000000003E80000-0x0000000003E81000-memory.dmp
      Filesize

      4KB

    • memory/1624-19-0x0000000003E80000-0x0000000003E81000-memory.dmp
      Filesize

      4KB

    • memory/1624-18-0x0000000003E80000-0x0000000003E81000-memory.dmp
      Filesize

      4KB

    • memory/1628-13-0x0000000000000000-mapping.dmp
    • memory/1876-1-0x0000000000000000-mapping.dmp
    • memory/1912-10-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp
      Filesize

      9.9MB

    • memory/1912-7-0x0000000000000000-mapping.dmp
    • memory/1912-11-0x0000000000090000-0x0000000000091000-memory.dmp
      Filesize

      4KB