Analysis
-
max time kernel
142s -
max time network
128s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
02-10-2020 18:04
General
-
Target
ky.bin.exe
-
Size
421KB
-
MD5
80143152971ee77d14bb77c8d10346ec
-
SHA1
6c6e9ebe1e11714bd4c3584fc5b732ccfb782a05
-
SHA256
7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6
-
SHA512
133f5a81542f5475597b5d2dea84af932ff49df5286a27dc9ce0dfdaa200d52f6cec8fd9f44c07e86e2585195c278874953e4dcd15a5b1a7845f704125e0c36b
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-1400429095-533421673-2598934218-1000\SYMMYWARE.TXT
simmyware@protonmail.ch
Signatures
-
Executes dropped EXE 2 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Control Panel 5 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: EnumeratesProcesses 77 IoCs
-
Suspicious use of AdjustPrivilegeToken 65 IoCs
-
Suspicious use of FindShellTrayWindow 49 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D353.tmp\D354.bat C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PsExec.exepsexec hyBrDFjOidLuty.exe /accepteula -s -high3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hyBrDFjOidLuty.exe"hyBrDFjOidLuty.exe" /accepteula -s -high4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"5⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Control Panel
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Enumerates system info in registry
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\D353.tmp\D354.batMD5
ed53b8acfbea918e8c95e7a39c286d83
SHA119dc601925d5602cb135b9012da4032947b533ac
SHA25646c77d27fab56e047a51a472e9cdd1371e510d7a878bbb693d53dfee37130472
SHA512e2f1bf41ac80f66a45cdc076325f23cb88628c1bc27a166e7f4cd82df357d6abbbe68a42c946b0754ef859aef1a3f4e227d2d2108e20140e3b9e67cd1a88dc73
-
C:\Users\Admin\AppData\Local\Temp\PsExec.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Users\Admin\AppData\Local\Temp\PsExec.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Users\Admin\AppData\Local\Temp\hyBrDFjOidLuty.exeMD5
9ca339da8a96656779074b5caaa76c63
SHA1f6813078253f72bf25c136debe45ac54cfbb7012
SHA256da50730580bd7fe14fca5c3547eb54882b6f79b42cd474530b9b07dd5de4f1ac
SHA5122971f3cbfd65340f33381346fb60e6425282316077b28dd22cd5abc0c5854842cf8dd2936e818204dfa7d3a53ef8b2e924cd1183ae5234513f39b43eb096912d
-
C:\Users\Admin\AppData\Local\Temp\hyBrDFjOidLuty.exeMD5
9ca339da8a96656779074b5caaa76c63
SHA1f6813078253f72bf25c136debe45ac54cfbb7012
SHA256da50730580bd7fe14fca5c3547eb54882b6f79b42cd474530b9b07dd5de4f1ac
SHA5122971f3cbfd65340f33381346fb60e6425282316077b28dd22cd5abc0c5854842cf8dd2936e818204dfa7d3a53ef8b2e924cd1183ae5234513f39b43eb096912d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk.SYMMYWAREMD5
1da5d0b4d7ac5acf4b1749915bc83d91
SHA12e1725c5b1240d44cec7951463049734f6f1f9ad
SHA256a06aa30795875ec12df0ee2f4dfb1b70bddec6fa6569d7dee7eaf685cddbdaad
SHA512409d5161354b622e026b5d1973b69ed42c3cf086f582f625d985e21ac25173622520201490e35a53779befd96a39e21d307a36cd4263471a3222cff39173e9ec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk.SYMMYWAREMD5
77c9348d94dfbefc592558effa1e41a9
SHA1281b1288a4c352a53ac229408bc21beeb786562f
SHA25613939449e79f91153c3dc5815040b22a5dabfb274a92ff63483b39042de7d20f
SHA512483855c60239894f82b82f34268d2d8d2691fb507fc361ed6ba68eb4beaca93f48462f00f971a9a953e3d9da18781b35859d13f24f07e0c0a4351e4ae0938159
-
memory/492-12-0x0000000000000000-mapping.dmp
-
memory/1716-9-0x00007FF96C600000-0x00007FF96CFEC000-memory.dmpFilesize
9.9MB
-
memory/1716-10-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/1716-6-0x0000000000000000-mapping.dmp
-
memory/3288-0-0x0000000000640000-0x0000000000642000-memory.dmpFilesize
8KB
-
memory/3656-1-0x0000000000000000-mapping.dmp
-
memory/3968-3-0x0000000000000000-mapping.dmp