Overview

overview

10

Static

static

ky.bin.exe

windows7_x64

10

ky.bin.exe

windows10_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    02/10/2020, 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ky.bin.exe

  • Size

    421KB

  • MD5

    80143152971ee77d14bb77c8d10346ec

  • SHA1

    6c6e9ebe1e11714bd4c3584fc5b732ccfb782a05

  • SHA256

    7860832a25f403c43865c00bd072fa58b2da66bc81152eec30582ad0a72932e6

  • SHA512

    133f5a81542f5475597b5d2dea84af932ff49df5286a27dc9ce0dfdaa200d52f6cec8fd9f44c07e86e2585195c278874953e4dcd15a5b1a7845f704125e0c36b

Score
10/10
ransomwarepersistencespyware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1400429095-533421673-2598934218-1000\SYMMYWARE.TXT

Ransom Note
*-------=SymmiWare=-------* All your files was ciphered by Strong algorythm AES-128. Take your time, no one will be able to decrypt your files without our decryption service. To decrypt files, pay $ 0 in Bitcoins. If you do not have 0 bitcoins (everyone has it) then go to the site localbitcoins.com and there send to our wallet (which we do not have) and write to the mail [email protected] to get the key and the decoder. We advise you not to mess around because you still do not restore their hands. We've also encrypted all your drives, files on your hard drives and network drives. AES-128 is the Most reliable military-grade cryptographic algorithm. There's no way to hack it, not even with a supercomputer. The file cutter will start in 48 hours. Don't be stupid and ugly like Patrick. Any hacking attempts can fuck all of your data and the locker will turn them into pee-pee. Good luck. Goodbye. P.S I'm not spreading, and I can't. P.P.S. The best time to send a letter: after November 25 (while we register the mail), and the fact that we wrote about 48 hours - it was a joke. We do not count down the time until the system is removed. *-------=SymmiWare=-------*

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Control Panel 5 IoCs
    evasion
  • Modifies registry class 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 77 IoCs
  • Suspicious use of AdjustPrivilegeToken 65 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ky.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D353.tmp\D354.bat C:\Users\Admin\AppData\Local\Temp\ky.bin.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Users\Admin\AppData\Local\Temp\PsExec.exe
        psexec hyBrDFjOidLuty.exe /accepteula -s -high
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3968
        • C:\Users\Admin\AppData\Local\Temp\hyBrDFjOidLuty.exe
          "hyBrDFjOidLuty.exe" /accepteula -s -high
          4⤵
          • Executes dropped EXE
          • Modifies extensions of user files
          • Drops startup file
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            5⤵
            • Enumerates connected drives
            • Checks SCSI registry key(s)
            • Modifies Control Panel
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:492
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:1600
    • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
      1⤵
      • Enumerates system info in registry
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3672
    • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
      "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
      1⤵
      • Modifies Control Panel
      • Suspicious use of SetWindowsHookEx
      PID:1948

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1716-9-0x00007FF96C600000-0x00007FF96CFEC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1716-10-0x00000000002B0000-0x00000000002B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3288-0-0x0000000000640000-0x0000000000642000-memory.dmp

      Filesize

      8KB

      Download