Resubmissions

  • 24/11/2020, 10:13  201124-jt8mhn46hx 10
  • 24/11/2020, 10:10  201124-ykqpsbcqtn 4

Analysis

  • max time kernel
    89s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    24/11/2020, 10:13

General

  • Target
    Cyborg Builder Ransomware V 1.0.exe
  • Size
    2.5MB
  • MD5
    5ad1631fe97a0345cbccf8802468fa7a
  • SHA1
    8599c32e71d39bbd89b7fcae419fdf4619a6d2f3
  • SHA256
    7f5efdf9e9273ed21f90bb095a34140e70d6f38d074c3f0aebfa2e919d4a82cc
  • SHA512
    2acd63d433d33d5a98710da732cddc873655f97848fa4f9672632f956f14e594da96a0e63af39fcf948cc078eb44ea26e424af6eabb771c4acdb97e4f7150814

Score
10/10

Malware Config

Extracted

  • Path
    C:\Users\Admin\Desktop\Cyborg_DECRYPT.txt
  • Ransom Note
    ------------------------ ALL YOUR FILES ARE ENCRYPTED BY CYBORG RANSOMWARE ------------------------
    Don't worry, you can return all your files!
    All your files like documents, photos, databases and other important are encrypted
    What guarantees do we give to you?
    You can send one of your encrypted file and we decrypt it for free.
    You must follow these steps To decrypt your files :
    1) Send $500 bitcoin to wallet :bnar4p9anklap09ahg7aghak6gabai8a
    2) write on our e-mail :cyborg-protonmail.com
    Your personal ID :NP2M97NJ17L3AFR8KP0OQ2L9RJQKMRCMRN1CRC2LAN991RR0O3

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops autorun.inf file 1 TTPs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
  • Modifies registry class 177 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cyborg Builder Ransomware V 1.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Cyborg Builder Ransomware V 1.0.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2036
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
      PID:344
    • C:\Users\Admin\Desktop\Ransom.exe
      "C:\Users\Admin\Desktop\Ransom.exe"
      1⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://2no.co/2f8nx5
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1928
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Cyborg_DECRYPT.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:744
    • C:\PROGRA~2\MICROS~1\Office14\OIS.EXE
      "C:\PROGRA~2\MICROS~1\Office14\OIS.EXE" /shellOpen "C:\Users\Admin\Desktop\Cyborg_DECRYPT.jpg"
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1344

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1480-158-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp
    Filesize: 2.5MB
  • memory/1928-176-0x0000000006140000-0x0000000006163000-memory.dmp
    Filesize: 140KB
  • memory/1928-177-0x0000000006D40000-0x0000000006D97000-memory.dmp
    Filesize: 348KB
  • memory/2036-44-0x0000000007E70000-0x0000000007E72000-memory.dmp
    Filesize: 8KB
  • memory/2036-56-0x0000000007E70000-0x0000000007E72000-memory.dmp
    Filesize: 8KB
  • memory/2036-52-0x0000000007E70000-0x0000000007E72000-memory.dmp
    Filesize: 8KB
  • memory/2036-48-0x0000000007E70000-0x0000000007E72000-memory.dmp
    Filesize: 8KB