1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62

General

Target

YourCyanide.cmd
Size

90KB
Sample

220518-axmh5abbc9
MD5

4cb725f17bec289507f9e8249c8ea80e
SHA1

a7034e84cb884bf90e61ce3b621424bec57334ae
SHA256

1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62
SHA512

776982eab99b1285c209b71e2fd39e2765e9ce392a6c310208e72157dab3895b0b5a7c8b63d72e69bc507c88faec90a2f8f57788873f1a617a2659e22d2b7288

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe

Extracted

Path

C:\Users\Admin\Desktop\YcynNote.txt

Ransom Note

Q: What happened to my files? A: Oops your files have been encrypted by YourCyanide. Q: how can I get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happens if I dont pay A: You will never get your files back. Q: How can I contact you A: contact at [email protected] ++++++++++++++++++++++++++++++++++++++++++++ 18064 Files have been encrypted

Emails

[email protected]

Targets

- Target
  
  YourCyanide.cmd
- Size
  
  90KB
- MD5
  
  4cb725f17bec289507f9e8249c8ea80e
- SHA1
  
  a7034e84cb884bf90e61ce3b621424bec57334ae
- SHA256
  
  1f3e3ed8e708fc98bddddca71de7b9e21c6d2a4b2bf019c260e0b707140f9f62
- SHA512
  
  776982eab99b1285c209b71e2fd39e2765e9ce392a6c310208e72157dab3895b0b5a7c8b63d72e69bc507c88faec90a2f8f57788873f1a617a2659e22d2b7288
Score

10^/10

evasion persistence ransomware
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1