6d4eafaeac05daa575d551127bffc77e92fae88887c3168318fe50dc26b8d725

General

Target

YourCyanide.bat
Size

150KB
Sample

220522-3e4znseeel
MD5

fdd17cbaa7423d1c9ca1ffb376d30b36
SHA1

47986c795d7a2521408f4f63a6b068c054659bc7
SHA256

6d4eafaeac05daa575d551127bffc77e92fae88887c3168318fe50dc26b8d725
SHA512

3aa57c435f462bea43ba87d527603ceabedff24c1353e64dc9b6e2c89956d2216030030e14056095afb4db17eb44f6f33dbed95054d5852cd9a4eccb5d6088cf

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/974798125011198003/976894591552860220/NoKeyB.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/974798125011198003/976939955140038656/GetToken.exe

Extracted

Path

C:\Users\Admin\Desktop\YcynNote.txt

Ransom Note

Q: What happened to my files? A: Oops your files have been encrypted by YourCyanide. Q: how can I get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happens if I dont pay? A: You will never get your files back. Q: How can I contact you? A: contact at yourcyanide.help@gmail.com. Q: How many files were encrypted? A: 24327 files have been encrypted. -Love YourCyanide 1:27:12.08, Mon 05/23/2022

Emails

yourcyanide.help@gmail.com

Extracted

Path

C:\Users\Admin\Desktop\YcynNote.txt

Ransom Note

Q: What happened to my files? A: Oops your files have been encrypted by YourCyanide. Q: how can I get them back? A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. Q: What happens if I dont pay? A: You will never get your files back. Q: How can I contact you? A: contact at yourcyanide.help@gmail.com. Q: How many files were encrypted? A: 24327 files have been encrypted. -Love YourCyanide 1:27:16.63, Mon 05/23/2022

Emails

yourcyanide.help@gmail.com

Targets

- Target
  
  YourCyanide.bat
- Size
  
  150KB
- MD5
  
  fdd17cbaa7423d1c9ca1ffb376d30b36
- SHA1
  
  47986c795d7a2521408f4f63a6b068c054659bc7
- SHA256
  
  6d4eafaeac05daa575d551127bffc77e92fae88887c3168318fe50dc26b8d725
- SHA512
  
  3aa57c435f462bea43ba87d527603ceabedff24c1353e64dc9b6e2c89956d2216030030e14056095afb4db17eb44f6f33dbed95054d5852cd9a4eccb5d6088cf
Score

10^/10

collection evasion persistence ransomware spyware stealer suricata
- suricata: ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
  suricata: ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND
  suricata
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3