General

  • Target

    YourCyanide.bat

  • Size

    110KB

  • Sample

    220523-x36khsgagj

  • MD5

    ec021aca2f2a3b5725e0e28dd5d43578

  • SHA1

    879d5e39d279cb39773d55dbf75130bee2c61a55

  • SHA256

    59206d147fdb9aa0b350d1d5e68cf2c041ffbc85f544a041dd153d407abd2db4

  • SHA512

    91ebd89588caa0fc9a7bc43cfc06f48b021e4054002701619ee8a76cd407d503100c8ef9e1809120b9970c154a0f74992c393e7f5955058f5889e0a82249c8ad

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\YcynNote.txt

Ransom Note

Q: What happened to my files?
A: Oops your files have been encrypted by YourCyanide.
Q: how can I get them back?
A: You can get them back by paying $500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf.
Q: What happens if I dont pay?
A: You will never get your files back.
Q: How can I contact you?
A: contact at yourcyanide.help@gmail.com.
Q: How many files were encrypted?
A: 9269 files have been encrypted.
-Love YourCyanide Mon 05/23/2022, 19:24:18.97

Emails

yourcyanide.help@gmail.com
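The extracted configuration above (wallet, contact e-mail, file count, sign-off timestamp) and the hash set in the General section are the two things an analyst reuses from a report like this. The following is an added example, not the malware's code and not the sandbox's extractor: it pulls those indicators out of the quoted note and checks an arbitrary byte string against the report's hashes. It assumes the "Q: ... A: ..." layout and the "-Love <name> <Day mm/dd/yyyy, hh:mm:ss.cc>" sign-off seen in this note (the format cmd.exe's %DATE% and %TIME% produce); matching legacy 1.../3... Bitcoin addresses is an extension beyond what this note shows.

```python
"""Parse a YourCyanide-style ransom note and verify a file against the report's hashes.

Added example for this report; not the malware's code and not sandbox code.
NOTE_TEXT is the note quoted in the report.  Assumed: the "Q: ... A: ..." layout
and the "-Love <name> <Day mm/dd/yyyy, hh:mm:ss.cc>" sign-off.  Legacy (1.../3...)
Bitcoin address matching goes beyond what this note shows.
"""
import hashlib
import json
import re

# The note as quoted in the report (C:\Users\Admin\Desktop\YcynNote.txt).
NOTE_TEXT = (
    "Q: What happened to my files? A: Oops your files have been encrypted by "
    "YourCyanide. Q: how can I get them back? A: You can get them back by paying "
    "$500 in bitcoin to this btc wallet bc1qrl532s9r2qge8d8p7qlrq57dc4uhssqjexmlwf. "
    "Q: What happens if I dont pay? A: You will never get your files back. "
    "Q: How can I contact you? A: contact at yourcyanide.help@gmail.com. "
    "Q: How many files were encrypted? A: 9269 files have been encrypted. "
    "-Love YourCyanide Mon 05/23/2022, 19:24:18.97"
)

# File hashes listed in the report for YourCyanide.bat.
SAMPLE_HASHES = {
    "md5": "ec021aca2f2a3b5725e0e28dd5d43578",
    "sha1": "879d5e39d279cb39773d55dbf75130bee2c61a55",
    "sha256": "59206d147fdb9aa0b350d1d5e68cf2c041ffbc85f544a041dd153d407abd2db4",
    "sha512": "91ebd89588caa0fc9a7bc43cfc06f48b021e4054002701619ee8a76cd407d503"
              "100c8ef9e1809120b9970c154a0f74992c393e7f5955058f5889e0a82249c8ad",
}

# bech32 (bc1...) as in the note, plus legacy base58 addresses (assumed extension).
BTC_RE = re.compile(r"\b(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# Requires a word character after each dot, so the sentence-ending "." is not captured.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
USD_RE = re.compile(r"\$\s*(\d[\d,]*(?:\.\d+)?)")
COUNT_RE = re.compile(r"(\d[\d,]*)\s+files\s+(?:have been|were)\s+encrypted", re.I)
FAMILY_RE = re.compile(r"encrypted by\s+([A-Za-z0-9_-]+)", re.I)
SIGNOFF_RE = re.compile(
    r"-Love\s+(?P<who>\S+)\s+"
    r"(?P<when>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+\d{1,2}/\d{1,2}/\d{4},?\s+"
    r"\d{1,2}:\d{2}:\d{2}(?:\.\d+)?)"
)


def parse_qa(body):
    """Split the note body into (question, answer) pairs on its Q:/A: markers."""
    pairs = []
    for chunk in re.split(r"\bQ:\s*", body)[1:]:
        question, _, answer = chunk.partition(" A: ")
        pairs.append((question.strip(), answer.strip()))
    return pairs


def extract_note(text):
    """Return the operator-facing indicators from a note as a dict."""
    signoff = SIGNOFF_RE.search(text)
    body = text[: signoff.start()] if signoff else text
    fam = FAMILY_RE.search(text)
    usd = USD_RE.search(text)
    cnt = COUNT_RE.search(text)
    return {
        "family": fam.group(1) if fam else None,
        "btc_wallets": list(dict.fromkeys(BTC_RE.findall(text))),
        "emails": list(dict.fromkeys(EMAIL_RE.findall(text))),
        "ransom_usd": usd.group(1).replace(",", "") if usd else None,
        "files_encrypted": int(cnt.group(1).replace(",", "")) if cnt else None,
        "signed_by": signoff.group("who") if signoff else None,
        "timestamp": signoff.group("when") if signoff else None,
        "qa": parse_qa(body),
    }


def file_hashes(data):
    """Hex digests of the four algorithms the report lists, for a byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def is_reported_sample(data):
    """True only if every listed hash matches, so a single collision cannot fool it."""
    digests = file_hashes(data)
    return all(digests[name] == value for name, value in SAMPLE_HASHES.items())


if __name__ == "__main__":
    print(json.dumps(extract_note(NOTE_TEXT), indent=2))
    # Feed a real file with: python this.py < YourCyanide.bat
    import sys
    if not sys.stdin.isatty():
        print("matches report hashes:", is_reported_sample(sys.stdin.buffer.read()))
```

Comparing all four digests rather than MD5 alone costs nothing and removes the MD5-collision caveat; the note parser keeps the Q/A pairs verbatim so a later variant that changes the wording of one answer still yields the wallet and e-mail.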

Targets

    • Target

      YourCyanide.bat

    • Size

      110KB

    • MD5

      ec021aca2f2a3b5725e0e28dd5d43578

    • SHA1

      879d5e39d279cb39773d55dbf75130bee2c61a55

    • SHA256

      59206d147fdb9aa0b350d1d5e68cf2c041ffbc85f544a041dd153d407abd2db4

    • SHA512

      91ebd89588caa0fc9a7bc43cfc06f48b021e4054002701619ee8a76cd407d503100c8ef9e1809120b9970c154a0f74992c393e7f5955058f5889e0a82249c8ad

    • suricata: ET MALWARE Windows TaskList Microsoft Windows DOS prompt command exit OUTBOUND

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
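The signatures above are each a class of command a .bat dropper issues through cmd.exe: net.exe for the privilege change, reg.exe for the Task Manager policy and the Run key, netsh for the firewall, a registry query for the country code, and tasklist for the process listing the Suricata rule saw leaving the host. As an added example (not the sample's own commands and not sandbox code), the block below runs one regular-expression rule per signature over a set of process command lines. The command lines are constructed to illustrate each category, not copied from the sample; the registry locations assumed are the standard ones (DisableTaskMgr under ...\Policies\System, Run under ...\CurrentVersion\Run, the country code under Control Panel\International\Geo), and the value name and path in the Run-key line are placeholders.

```python
"""Match process command lines against the behaviours listed in the report.

Added example; not the sample's commands and not sandbox code.  SAMPLE_EVENTS
are CONSTRUCTED (pid, parent image, command line) records that illustrate each
signature category.  Assumed registry locations: DisableTaskMgr under
...\\CurrentVersion\\Policies\\System, autostart under ...\\CurrentVersion\\Run,
country code under Control Panel\\International\\Geo.
"""
import re

# One rule per report signature.  Case-insensitive; tolerates net/net1 and an
# optional .exe suffix, as cmd.exe accepts either.
RULES = {
    "Grants admin privileges":
        re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+.*\s/add\b", re.I),
    "Disables Task Manager via registry modification":
        re.compile(r"\breg(?:\.exe)?\s+add\b.*\bDisableTaskMgr\b.*\s/d\s+1\b", re.I),
    "Modifies Windows Firewall":
        re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall|firewall)\s+set\b", re.I),
    "Adds Run key to start application":
        re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I),
    "Checks computer location settings":
        re.compile(r"\breg(?:\.exe)?\s+query\b.*\\International\\Geo\b", re.I),
    "Process Discovery (T1057)":
        re.compile(r"(?:^|\\|\s)tasklist(?:\.exe)?\b", re.I),
}

# The four signatures that together give this report's ransomware profile.
CORE = (
    "Grants admin privileges",
    "Disables Task Manager via registry modification",
    "Modifies Windows Firewall",
    "Adds Run key to start application",
)

# Constructed records: (pid, parent image, command line).  Not from the sample.
SAMPLE_EVENTS = [
    (1001, "cmd.exe", "net localgroup administrators Admin /add"),
    (1002, "cmd.exe", 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"'
                      " /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    (1003, "cmd.exe", "netsh advfirewall set allprofiles state off"),
    (1004, "cmd.exe", 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"'
                      ' /v Placeholder /t REG_SZ /d "C:\\Users\\Admin\\placeholder.bat" /f'),
    (1005, "cmd.exe", 'reg query "HKCU\\Control Panel\\International\\Geo" /v Nation'),
    (1006, "cmd.exe", "tasklist"),
    (2001, "explorer.exe", "notepad.exe C:\\Users\\Admin\\notes.txt"),  # benign
    (2002, "cmd.exe", "net user"),                                       # no rule
]


def scan(events):
    """Return (pid, parent, signature name) for every rule that fires on an event."""
    hits = []
    for pid, parent, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((pid, parent, name))
    return hits


def triage(events):
    """Summarise a process log: which behaviours were seen and whether the
    combination matches the report's profile (all four CORE signatures)."""
    seen = sorted({name for _, _, name in scan(events)})
    return {
        "behaviours": seen,
        "matches_report_profile": all(name in seen for name in CORE),
    }


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
    print(triage(SAMPLE_EVENTS))
```

Requiring all four core signatures before calling it a match keeps a lone `netsh advfirewall set` from an administrator's script out of the alert; a real deployment would read the events from Sysmon EventID 1 or an EDR process log rather than the constructed list.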

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic, technique (ID), number of matching signatures:

Execution

    • Command-Line Interface (T1059): 1

Persistence

    • Account Manipulation (T1098): 1
    • Modify Existing Service (T1031): 1
    • Registry Run Keys / Startup Folder (T1060): 1
    • Hidden Files and Directories (T1158): 1

Defense Evasion

    • Modify Registry (T1112): 1
    • Hidden Files and Directories (T1158): 1

Discovery

    • Query Registry (T1012): 3
    • System Information Discovery (T1082): 5
    • Peripheral Device Discovery (T1120): 1
    • Process Discovery (T1057): 1
Tasks