Analysis
-
max time kernel
191s -
max time network
183s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
31/03/2023, 00:28
Static task
static1
Behavioral task
behavioral1
Sample
cylance_ransomware_Windows-sample.exe.bin.exe
Resource
win7-20230220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
cylance_ransomware_Windows-sample.exe.bin.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
cylance_ransomware_Windows-sample.exe.bin.exe
-
Size
151KB
-
MD5
31ed39e13ae9da7fa610f85b56838dde
-
SHA1
ff602997ce7bdd695a282bd373daf57bea7a051f
-
SHA256
7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f
-
SHA512
199d70b70636555fbe753e83662cc672b5b06428050229856e9912488037cb4dae34a0766c3fcc560afd8fb07a4dcb5cfd8435a0fe3db86484a7929218cab5ee
-
SSDEEP
3072:lAMP+TYgJWo6QD6ivAFvvYknplbZVaX6TEQZwRNfysqdoTPwum3n:OZNMnQFvM/lbbHTFZw/fLm3n
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\M: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\P: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\W: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\X: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\B: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\E: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\H: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\R: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\Z: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\Y: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\D: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\G: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\L: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\N: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\Q: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\V: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\S: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\T: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\U: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\A: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\F: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\I: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\K: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\O: cylance_ransomware_Windows-sample.exe.bin.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\el.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\sv.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\de-DE\WMPDMCCore.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\en-US\WMPDMCCore.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\en-US\wmplayer.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\Windows Media Player\Network Sharing\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Journal\Templates\To_Do_List.jtp cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\7-Zip\Lang\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\Windows Mail\fr-FR\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files (x86)\Common Files\Services\verisign.bmp cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\fr-FR\WMPDMC.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\DVD Maker\it-IT\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\en-US\WMPSideShowGadget.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.bmp cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\Microsoft Games\Mahjong\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\Windows Defender\en-US\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Sidebar\it-IT\Sidebar.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files (x86)\Internet Explorer\it-IT\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files (x86)\Microsoft.NET\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\ru.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\Windows Media Player\ja-JP\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\it-IT\wmplayer.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\InitializeCompare.tif.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\7z.sfx cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\Accessible.tlb.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\ug.txt cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\Microsoft Games\Purble Place\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\Microsoft Games\Solitaire\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\UnregisterFormat.3gpp.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\DVD Maker\soniccolorconverter.ax cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xml cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 572 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 2020 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeRestorePrivilege 2020 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeBackupPrivilege 2020 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeTakeOwnershipPrivilege 2020 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeAuditPrivilege 2020 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeSecurityPrivilege 2020 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeIncBasePriorityPrivilege 2020 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeBackupPrivilege 1804 vssvc.exe Token: SeRestorePrivilege 1804 vssvc.exe Token: SeAuditPrivilege 1804 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2020 wrote to memory of 576 2020 cylance_ransomware_Windows-sample.exe.bin.exe 29 PID 2020 wrote to memory of 576 2020 cylance_ransomware_Windows-sample.exe.bin.exe 29 PID 2020 wrote to memory of 576 2020 cylance_ransomware_Windows-sample.exe.bin.exe 29 PID 2020 wrote to memory of 576 2020 cylance_ransomware_Windows-sample.exe.bin.exe 29 PID 576 wrote to memory of 572 576 cmd.exe 31 PID 576 wrote to memory of 572 576 cmd.exe 31 PID 576 wrote to memory of 572 576 cmd.exe 31 PID 576 wrote to memory of 572 576 cmd.exe 31 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe"C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe" /F2⤵
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe" /F3⤵
- Creates scheduled task(s)
PID:572
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD529f5cd37815c27a48a1ac0f7aa106c7d
SHA1eb03d56e438adb0ed8c21e6a8befe3a1af26d571
SHA25610d4cb1b571df00c5d13cf50635118d29847980d8a7d56518bf12e74495ecf7b
SHA512169ff36b6b1e96b5ab1ec3d2f67268bc6486775676a933c3d338c21e2318fb011ed74b98c7252222d525a298cadb6997ba3207c9113560c4473697a4018f3f7f