7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f

General

Target

cylance_ransomware_Windows-sample.exe.bin.exe
Size

151KB
MD5

31ed39e13ae9da7fa610f85b56838dde
SHA1

ff602997ce7bdd695a282bd373daf57bea7a051f
SHA256

7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f
SHA512

199d70b70636555fbe753e83662cc672b5b06428050229856e9912488037cb4dae34a0766c3fcc560afd8fb07a4dcb5cfd8435a0fe3db86484a7929218cab5ee
SSDEEP

3072:lAMP+TYgJWo6QD6ivAFvvYknplbZVaX6TEQZwRNfysqdoTPwum3n:OZNMnQFvM/lbbHTFZw/fLm3n

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cylance_ransomware_Windows-sample.exe.bin.exe

description	ioc	process
File opened (read-only)	\??\J:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\M:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\P:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\W:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\X:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\B:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\E:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\H:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\R:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\Z:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\Y:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\D:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\G:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\L:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\N:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\Q:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\V:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\S:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\T:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\U:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\A:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\F:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\I:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\K:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\O:	cylance_ransomware_Windows-sample.exe.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

cylance_ransomware_Windows-sample.exe.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\WMPDMCCore.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\WMPDMCCore.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmplayer.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\To_Do_List.jtp	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\7-Zip\Lang\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\Windows Mail\fr-FR\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmpnssci.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\verisign.bmp	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\WMPDMC.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\DVD Maker\it-IT\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\jnwdui.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\WMPSideShowGadget.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.bmp	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\Microsoft Games\Mahjong\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\Windows Defender\en-US\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\Sidebar.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files (x86)\Microsoft.NET\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\Windows Media Player\ja-JP\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\PDIALOG.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmplayer.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\InitializeCompare.tif.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\Accessible.tlb.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\Microsoft Games\Purble Place\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\Microsoft Games\Solitaire\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\UnregisterFormat.3gpp.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\PhotoAcq.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

572 schtasks.exe

pid	process
572	schtasks.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

cylance_ransomware_Windows-sample.exe.bin.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2020	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeRestorePrivilege	2020	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeBackupPrivilege	2020	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeTakeOwnershipPrivilege	2020	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeAuditPrivilege	2020	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeSecurityPrivilege	2020	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeIncBasePriorityPrivilege	2020	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeBackupPrivilege	1804	vssvc.exe
Token: SeRestorePrivilege	1804	vssvc.exe
Token: SeAuditPrivilege	1804	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cylance_ransomware_Windows-sample.exe.bin.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 576	2020	cylance_ransomware_Windows-sample.exe.bin.exe	cmd.exe
PID 2020 wrote to memory of 576	2020	cylance_ransomware_Windows-sample.exe.bin.exe	cmd.exe
PID 2020 wrote to memory of 576	2020	cylance_ransomware_Windows-sample.exe.bin.exe	cmd.exe
PID 2020 wrote to memory of 576	2020	cylance_ransomware_Windows-sample.exe.bin.exe	cmd.exe
PID 576 wrote to memory of 572	576	cmd.exe	schtasks.exe
PID 576 wrote to memory of 572	576	cmd.exe	schtasks.exe
PID 576 wrote to memory of 572	576	cmd.exe	schtasks.exe
PID 576 wrote to memory of 572	576	cmd.exe	schtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe" /F
3⤵
- Creates scheduled task(s)
PID:572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\CYLANCE_README.txt
Filesize
1KB

MD5
29f5cd37815c27a48a1ac0f7aa106c7d

SHA1
eb03d56e438adb0ed8c21e6a8befe3a1af26d571

SHA256
10d4cb1b571df00c5d13cf50635118d29847980d8a7d56518bf12e74495ecf7b

SHA512
169ff36b6b1e96b5ab1ec3d2f67268bc6486775676a933c3d338c21e2318fb011ed74b98c7252222d525a298cadb6997ba3207c9113560c4473697a4018f3f7f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads