7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f

General

Target

cylance_ransomware_Windows-sample.exe.bin.exe
Size

151KB
MD5

31ed39e13ae9da7fa610f85b56838dde
SHA1

ff602997ce7bdd695a282bd373daf57bea7a051f
SHA256

7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f
SHA512

199d70b70636555fbe753e83662cc672b5b06428050229856e9912488037cb4dae34a0766c3fcc560afd8fb07a4dcb5cfd8435a0fe3db86484a7929218cab5ee
SSDEEP

3072:lAMP+TYgJWo6QD6ivAFvvYknplbZVaX6TEQZwRNfysqdoTPwum3n:OZNMnQFvM/lbbHTFZw/fLm3n

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cylance_ransomware_Windows-sample.exe.bin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	cylance_ransomware_Windows-sample.exe.bin.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cylance_ransomware_Windows-sample.exe.bin.exe

description	ioc	process
File opened (read-only)	\??\I:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\U:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\V:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\W:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\B:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\E:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\F:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\M:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\T:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\Y:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\Z:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\A:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\G:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\L:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\H:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\X:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\D:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\O:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\P:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\Q:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\R:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\S:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\J:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\K:	cylance_ransomware_Windows-sample.exe.bin.exe
File opened (read-only)	\??\N:	cylance_ransomware_Windows-sample.exe.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

cylance_ransomware_Windows-sample.exe.bin.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files (x86)\Microsoft.NET\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\processing.slk	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\WinRTUtils.winmd	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe.config	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxManifest.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\Windows Defender\de-DE\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal_CustomCapability.sccd	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\Microsoft Office 15\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.Cursors.winmd	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Generic.xaml	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\SmallLogo.png	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\cancelled.slk	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxManifest.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\7-Zip\Lang\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\SLERROR.XML	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\done_listening.slk	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\Java\jre1.8.0_66\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\resources.pri	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\logo.png	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio_Model_CX.winmd	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\7-Zip\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.Cylance	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	cylance_ransomware_Windows-sample.exe.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	cylance_ransomware_Windows-sample.exe.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\CYLANCE_README.txt	cylance_ransomware_Windows-sample.exe.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1612 schtasks.exe

pid	process
1612	schtasks.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

cylance_ransomware_Windows-sample.exe.bin.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2188	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeRestorePrivilege	2188	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeBackupPrivilege	2188	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeTakeOwnershipPrivilege	2188	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeAuditPrivilege	2188	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeSecurityPrivilege	2188	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeIncBasePriorityPrivilege	2188	cylance_ransomware_Windows-sample.exe.bin.exe
Token: SeBackupPrivilege	4964	vssvc.exe
Token: SeRestorePrivilege	4964	vssvc.exe
Token: SeAuditPrivilege	4964	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cylance_ransomware_Windows-sample.exe.bin.execmd.exe

description	pid	process	target process
PID 2188 wrote to memory of 3456	2188	cylance_ransomware_Windows-sample.exe.bin.exe	cmd.exe
PID 2188 wrote to memory of 3456	2188	cylance_ransomware_Windows-sample.exe.bin.exe	cmd.exe
PID 2188 wrote to memory of 3456	2188	cylance_ransomware_Windows-sample.exe.bin.exe	cmd.exe
PID 3456 wrote to memory of 1612	3456	cmd.exe	schtasks.exe
PID 3456 wrote to memory of 1612	3456	cmd.exe	schtasks.exe
PID 3456 wrote to memory of 1612	3456	cmd.exe	schtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe" /F
3⤵
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\CYLANCE_README.txt
Filesize
1KB

MD5
e7755142780934677f475cc1a364b48f

SHA1
8e3cf11dba721ae4e3176aaf54d4e3da4405cfb1

SHA256
f77a83cd053dd5fb8abb66a644e8bbb8b08ad3caa1f63bf97a29c80a27a3f6ed

SHA512
084cb42fc9607b6be0c7c7dba129886778de9d3b876b7dabd6705b5f802e1e8a8fbb91aac97d231687c6ed12bc4dbe926e783cc8e77bdc1bb636263dd7b064da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads