Analysis
-
max time kernel
161s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
31/03/2023, 00:28
Static task
static1
Behavioral task
behavioral1
Sample
cylance_ransomware_Windows-sample.exe.bin.exe
Resource
win7-20230220-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
cylance_ransomware_Windows-sample.exe.bin.exe
Resource
win10v2004-20230220-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
cylance_ransomware_Windows-sample.exe.bin.exe
-
Size
151KB
-
MD5
31ed39e13ae9da7fa610f85b56838dde
-
SHA1
ff602997ce7bdd695a282bd373daf57bea7a051f
-
SHA256
7a5e813ec451cde49346d7e18aca31065846cafe52d88d08918a297196a6a49f
-
SHA512
199d70b70636555fbe753e83662cc672b5b06428050229856e9912488037cb4dae34a0766c3fcc560afd8fb07a4dcb5cfd8435a0fe3db86484a7929218cab5ee
-
SSDEEP
3072:lAMP+TYgJWo6QD6ivAFvvYknplbZVaX6TEQZwRNfysqdoTPwum3n:OZNMnQFvM/lbbHTFZw/fLm3n
Score
7/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation cylance_ransomware_Windows-sample.exe.bin.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\U: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\V: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\W: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\B: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\E: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\F: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\M: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\T: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\Y: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\Z: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\A: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\G: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\L: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\H: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\X: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\D: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\O: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\P: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\Q: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\R: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\S: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\J: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\K: cylance_ransomware_Windows-sample.exe.bin.exe File opened (read-only) \??\N: cylance_ransomware_Windows-sample.exe.bin.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\defaultagent_localized.ini cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files (x86)\Microsoft.NET\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\processing.slk cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\WinRTUtils.winmd cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe.config cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Internet Explorer\ja-JP\ieinstal.exe.mui.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\de-DE\wmpnetwk.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\AppxManifest.xml cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\Windows Defender\de-DE\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal_CustomCapability.sccd cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\Microsoft Office 15\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\de.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\sv.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.Cursors.winmd cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Generic.xaml cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxSignature.p7x cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\SmallLogo.png cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\defaultagent_localized.ini.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\cancelled.slk cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxManifest.xml cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\7-Zip\Lang\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Microsoft Office\Office16\SLERROR.XML cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\done_listening.slk cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\Java\jre1.8.0_66\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\resources.pri cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\hr.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\logo.png cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xml cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio_Model_CX.winmd cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\7-Zip\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\License.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Internet Explorer\es-ES\ieinstal.exe.mui.Cylance cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\eu.txt cylance_ransomware_Windows-sample.exe.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf cylance_ransomware_Windows-sample.exe.bin.exe File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\CYLANCE_README.txt cylance_ransomware_Windows-sample.exe.bin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1612 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 2188 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeRestorePrivilege 2188 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeBackupPrivilege 2188 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeTakeOwnershipPrivilege 2188 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeAuditPrivilege 2188 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeSecurityPrivilege 2188 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeIncBasePriorityPrivilege 2188 cylance_ransomware_Windows-sample.exe.bin.exe Token: SeBackupPrivilege 4964 vssvc.exe Token: SeRestorePrivilege 4964 vssvc.exe Token: SeAuditPrivilege 4964 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2188 wrote to memory of 3456 2188 cylance_ransomware_Windows-sample.exe.bin.exe 83 PID 2188 wrote to memory of 3456 2188 cylance_ransomware_Windows-sample.exe.bin.exe 83 PID 2188 wrote to memory of 3456 2188 cylance_ransomware_Windows-sample.exe.bin.exe 83 PID 3456 wrote to memory of 1612 3456 cmd.exe 85 PID 3456 wrote to memory of 1612 3456 cmd.exe 85 PID 3456 wrote to memory of 1612 3456 cmd.exe 85 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe"C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe"1⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe" /F2⤵
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\SysWOW64\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\cylance_ransomware_Windows-sample.exe.bin.exe" /F3⤵
- Creates scheduled task(s)
PID:1612
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4964
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e7755142780934677f475cc1a364b48f
SHA18e3cf11dba721ae4e3176aaf54d4e3da4405cfb1
SHA256f77a83cd053dd5fb8abb66a644e8bbb8b08ad3caa1f63bf97a29c80a27a3f6ed
SHA512084cb42fc9607b6be0c7c7dba129886778de9d3b876b7dabd6705b5f802e1e8a8fbb91aac97d231687c6ed12bc4dbe926e783cc8e77bdc1bb636263dd7b064da