General

  • Target

    winnt32.exe

  • Size

    441KB

  • Sample

    210826-gbhbecdts2

  • MD5

    bc0b5052b957c3bedff6bb3cb6e0d646

  • SHA1

    593a2d83afdf8377207af4b1b20573a2aa83b7bf

  • SHA256

    4e33391000cf4732b82569f2ff0196e3cfee10a67b7dcaf52070ac7e2f79826e

  • SHA512

    fc7ea750aa4b886b01aaa41dfacc69ea6082913965af0dff68cdbf4430b79aa584d057369680d3e7ee5f0cb41cd16d50ef6418bcf5ec5adf4c7fb2d7acb6ac20

Malware Config

Extracted

Path

C:\LCRY_README.txt

Ransom Note
YOU ARE NOW VICTIM OF LCRY RANSOMWARE! YOUR FILES ARE ENCRYPTED USING A STRONG ALGORITHM! YOU HAVE NO WAY TO DECRYPT YOUR FILES UNLESS YOU PURCHASE A KEY! DON'T WORRY! THE KEY IS EASY TO PURCHASE IF YOU FOLLOW THE INSTRUCTIONS! 1.REGISTER AN EMAIL ACCOUNT. 2.CONTACT [email protected]! 3.GIVE OUT YOUR MACHINE ID IN [SYSTEMDRIVE]\LCRY_MACHINEID.ID. 4.PURCHASE THE KEY AND REMEMBER IT. 5.OPEN [SYSTEMDRIVE]\LCRY_DECRYPTOR.EXE OR THE EXE OF LCRY RANSOMWARE YOU JUST OPENED. 6.ENTER THE KEY. 7.WAIT FOR YOUR FILES TO BE DECRYPTED. PLEASE FOLLOW THE INSTRUCTIONS OR YOU MUST SAY GOODBYE TO YOUR FILES!

Targets

    • Modifies WinLogon for persistence

    • UAC bypass

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks