4e33391000cf4732b82569f2ff0196e3cfee10a67b7dcaf52070ac7e2f79826e

General

Target

winnt32.exe
Size

441KB
MD5

bc0b5052b957c3bedff6bb3cb6e0d646
SHA1

593a2d83afdf8377207af4b1b20573a2aa83b7bf
SHA256

4e33391000cf4732b82569f2ff0196e3cfee10a67b7dcaf52070ac7e2f79826e
SHA512

fc7ea750aa4b886b01aaa41dfacc69ea6082913965af0dff68cdbf4430b79aa584d057369680d3e7ee5f0cb41cd16d50ef6418bcf5ec5adf4c7fb2d7acb6ac20

Score

10^/10

evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\LCRY_README.txt

Ransom Note

YOU ARE NOW VICTIM OF LCRY RANSOMWARE! YOUR FILES ARE ENCRYPTED USING A STRONG ALGORITHM! YOU HAVE NO WAY TO DECRYPT YOUR FILES UNLESS YOU PURCHASE A KEY! DON'T WORRY!THE KEY IS EASY TO PURCHASE IF YOU FOLLOW THE INSTRUCTIONS! 1.REGISTER AN EMAIL ACCOUNT. 2.CONTACT [email protected]! 3.GIVE OUT YOUR MACHINE ID IN [SYSTEMDRIVE]\LCRY_MACHINEID.ID. 4.PURCHASE THE KEY AND REMEMBER IT. 5.OPEN [SYSTEMDRIVE]\LCRY_DECRYPTOR.EXE OR THE EXE OF LCRY RANSOMWARE YOU JUST OPENED. 6.ENTER THE KEY. 7.WAIT FOR YOUR FILES TO BE DECRYPTED. PLEASE FOLLOW THE INSTRUCTIONS OR YOU MUST SAY GOODBYE TO YOUR FILES!

Emails

[email protected]

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\LCRY_DECRYPTOR.exe"	winnt32.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Executes dropped EXE 4 IoCs

pid	Process
916	winnt32.exe
2388	winnt32.exe
2368	LCRY_DECRYPTOR.exe
3928	winnt32.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConvertToRepair.crw => C:\Users\Admin\Pictures\ConvertToRepair.crw.KGOD.LCRY	winnt32.exe
File renamed	C:\Users\Admin\Pictures\RequestSelect.png => C:\Users\Admin\Pictures\RequestSelect.png.BMDL.LCRY	winnt32.exe
File renamed	C:\Users\Admin\Pictures\StepRename.tif => C:\Users\Admin\Pictures\StepRename.tif.HGLW.LCRY	winnt32.exe
File renamed	C:\Users\Admin\Pictures\UnblockClear.tif => C:\Users\Admin\Pictures\UnblockClear.tif.VSRW.LCRY	winnt32.exe
File opened for modification	C:\Users\Admin\Pictures\LimitEdit.tiff	winnt32.exe
File renamed	C:\Users\Admin\Pictures\LimitEdit.tiff => C:\Users\Admin\Pictures\LimitEdit.tiff.CGRT.LCRY	winnt32.exe
File renamed	C:\Users\Admin\Pictures\ResizeConfirm.tif => C:\Users\Admin\Pictures\ResizeConfirm.tif.XKPG.LCRY	winnt32.exe
File renamed	C:\Users\Admin\Pictures\SelectRevoke.tif => C:\Users\Admin\Pictures\SelectRevoke.tif.ACNU.LCRY	winnt32.exe
File renamed	C:\Users\Admin\Pictures\StepResolve.crw => C:\Users\Admin\Pictures\StepResolve.crw.ANLN.LCRY	winnt32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000000689-116.dat	upx
behavioral2/files/0x0008000000000689-115.dat	upx
behavioral2/files/0x0008000000000689-120.dat	upx
behavioral2/files/0x000100000001ab73-124.dat	upx
behavioral2/files/0x000100000001ab73-123.dat	upx
behavioral2/files/0x0008000000000689-126.dat	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsCheck = "C:\\LCRY_DECRYPTOR.exe"	winnt32.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winnt32.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Public\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	winnt32.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	winnt32.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	winnt32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\winnt32.exe	winnt32.exe
File opened for modification	C:\Windows\system32\winnt32.exe	winnt32.exe
File created	C:\Windows\system32\winnt32.exe	LCRY_DECRYPTOR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	winnt32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3820	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2388	winnt32.exe
2388	winnt32.exe
2388	winnt32.exe
2388	winnt32.exe
3928	winnt32.exe
3928	winnt32.exe
3928	winnt32.exe
3928	winnt32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
916	winnt32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3928	winnt32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 916	3056	winnt32.exe	72
PID 3056 wrote to memory of 916	3056	winnt32.exe	72
PID 916 wrote to memory of 3820	916	winnt32.exe	82
PID 916 wrote to memory of 3820	916	winnt32.exe	82
PID 916 wrote to memory of 2388	916	winnt32.exe	83
PID 916 wrote to memory of 2388	916	winnt32.exe	83
PID 2368 wrote to memory of 3928	2368	LCRY_DECRYPTOR.exe	85
PID 2368 wrote to memory of 3928	2368	LCRY_DECRYPTOR.exe	85

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winnt32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winnt32.exe

C:\Users\Admin\AppData\Local\Temp\winnt32.exe
"C:\Users\Admin\AppData\Local\Temp\winnt32.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\system32\winnt32.exe
  "C:\Windows\system32\winnt32.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies extensions of user files
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:916
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\LCRY_README.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3820
- - C:\Windows\system32\winnt32.exe
    "C:\Windows\system32\winnt32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2388

C:\LCRY_DECRYPTOR.exe
C:\LCRY_DECRYPTOR.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\winnt32.exe
  "C:\Windows\system32\winnt32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3928