Analysis

  • max time kernel
    437s
  • max time network
    438s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/07/2024, 22:40

General

  • Target

    lc.exe

  • Size

    180KB

  • MD5

    7924c0f21738fab05f61102c0caf3da2

  • SHA1

    09e6fd5797381eeb9ec60d5214f2932154636247

  • SHA256

    9b29f5a1f0b6c270c90b343f4c6d0e0843201d687068dc5273cbf5074083609f

  • SHA512

    cdb47c2d516cc448ffadb4cbb1a3574d1f04a00bad5e127343faa73da9be2b72e1d2e4337c7991655a5865a322636c4ba88a7f0b46f7a964de9e77d4796d0936

  • SSDEEP

    3072:Ei65pVpgqCILIFgUhhPUHNl1xIhzUCpM69/KImQi/6ebW6kTg8Obk:itR6fhhPU+zUCpM69/KImQi/6ebl

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Adds Run key to start application 2 TTPs 13 IoCs
  • Drops desktop.ini file(s) 12 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 12 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lc.exe
    "C:\Users\Admin\AppData\Local\Temp\lc.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c F: & attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:4972
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-0v92.txt
        3⤵
        • Views/modifies file attributes
        PID:1256
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2592
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-0v92.txt
        3⤵
        • Views/modifies file attributes
        PID:4612
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1712
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-0v92.txt
        3⤵
        • Views/modifies file attributes
        PID:1988
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:3116
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-0v92.txt
        3⤵
        • Views/modifies file attributes
        PID:1816
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:4200
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-0v92.txt
        3⤵
        • Views/modifies file attributes
        PID:4656
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the CryptoBytes hacker group! Telegram for contact: @yes_u_are_hacked 1>info-0v92.txt & attrib -h +s +r info-0v92.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:1664
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-0v92.txt
        3⤵
        • Views/modifies file attributes
        PID:3520
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill.exe /im Explorer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4420
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c F: & attrib -h -s -r -i /D & del info-0v92.txt /q /s & attrib +h +s -r desktop.ini
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\system32\attrib.exe
        attrib -h -s -r -i /D
        3⤵
        • Views/modifies file attributes
        PID:3636
      • C:\Windows\system32\attrib.exe
        attrib +h +s -r desktop.ini
        3⤵
        • Views/modifies file attributes
        PID:1168
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\desktop"&attrib -h -s -r -i /D & del info-0v92.txt /q /s & attrib +h +s -r desktop.ini
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\system32\attrib.exe
        attrib -h -s -r -i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:3616
      • C:\Windows\system32\attrib.exe
        attrib +h +s -r desktop.ini
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1936
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib -h -s -r -i /D & del info-0v92.txt /q /s & attrib +h +s -r desktop.ini
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\system32\attrib.exe
        attrib -h -s -r -i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:3172
      • C:\Windows\system32\attrib.exe
        attrib +h +s -r desktop.ini
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:3568
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\downloads"&attrib -h -s -r -i /D & del info-0v92.txt /q /s & attrib +h +s -r desktop.ini
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Windows\system32\attrib.exe
        attrib -h -s -r -i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2120
      • C:\Windows\system32\attrib.exe
        attrib +h +s -r desktop.ini
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:4972
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\documents"&attrib -h -s -r -i /D & del info-0v92.txt /q /s & attrib +h +s -r desktop.ini
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3900
      • C:\Windows\system32\attrib.exe
        attrib -h -s -r -i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1500
      • C:\Windows\system32\attrib.exe
        attrib +h +s -r desktop.ini
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:4368
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%"&attrib -h -s -r -i /D & del info-0v92.txt /q /s & attrib +h +s -r desktop.ini
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\system32\attrib.exe
        attrib -h -s -r -i /D
        3⤵
        • Views/modifies file attributes
        PID:2660
      • C:\Windows\system32\attrib.exe
        attrib +h +s -r desktop.ini
        3⤵
        • Views/modifies file attributes
        PID:4796

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\Documents\info-0v92.txt

          Filesize

          116B

          MD5

          647cac7d7eb872a562ea76b3301a6c41

          SHA1

          229e9a64c538db226e7cb6fa1f7748d1b7c78e96

          SHA256

          4c35cd5723076358fe178683c7e14fd4a099bfb7471b65a48f2edd22e682612e

          SHA512

          45bcfbf1a758af4c0863c9c5925ba1e5ca4184bb15146ca9201619d1c79332ef06d76224c0ab976f6f966e39b652f8ca3fd2561a2c419c5004aa622e04fe5c22

        • memory/1324-0-0x00007FFB6EE23000-0x00007FFB6EE25000-memory.dmp

          Filesize

          8KB

        • memory/1324-1-0x0000000000480000-0x00000000004B4000-memory.dmp

          Filesize

          208KB

        • memory/1324-2-0x00007FFB6EE20000-0x00007FFB6F8E1000-memory.dmp

          Filesize

          10.8MB

        • memory/1324-18-0x00007FFB6EE23000-0x00007FFB6EE25000-memory.dmp

          Filesize

          8KB

        • memory/1324-19-0x00007FFB6EE20000-0x00007FFB6F8E1000-memory.dmp

          Filesize

          10.8MB

        • memory/1324-23-0x00007FFB6EE20000-0x00007FFB6F8E1000-memory.dmp

          Filesize

          10.8MB