Overview
overview: 10
Static
static: 3
LCRYPT0R/L...D).vbs
windows7-x64: 9
LCRYPT0R/L...D).vbs
windows11-21h2-x64: 1
LCRYPT0R/L...rX.vbs
windows7-x64: 9
LCRYPT0R/L...rX.vbs
windows11-21h2-x64: 9
other malw...0r.exe
windows7-x64: 10
other malw...0r.exe
windows11-21h2-x64: 10
other malw...rm.vbs
windows7-x64: 1
other malw...rm.vbs
windows11-21h2-x64: 1
sig.vbs
windows7-x64: 1
sig.vbs
windows11-21h2-x64: 1

General
Target: LCrypt0rX.zip
Size: 3.4MB
Sample: 241018-h6a6fsthlc
MD5: a13f2d8f3cf73940208a68e39740b092
SHA1: cc786c0d721c97bcc9485ef503ea0fedbfda17ad
SHA256: 8c05d0cfd8963829f2a1a637cb373e8dd4b97effd129b28230899deb38abf48d
SHA512: b4f0c9854bc69aad2e8ab03830b9332e40d5ccb78ff2d6091d5553ecac866840cd475cff814999afe8ab7bbd4ea2ed6693e4691ce0ff9d6c3149959f28c9ff7e
SSDEEP: 49152:f5j60usEz1v8aMA0qULsIoYrVFBPOS+skFADvk+2Q+7UoUzig/A0jx5fMq+yXN8f:fEa+VNUhlOS+FF7+2PwaAA0VlMnydg

Static task: static1

Behavioral task: behavioral1
Sample: LCRYPT0R/LCRYPT (OBFUSCATED).vbs
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: LCRYPT0R/LCRYPT (OBFUSCATED).vbs
Resource: win11-20241007-en

Behavioral task: behavioral3
Sample: LCRYPT0R/LCrypt0rX.vbs
Resource: win7-20240903-en

Behavioral task: behavioral4
Sample: LCRYPT0R/LCrypt0rX.vbs
Resource: win11-20241007-en

Behavioral task: behavioral5
Sample: other malware cuz why not/[email protected]
Resource: win7-20240903-en

Behavioral task: behavioral6
Sample: other malware cuz why not/[email protected]
Resource: win11-20241007-en

Behavioral task: behavioral7
Sample: other malware cuz why not/loveletterworm.vbs
Resource: win7-20240708-en

Behavioral task: behavioral8
Sample: other malware cuz why not/loveletterworm.vbs
Resource: win11-20241007-en

Behavioral task: behavioral9
Sample: sig.vbs
Resource: win7-20240729-en

Behavioral task: behavioral10
Sample: sig.vbs
Resource: win11-20241007-en

Malware Config
Extracted
C:\Users\Admin\Documents\@[email protected]
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Extracted
C:\Users\Admin\AppData\Local\Temp\other malware cuz why not\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Targets

Target: LCRYPT0R/LCRYPT (OBFUSCATED).vbs
Size: 351KB
MD5: 554d10e242175ad3112fc2677dc95c4a
SHA1: ba8491b8fb87b15ca35024b8b487d2dfd73f3ccb
SHA256: 28ab9fa728f47d11280f4ee2821aa345263c5cb87c018fbb4ccab7067c2910e7
SHA512: a0fcd0fae14e0c1da837a6756196941e2e99301b148078f1ddc65fd763a1cf74db80c008aa1fbb8fa902663399f1ad30d14947be746ec68e67714878c4163b8b
SSDEEP: 1536:obL+meOFR500HvU4PoBjy71p4YoBC+IFsCNaJEzgLsbWcU4XQPsSwq+RuUjKsbUc:djE4Q7YnqIJ/7rxsbhCZCY2h
Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
Blocklisted process makes network request
Disables RegEdit via registry modification
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Sets desktop wallpaper using registry

Target: LCRYPT0R/LCrypt0rX.vbs
Size: 13KB
MD5: 96b15893f986ff2359e84558f7f1f6b4
SHA1: 899c3499a8b94778ef2d81d8bf4aba60bcc79b69
SHA256: 035c90d98ca6c9bb1b9033092bdaa6d6ae71140adeef2cf22234f29c98e8ef3f
SHA512: 159b129eb61f7a426d30c1a095056e9f04f3fe8eb34df86e83b7c32ad20fcd936877b524f8509115b1f461e6238c8eebed43b133421ec216a00084e89e45171a
SSDEEP: 384:xbplStxYHQHSH7l+ii3qF2ZNvLyyB8dstnH8KlasrC+:XM22r
Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
Blocklisted process makes network request
Disables RegEdit via registry modification
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Sets desktop wallpaper using registry

Target: other malware cuz why not/[email protected]
Size: 3.4MB
MD5: 84c82835a5d21bbcf75a61706d8ab549
SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP: 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Adds Run key to start application
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Sets desktop wallpaper using registry

Target: other malware cuz why not/loveletterworm.vbs
Size: 10KB
MD5: d94e46e40f5663dd698dad3369f1f782
SHA1: 9c511b8ddf0c2c9ce9c32d92cdf60c1e3d1c8abf
SHA256: bc39d64a797497d2e0e6cd498f7b84c6fa2464cc7dc29114ef9af438089c5f25
SHA512: 07e6f98ba6374f68886f9f642598744b91954a76e1b23fdb9ece89835b596d9bde68c96eedf5f2bbbad3d53b84b7d1dd231ebb9e8d9757996d2779b4c802bd02
SSDEEP: 192:brjZcrmlHV31G7sMBMLMLMiMhM5MmMhMrMXM57Mksc/021wqIVCPsz87sGdOVRJS:brjOi1V31GoIGWFqAHqi407/sX/pVCdV
Score: 1/10

Target: sig.vbs
Size: 2KB
MD5: f7d0f83dcf1c7d906b9d6b937c2efa8d
SHA1: fc1fd1571bc65b6f15fec496bf0ee977f46640a7
SHA256: e24b9693b4d5434dfba8ef70d0b88f214bf1f51389b54bbb2f081a3f18f3518b
SHA512: 5c66f79a097a1617bbc1cbff25f14bf7e74a225dc00698a71b15bf743e4ffbe55c3169a5d622e3b03617746554ef9e44f6e54162de62657e0bf1455581e9f8bf
Score: 1/10

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
Defense Evasion
  Direct Volume Access: 1
  File and Directory Permissions Modification: 2
    Windows File and Directory Permissions Modification: 1
  Hide Artifacts: 1
    Hidden Files and Directories: 1
  Indicator Removal: 2
    File Deletion: 2
  Modify Registry: 6
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 1
    Credentials In Files: 1