General

  • Target

    LCrypt0rX.zip

  • Size

    3.4MB

  • Sample

    241019-h79emstfrf

  • MD5

    6de83dbc46dc4727c0d0bca96a58dc08

  • SHA1

    32c2d4ba4481feb63b9ffe462580d5f8ef8a9c7d

  • SHA256

    becd2c45fe7bf8eedc702223d6be3484b2c2bc38277ecba16c74e18ab2572846

  • SHA512

    d863dc494026ccc5f524e71fcc5e494fdf6eb1ef75d58a33a25f3b63ec526c2840b193b0a3c895fd88f185635db347d8f2bd25d0bcb8c6b0b345fabd4afef5aa

  • SSDEEP

    98304:8enlgpfEEiHDmEuFXtcmkHpvACxt7JUxp2L/fOU3:fK+EYmMdJYQlUz0Hf

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\other malware cuz why not\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
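
The two extracted configs above differ only in the wallet, and the wallet is the one field in the note worth pivoting on. The following is an added example, not part of this report or of the sample: it pulls candidate Bitcoin addresses out of the note text and keeps only those that pass the Base58Check checksum, so a transcription error in an IOC list or a look-alike string in the note is rejected rather than blocklisted. The note text embedded here is the first note from this page trimmed to the paragraph carrying the wallet; the regex and the version-byte check are standard legacy-address rules, not something taken from the sample.

```python
import hashlib
import re

# The first ransom note extracted on this page, trimmed to the paragraph that carries the wallet.
RANSOM_NOTE = (
    "Q: What do I do? A: First, you need to pay service fees for the decryption. "
    "Please send $300 worth of bitcoin to this bitcoin address: "
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file "
    'named "@WanaDecryptor@.exe". It is the decrypt software.'
)

# Both wallets listed under "Wallets" on this page.
PAGE_WALLETS = {
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn",
    "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Shape of a legacy (Base58Check) address: version char '1' or '3', then 25-34 Base58 characters
# (no 0, O, I, l). This is only a candidate filter; the checksum below decides.
ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(text: str) -> bytes:
    """Decode Base58; each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # raises ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(addr: str) -> bool:
    """Base58Check: version byte + 20-byte hash + first 4 bytes of double SHA-256 as checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # 0x00 = P2PKH ('1...'), 0x05 = P2SH ('3...')
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_wallets(note: str) -> list:
    """Checksum-valid addresses found in a ransom note, first-seen order, no duplicates."""
    seen, found = set(), []
    for cand in ADDRESS_RE.findall(note):
        if cand not in seen and is_valid_legacy_address(cand):
            seen.add(cand)
            found.append(cand)
    return found


def verify_page_wallets() -> dict:
    """Checksum status of every wallet this page lists."""
    return {w: is_valid_legacy_address(w) for w in sorted(PAGE_WALLETS)}


if __name__ == "__main__":
    print(extract_wallets(RANSOM_NOTE))
    print(verify_page_wallets())
```

Run it against the full text of each `@Please_Read_Me@`-style note a sandbox extracts; a wallet that fails the checksum is either a copy error or deliberate bait and should not go into a blocklist as-is.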

Targets

    • Target

      LCRYPT0R/LCRYPT (OBFUSCATED).vbs

    • Size

      316KB

    • MD5

      daf48d77c531efa2b179e53a17086dc1

    • SHA1

      6e837e58e743de1447ca611cbf6e394d359d95fb

    • SHA256

      3daeb5848ba4858a229b75b4665d9b252696d279370052b26874cef9cfda392d

    • SHA512

      c85ec82fc10a640a1c6e35a27efe31a18d31233816229dcd66f316f4a753953e7e513ee7b0bae60a20955049cafb0a0f2b2cfdff40ff93027d26933809e55e02

    • SSDEEP

      1536:K6qtptGo6yDiDtd30UJCIMuaDZo89dVI826pPy+n+gg83jm+8foEQft7Dt9I2cIN:Kl2BAhlo8j/AJc7H7zuebfR

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      LCRYPT0R/LCrypt0rX.vbs

    • Size

      12KB

    • MD5

      a3932d2bfc2b9d66ba5da7cd39f7cd84

    • SHA1

      a508af3ec896559b5cc102917e3345996792726b

    • SHA256

      63498826e04670e88ea0ddaf76e27b0f6afedb778e298147c29676dee3ce92fd

    • SHA512

      95dfb60f4d6b16cefa4c3a20e47c94034a17a0b44479527679ca3ae514e5dda08defd49bb6c13d85f12c1820bfc681409a7eacb29ed33c59df293d8e57db251a

    • SSDEEP

      384:BobplStxYHQHSH7l+ii3qF2ZNvLyyB8dstnH+7Me:EM22M

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Blocklisted process makes network request

    • Disables RegEdit via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      other malware cuz why not/[email protected]

    • Size

      3.4MB

    • MD5

      84c82835a5d21bbcf75a61706d8ab549

    • SHA1

      5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

    • SHA256

      ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

    • SHA512

      90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

    • SSDEEP

      98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Sets desktop wallpaper using registry

    • Target

      other malware cuz why not/loveletterworm.vbs

    • Size

      10KB

    • MD5

      d94e46e40f5663dd698dad3369f1f782

    • SHA1

      9c511b8ddf0c2c9ce9c32d92cdf60c1e3d1c8abf

    • SHA256

      bc39d64a797497d2e0e6cd498f7b84c6fa2464cc7dc29114ef9af438089c5f25

    • SHA512

      07e6f98ba6374f68886f9f642598744b91954a76e1b23fdb9ece89835b596d9bde68c96eedf5f2bbbad3d53b84b7d1dd231ebb9e8d9757996d2779b4c802bd02

    • SSDEEP

      192:brjZcrmlHV31G7sMBMLMLMiMhM5MmMhMrMXM57Mksc/021wqIVCPsz87sGdOVRJS:brjOi1V31GoIGWFqAHqi407/sX/pVCdV

    Score
    1/10
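
The behaviour signatures listed for the VBS targets above (shadow-copy deletion, DisableRegistryTools, a Run key, a wallpaper change, a location lookup) are what a sandbox raises from API and registry activity. The following is an added example, not part of this report: the same behaviours expressed as process-command-line detections, run over constructed sample lines in the style of Sysmon Event ID 1 or Security 4688. The ATT&CK technique ids are my mapping, not something the page states, and the registry paths are the standard locations for each setting (the `Control Panel\International\Geo` key is my assumption of what "Checks computer location settings" reads).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    signature: str      # behaviour name as it appears in the report above
    technique: str      # ATT&CK technique id; my mapping, not taken from the page
    pattern: re.Pattern


RULES = [
    Rule("Deletes shadow copies", "T1490",
         re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows"
                    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                    r"|wbadmin(\.exe)?\s+delete\s+catalog)\b", re.I)),
    Rule("Disables RegEdit via registry modification", "T1112",
         re.compile(r"Policies\\System\b.*\bDisableRegistryTools\b", re.I)),
    Rule("Adds Run key to start application", "T1547.001",
         re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I)),
    Rule("Sets desktop wallpaper using registry", "T1491.001",
         re.compile(r"Control Panel\\Desktop\b.*\bWallpaper\b", re.I)),
    Rule("Checks computer location settings", "T1614",
         re.compile(r"Control Panel\\International\\Geo\b", re.I)),  # assumed key
]

# Constructed command lines standing in for process-creation telemetry; not from the sample.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet',
    r'C:\Windows\System32\wbem\wmic.exe shadowcopy delete',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\payload.vbs" /f',
    r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\Documents\wall.bmp" /f',
    r'reg query "HKCU\Control Panel\International\Geo" /v Nation',
]
BENIGN_COMMAND_LINES = [
    r'C:\Windows\System32\notepad.exe C:\Users\Admin\Documents\notes.txt',
    r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName',
]


def match_line(command_line: str) -> list:
    """Rules whose pattern fires on a single command line."""
    return [rule for rule in RULES if rule.pattern.search(command_line)]


def scan(command_lines) -> dict:
    """Map each triggered signature to the command lines that triggered it."""
    hits = {}
    for line in command_lines:
        for rule in match_line(line):
            hits.setdefault(rule.signature, []).append(line)
    return hits


def triage_verdict(hits: dict) -> str:
    """Coarse verdict: recovery inhibition plus persistence or defence evasion reads as ransomware-like."""
    recovery = "Deletes shadow copies" in hits
    persistence_or_evasion = any(sig in hits for sig in (
        "Adds Run key to start application",
        "Disables RegEdit via registry modification",
    ))
    if recovery and persistence_or_evasion:
        return "ransomware-like"
    if hits:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = scan(SAMPLE_COMMAND_LINES)
    for rule in RULES:
        print(f"{rule.technique:10} {rule.signature}: {len(found.get(rule.signature, []))} hit(s)")
    print("verdict:", triage_verdict(found))
```

Command-line matching only sees what goes through `cmd.exe`, `reg.exe` or `vssadmin.exe`; a VBScript can write the same values through `WScript.Shell.RegWrite` with no reg.exe process at all, so pair these rules with registry-event telemetry (Sysmon Event ID 13 on the same key paths) rather than relying on process creation alone.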

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
Score
9/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
Score
9/10

behavioral5

defense_evasion, discovery, evasion, execution, impact, persistence, ransomware
Score
9/10

behavioral6

defense_evasion, evasion, execution, impact, persistence, ransomware
Score
9/10

behavioral7

wannacry, defense_evasion, discovery, execution, impact, persistence, ransomware, spyware, stealer, worm
Score
10/10

behavioral8

wannacry, defense_evasion, discovery, execution, impact, persistence, ransomware, spyware, stealer, worm
Score
10/10

behavioral9

wannacry, defense_evasion, discovery, execution, impact, persistence, ransomware, spyware, stealer, worm
Score
10/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10