Analysis

  • max time kernel
    108s
  • max time network
    143s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    19-10-2024 07:23

General

  • Target

    LCRYPT0R/LCrypt0rX.vbs

  • Size

    12KB

  • MD5

    a3932d2bfc2b9d66ba5da7cd39f7cd84

  • SHA1

    a508af3ec896559b5cc102917e3345996792726b

  • SHA256

    63498826e04670e88ea0ddaf76e27b0f6afedb778e298147c29676dee3ce92fd

  • SHA512

    95dfb60f4d6b16cefa4c3a20e47c94034a17a0b44479527679ca3ae514e5dda08defd49bb6c13d85f12c1820bfc681409a7eacb29ed33c59df293d8e57db251a

  • SSDEEP

    384:BobplStxYHQHSH7l+ii3qF2ZNvLyyB8dstnH+7Me:EM22M

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Blocklisted process makes network request 2 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Opens file in notepad (likely ransom note) 12 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • System policy modification 1 TTPs 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LCRYPT0R\LCrypt0rX.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\LCRYPT0R\LCrypt0rX.vbs" /elevated
      2⤵
      • Blocklisted process makes network request
      • Disables RegEdit via registry modification
      • Adds Run key to start application
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1680
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4804
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" USER32.DLL,SwapMouseButton
        3⤵
        PID:1224
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2120
      • C:\Windows\System32\RUNDLL32.EXE
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:976
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" user32.dll,BlockInput True
        3⤵
        PID:2480
      • C:\Windows\System32\rundll32.exe
        "C:\Windows\System32\rundll32.exe" user32.dll,BlockInput True
        3⤵
        PID:248
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\iamthedoom.bat" "
        3⤵
        PID:1692
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1364
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ConnectSkip.wdp.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3800
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ConnectUnregister.pot.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4220
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\CopySkip.sys.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3148
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\desktop.ini.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2976
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DisableInstall.xltm.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1000
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DisableSwitch.htm.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:572
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DisableSwitch.jpeg.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2768
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DisconnectPublish.docx.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:4864
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\DisconnectSet.rm.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:5020
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\LimitWatch.mov.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2144
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\LockEnter.jpg.lcryx
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:2788
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Microsoft Edge.lnk.lcryx
        3⤵
        PID:5000
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3508

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\ConnectSkip.wdp.lcryx
    Filesize
    441KB
    MD5
    f754e8128f7b67ddf68d10d85f83fa07
    SHA1
    b66b51ca614f1b28260420eb447cff8ff3fb3300
    SHA256
    a62a947fdd813f1d25c2899f708229b5de2dad6b0aa29a1a62fce8bc1c6fc5de
    SHA512
    8197750b52a846ba588d7c09b84bb520e6b3f2e38b4a25c849092f4add7fba29e2607edbe2f30159992a4c1dae692a1db03549913efaed95a01b5b2441d3f616

  • C:\Users\Admin\Desktop\ConnectUnregister.pot.lcryx
    Filesize
    487KB
    MD5
    cfd20b3f27999428986eeca66e02bf72
    SHA1
    cab86029b1720568c08f5fd62f324f77902390f8
    SHA256
    5e56163ff1bbd422f3ce91ec4ee302d94daf0c92d8fafc2d93d1dcad2ab4d974
    SHA512
    c4809d5d58f856c17281056c5d79395b4a36d5545458c2eb51399de936664faec19e7a010f0f928896e187c4a3077cc4e498120710b2c999eeb7e2216cffaca0

  • C:\Users\Admin\Desktop\CopySkip.sys.lcryx
    Filesize
    418KB
    MD5
    3b2e5c9a4a48e6b3c62281bc0c22402f
    SHA1
    f1bd72b6b116d1b38e9bf23829d52a32518d9f32
    SHA256
    5ecddc82c4077cd64335deeadb69354a72cbe7682e33520dd7505f32ebab4072
    SHA512
    0f3ec57059ffb0978afdfb54ce750dfada9c8ac4b41f70b5e444d70e52f16cf780e13105cb94f9cc03e8faaca34dcb733fd6d058828870b7c6f3dd9f9948ad70

  • C:\Users\Admin\Desktop\DisableInstall.xltm.lcryx
    Filesize
    394KB
    MD5
    d25c5f4d5317277896019c9b35bfd461
    SHA1
    7f0a7dd596d285817c1fcddf8f98c4c36ab73095
    SHA256
    b4d2a6d16aced98f7b226f994e3f3459af6af26abff6fbec4ca82e80c63bdd54
    SHA512
    c2f8865b31227fac36be959bc764eb949cc711c961265056f3eafba98197a2efff7127f12b97091c38b672f268048d0cf6f4401caf79e20013a33938118c3fa9

  • C:\Users\Admin\Desktop\DisableSwitch.htm.lcryx
    Filesize
    232KB
    MD5
    db0f8bdf5a57671b5f7f5b463dada94d
    SHA1
    631716a9f3f503e0aa4dc6786e72a74f0e8d9ffe
    SHA256
    a1e37ae3dc39f8b51f8126d325ec9d6f3fa5bde1c4aad94060faa2e98acfc600
    SHA512
    fd2498d6b84806801c75d2d6bfb2fb57bd4a496331ada170f380e4c13b32221b5d4a6129fa85a88490f0102b25f2e1425c07f21e8706b0e66d85c30a9b77bfe9

  • C:\Users\Admin\Desktop\DisableSwitch.jpeg.lcryx
    Filesize
    510KB
    MD5
    9123a34d109e1d8e59ea7e7739274d3e
    SHA1
    6b45d9530f4c27d377144fa21cf18db8fec49bf2
    SHA256
    81e30624f5ad65108f005867b1dca6085ed198f39b2e0b0d81f4ae6f7bad08f2
    SHA512
    3eadef5a434e9047923ef9b7c6f5cca43196c450c897724c0a4d4f025b61dc2dc9a04d6b776c152d6a38535d18db2384da459c92082333a3fd2f3c35e676831e

  • C:\Users\Admin\Desktop\DisconnectPublish.docx.lcryx
    Filesize
    20KB
    MD5
    1554d7fb799b5dd0015989fb4b9da8cf
    SHA1
    1e64fef66ba16b64b51031a73bc3b5c3b37db3ba
    SHA256
    4f153238e31f594ce89ec40bf44592dd5361c03ae0f2f979949f58ed46ce7627
    SHA512
    3ae0ccf1fce37947a46d68745b64c0f8978fe854d9763d5d8283f97ef543543f6c45ea3375e444a2223350ded60d10fba47d2af3aeed30e7780779850a14d035

  • C:\Users\Admin\Desktop\DisconnectSet.rm.lcryx
    Filesize
    348KB
    MD5
    0e681a0ed52f9f7f593540a3bec92cf1
    SHA1
    fc25765fe49c425f33a264ef86fcaa9aef6241c7
    SHA256
    9926e60321150c1b2d04026b20af6960bfd381c13ed7da19268096f5f98a7b12
    SHA512
    28d287ecac3ecf19f03d365d51275bff74f1fb57181859609de5aa1f03c71d7200a6e4b57e00a3af733e3a0b2bbf23a3e70f2bc9049b2e3942e56aeef2c64cb0

  • C:\Users\Admin\Desktop\LimitWatch.mov.lcryx
    Filesize
    255KB
    MD5
    f1bdba04df640b74f7c147c54c6e6f26
    SHA1
    992228b15f3a1971cfa3aa390f6dbfd226ebf901
    SHA256
    03ae86628f520e82346b0def5f27dacbaaea2a83583266f44ce7ea69825ee796
    SHA512
    97b330f64c698be07b0a5412c06ed4f9ac8b77a584d562c3e401bb979f43ca2645d8df300e4b5bf0cace6c499317eab93c025a999780cde80c3a4c39a9cc85cf

  • C:\Users\Admin\Desktop\LockEnter.jpg.lcryx
    Filesize
    580KB
    MD5
    e33993dcad1ca93096682d49af3116c7
    SHA1
    4743c33077deb638d45151bcd1a43521ca370c01
    SHA256
    b50d5f88a8d7ed870890efe96957a85814f1a80f65194f4105f18a79c2332828
    SHA512
    9ec191c3fdb3e7a4d615bbffdddfd1f0e676212c5003d1143b464e78da30638427bda76901d41abf6a5b0dd22f3e6d3a60f0ce23dd5ee017b4449f9a3c1dbebb

  • C:\Users\Admin\Desktop\Microsoft Edge.lnk.lcryx
    Filesize
    2KB
    MD5
    890c723174b715b02903738632f27186
    SHA1
    da42cb516c900fa46eb2f37d8fb25cf6e045c7fc
    SHA256
    b219e5d2b47631493af61b93fcc4342a2dfd9ec9196cd5029b20d4a234d247e6
    SHA512
    d4135059da63b57ddc92900fd1143ee2006f1495ddb6122ecc6790369ec96af811f5ba6612198b5d32024cbacbd49bb5736a7cbb4f447fd1985743310e4402d5

  • C:\Users\Admin\Desktop\READMEPLEASE.txt
    Filesize
    95B
    MD5
    316cdf8bc3bae069158a2b5ce6e6584b
    SHA1
    1fb87b0babb134777c858a5a0ca2b61257be7b88
    SHA256
    5185b861b4c7d2c74ec334178a1f9eb6bae84bfaefc11ef9f1aa88ca1d1ef211
    SHA512
    48e69c5958b7dce18dbcf0330aae01be09b8db685d5e080e24d88a4ae91f8cede980b19522b81d5a7c82cd70dd51a60c3d971d5775c7ef8fd5cefccd65520080

  • C:\Users\Admin\Desktop\desktop.ini.lcryx
    Filesize
    286B
    MD5
    8f49d1bd5969ae6b036d645b302b92a0
    SHA1
    f0f2e93cfe56be9aaa048fdee59f78bf09153e9a
    SHA256
    a17613ff3aca1b52c0f7af7970873fe31755f2353b8c920e153aa4394828d322
    SHA512
    64346a0d9d1197b5d60f4daa748125ab6d134604e5f4ea578efa6ec94e27a85eabc54e8dac2fff1f1f802fea6cab1ca395e5ba1f6e42b678ceb64e78570a7868

  • C:\Windows\System32\iamthedoom.bat
    Filesize
    320B
    MD5
    87b38705d72cc16189ca8043e1e7cdd7
    SHA1
    a7caa6d14276714b95eb394dc3be1a6fb479590c
    SHA256
    7306e8aef5accfe4f7b3796d2c16f1f88b2650e65ee9a9736554fd335f2875af
    SHA512
    48a7a2a1370973e141931f375254b645884f9467b59f7b0babb821f12382368350a6d4925af2da74221f0420f0ccb5a6133412536d6a5a3c32c8f7d527218294