a04ccc459ad4dcd2cff42884c5c64f2032aad33473ba737828747b932cecb99a

Analysis

max time kernel
141s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-10-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LCRYPT0R/LCrypt0rX.vbs
Size

12KB
MD5

24cbd3ad1736fa6950e220bba381429b
SHA1

44ceaa0b8622f64ad1e1d2283c4cfcc8629be152
SHA256

719ed739717c7ac5a2bbac4187738df3ead0e38e31f4a656e976e9a5716a9af0
SHA512

fc8fb1b1d06bf331c234af985f0fe2269d2f552dbd315507bb9796bb20eec948531c08e3f385ed9a1e6a8e86001fcbad2a8a8601fb1265621d634c975ce99ab8
SSDEEP

384:HobplStxYHQHSH7l+ii3qF2ZNvLyyB8dstnH+7Me:aM22M

Score

9^/10

defense_evasion evasion execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1508	wscript.exe
3	1508	wscript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LCRYPT0R\\LCrypt0rX.vbs"	wscript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
3	drive.google.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\iamthedoom.bat	wscript.exe
File opened for modification	C:\Windows\System32\iamthedoom.bat	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\gcrybground.png"	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
464	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3532	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop	wscript.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\SwapMouseButtons = "1"	wscript.exe

Opens file in notepad (likely ransom note) 6 IoCs

ransomware

pid	Process
1320	notepad.exe
1208	notepad.exe
4564	notepad.exe
3676	notepad.exe
1220	notepad.exe
4164	notepad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	3340	vssvc.exe
Token: SeRestorePrivilege	3340	vssvc.exe
Token: SeAuditPrivilege	3340	vssvc.exe
Token: SeDebugPrivilege	3532	taskkill.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 1508	3032	WScript.exe	80
PID 3032 wrote to memory of 1508	3032	WScript.exe	80
PID 1508 wrote to memory of 132	1508	wscript.exe	81
PID 1508 wrote to memory of 132	1508	wscript.exe	81
PID 132 wrote to memory of 464	132	cmd.exe	83
PID 132 wrote to memory of 464	132	cmd.exe	83
PID 1508 wrote to memory of 4992	1508	wscript.exe	86
PID 1508 wrote to memory of 4992	1508	wscript.exe	86
PID 1508 wrote to memory of 1320	1508	wscript.exe	87
PID 1508 wrote to memory of 1320	1508	wscript.exe	87
PID 1508 wrote to memory of 1908	1508	wscript.exe	90
PID 1508 wrote to memory of 1908	1508	wscript.exe	90
PID 1508 wrote to memory of 3084	1508	wscript.exe	91
PID 1508 wrote to memory of 3084	1508	wscript.exe	91
PID 1508 wrote to memory of 5040	1508	wscript.exe	92
PID 1508 wrote to memory of 5040	1508	wscript.exe	92
PID 1508 wrote to memory of 1544	1508	wscript.exe	93
PID 1508 wrote to memory of 1544	1508	wscript.exe	93
PID 1508 wrote to memory of 3532	1508	wscript.exe	95
PID 1508 wrote to memory of 3532	1508	wscript.exe	95
PID 1508 wrote to memory of 1208	1508	wscript.exe	98
PID 1508 wrote to memory of 1208	1508	wscript.exe	98
PID 1508 wrote to memory of 4564	1508	wscript.exe	99
PID 1508 wrote to memory of 4564	1508	wscript.exe	99
PID 1508 wrote to memory of 3676	1508	wscript.exe	100
PID 1508 wrote to memory of 3676	1508	wscript.exe	100
PID 1508 wrote to memory of 1220	1508	wscript.exe	101
PID 1508 wrote to memory of 1220	1508	wscript.exe	101
PID 1508 wrote to memory of 4164	1508	wscript.exe	102
PID 1508 wrote to memory of 4164	1508	wscript.exe	102

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoChangeStartMenu = "1"	wscript.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LCRYPT0R\LCrypt0rX.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\LCRYPT0R\LCrypt0rX.vbs" /elevated
  2⤵
  - Blocklisted process makes network request
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:132
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:464
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" USER32.DLL,SwapMouseButton
    3⤵
    PID:4992
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1320
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1908
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" user32.dll,BlockInput True
    3⤵
    PID:3084
- - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" user32.dll,BlockInput True
    3⤵
    PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\iamthedoom.bat" "
    3⤵
    PID:1544
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\BackupExpand.AAC.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1208
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\BlockSend.easmx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4564
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ClearMerge.001.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3676
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\ClearRevoke.vbe.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1220
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\CompressSync.odt.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4164

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\BackupExpand.AAC.lcryx

Filesize
458KB

MD5
e5b01c0659f100230d4b635a680fc775

SHA1
a347488dc7531947adbf20aa42e7059719d9d84a

SHA256
3c228dce04c22063ee4fbfa672213fe636d5150d9e175482334391b8c5065688

SHA512
3850a5dfe07a8eb1437c58666ebe6796fec3f22951fba9134ae7c86cc9bb8ac6070b33d380ea0165a1ba41964449579e886cddc4fc3f168c7cd0203edfbec388

Download Submit
C:\Users\Admin\Desktop\BlockSend.easmx.lcryx

Filesize
311KB

MD5
928ac1a585ad1f5655a116878d1515bc

SHA1
1cfff875f0e88353855b78a8fb2612d5b319dc8c

SHA256
4daed0ec9c72d6f97d157dfdf0334e15cff30bd3bfbda9d05ce2a24072097dfd

SHA512
3fc1c8d1f2be14e89ae3f2a2b53e4057b38042d1012b2cbe5fe317224c623e7d5cd9f76d0a31eda4140b237a0ae82b8bacab77c7f4a4aaeef58596fb8a26675c

Download Submit
C:\Users\Admin\Desktop\ClearMerge.001.lcryx

Filesize
439KB

MD5
76ed746be9cdb3f5d307de3c8f250abd

SHA1
e8da2f14ad7d8b5aee7711f96eed48e4b609f734

SHA256
c7e7e2a9c289657931e390dd7241cbe7f2c666eef5ed8966d70e9a712808f8a7

SHA512
30a9c8aa38f50930920ab2f749d7e0eaa528b998d2d7b3554302a0e5df21c1902ea6f5fa0f1ecec736edbcda89f1cbd9a6ff9d89302c56fd314e7e524bcf03fb

Download Submit
C:\Users\Admin\Desktop\ClearRevoke.vbe.lcryx

Filesize
494KB

MD5
9675b4a3ea026a9a471524c8203b319d

SHA1
de18659038cf15313cf92b34df26cf5f8405bcf8

SHA256
d27d2b7cd159df458a24285a6f5125dfcee3bfdb654ae809703dc5c23efa8859

SHA512
08f7146624444d0b7e5cddebe8f0bb799b01cc2d29c210c9c98f1c5706b05ab7023570a2b12f44a64c1a39dc42f5806ea4d7e4fa79e2bcbbbd4b181ec51cd0f8

Download Submit
C:\Users\Admin\Desktop\CompressSync.odt.lcryx

Filesize
677KB

MD5
de67b5954c18a679e67f48602b91d343

SHA1
6f6196c80bb67824f5b2a19521bdd99273b1c240

SHA256
ba7c372cc7af4a605f61d846292d0caed228bc42b45fee669b2dc2b6a559b5f9

SHA512
13479b9b0dd31c7bfc4e60469feeb08c1895105063e8ec53f661086d26a6c3098840d02f03ea833f103e7f77564e6e2f9705026171121fa3d6b153f993459a99

Download Submit
C:\Users\Admin\Desktop\READMEPLEASE.txt

Filesize
95B

MD5
316cdf8bc3bae069158a2b5ce6e6584b

SHA1
1fb87b0babb134777c858a5a0ca2b61257be7b88

SHA256
5185b861b4c7d2c74ec334178a1f9eb6bae84bfaefc11ef9f1aa88ca1d1ef211

SHA512
48e69c5958b7dce18dbcf0330aae01be09b8db685d5e080e24d88a4ae91f8cede980b19522b81d5a7c82cd70dd51a60c3d971d5775c7ef8fd5cefccd65520080

Download Submit
C:\Windows\System32\iamthedoom.bat

Filesize
320B

MD5
87b38705d72cc16189ca8043e1e7cdd7

SHA1
a7caa6d14276714b95eb394dc3be1a6fb479590c

SHA256
7306e8aef5accfe4f7b3796d2c16f1f88b2650e65ee9a9736554fd335f2875af

SHA512
48a7a2a1370973e141931f375254b645884f9467b59f7b0babb821f12382368350a6d4925af2da74221f0420f0ccb5a6133412536d6a5a3c32c8f7d527218294

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads