Analysis

  • max time kernel
    4s
  • max time network
    15s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-10-2024 15:13

Errors

Reason
Machine shutdown (the sample itself runs "shutdown.exe /r /t 0" at the end of its process tree, so the analysis ends on reboot and anything the sample does after restart is not captured in this report)

General

  • Target

    Ransom.Win32.LCrypt0rX.A/LCrypt0rX with shutdown.vbs

  • Size

    21KB

  • MD5

    ccfb22a0d55543947874bc9b607c7843

  • SHA1

    b956bda2cb1484dd81a858a20b6f352738b7520a

  • SHA256

    709f205ac793546c11dab288eebec677f14b61c1e290ba48c8694e199c55ec42

  • SHA512

    987888a30fdd10957c00c0cf34197ff9e261dc364251a778e758248a298782555b071b1a9ac693d253ae91a3ee72c2bb4114a9462fc3fe9e574752eaa9b82a06

  • SSDEEP

    384:tegbplStxYHQHSH7l+icj1F2Z2vXQayXwA+9xQ+E6z:b2T2hJ+Em

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Blocklisted process makes network request 2 IoCs
  • Blocks application from running via registry modification 3 IoCs

    Adds application to list of disallowed applications.

  • Disables RegEdit via registry modification 1 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 4 IoCs
  • Modifies Control Panel 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX with shutdown.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX with shutdown.vbs" /elevated
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Blocks application from running via registry modification
      • Disables RegEdit via registry modification
      • Checks computer location settings
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3020
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2660
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2324
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1980
      • C:\Windows\System32\RUNDLL32.EXE
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:3120
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\iamthedoom.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3572
        • C:\Windows\system32\mspaint.exe
          mspaint
          4⤵
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:5016
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
          4⤵
          PID:5648
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd49d246f8,0x7ffd49d24708,0x7ffd49d24718
            5⤵
            PID:5888
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3396
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4188
          • C:\Windows\System32\wscript.exe
            "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
            5⤵
            PID:5240
            • C:\Windows\System32\wscript.exe
              "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
              6⤵
              PID:5440
              • C:\Windows\System32\wscript.exe
                "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
                7⤵
                PID:5656
                • C:\Windows\System32\wscript.exe
                  "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
                  8⤵
                  PID:6128
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\wins32bugfix.vbs
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3624
        • C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4040
        • C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
          4⤵
          • Kills process with taskkill
          PID:5460
        • C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
          4⤵
          • Kills process with taskkill
          PID:540
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3308
      • C:\Windows\System32\shutdown.exe
        "C:\Windows\System32\shutdown.exe" /r /t 0
        3⤵
        PID:5664
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2408
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
    PID:5256
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa38ca055 /state1:0x41c64e6d
    1⤵
    PID:5856

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: c2d9eeb3fdd75834f0ac3f9767de8d6f
    SHA1: 4d16a7e82190f8490a00008bd53d85fb92e379b0
    SHA256: 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
    SHA512: d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

  • C:\Users\Admin\Desktop\READMEPLEASE.txt
    Filesize: 263B
    MD5: 3ef0278e79a3b141585b0eb66d965dcd
    SHA1: 2c5a34b067b368adcb8daad4b6ead6c4a1a2ef26
    SHA256: defe7e5a9ae1aa925ca79cc6f7b1c56368bcf21b48668e1161449ed96bb6774a
    SHA512: b21fcb3dfc37680fe6669818505101fff46a0848a5406e5e94c5dbe4c6031bb47cfe4763d21fa8d966c8e09e8e5050c4e35bc1f0cfdedcb6cb63bec9db34221c

  • C:\Windows\System32\haha.vbs
    Filesize: 1KB
    MD5: f2a256e463d8b95880579574a96ed06e
    SHA1: 0148ad8f4a38a303fc58ff7bf543b9fd2da6cdad
    SHA256: d8c9882db9ff81f39e227378a1476d27075b8aa63e3c7ac31ab79b35a1f63915
    SHA512: 3ac57af6f83ad83d63689c1f9868829cf83220d98b278da267ba4c8398fa541afff38416e1a947aff74963099fdf75c275cb302f3cea120eddd5afc6b9a8b5a1

  • C:\Windows\System32\iamthedoom.bat
    Filesize: 431B
    MD5: 7f577772568e8e2166472cfc8576f2a5
    SHA1: 19f00b639e0456bc990c2506d4e9d516f57a56c3
    SHA256: de6bdd7e830e1df26ded7aee443e494869390dd08f2f14de277c4eb56699f640
    SHA512: 31f06800905fa4031d00c28a003059afa385dcaa4cff606a7805cbada80fdae2ad5518f5939d9a31c9a51dd9a0ea0af1cdb0b9e292d324023dcfbf227d7e47a9

  • C:\Windows\System32\wins32bugfix.vbs
    Filesize: 496B
    MD5: e2d836beba8f0d92022fc8c07d42f684
    SHA1: ca8904c7281ff138afbbb2690862a54ebdbd53e7
    SHA256: 2581cbeb3f35d83a6f90ed208a1f3ac8e59efbbeafbaab11c9d2b66c2333e1a3
    SHA512: ead612bde359a4d0d7b305f8aeaee4d46595c8cbfbfecd0ff76c7dbc1b0156e2a6d5df76787c2c07134df1d4d0122f2b61a51b3287c026ec1e202228f0248ad7
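The dropped-file hashes above, together with the sample hash from the General section, are the file IOCs a responder would sweep other hosts for. The following is an added example and not part of the sandbox report: it carries those SHA256 values as a lookup table, walks a directory tree, and reports both exact hash matches and any .vbs/.bat file sitting directly in a System32 directory (where this sample stages haha.vbs, iamthedoom.bat and wins32bugfix.vbs). The Edge Crashpad settings.dat is deliberately left out of the IOC set because it is a browser artifact rather than something the sample wrote. `demo()` builds a constructed directory with stand-in contents so the scan can run offline; the real hashes will only match the real files.

```python
"""Sweep a directory for the dropped files listed in the report above.

Added example, not part of the sandbox report. DROPPED_FILES maps each SHA256
from the report to the path it was observed at. scan() hashes every regular
file under a root and reports exact hash matches plus .vbs/.bat files placed
directly in a System32 directory. demo() runs the scan over a constructed
tree with stand-in contents (not the real files). Standard library only.
"""
import hashlib
import tempfile
from pathlib import Path

DROPPED_FILES = {
    # From the Downloads section.
    "d8c9882db9ff81f39e227378a1476d27075b8aa63e3c7ac31ab79b35a1f63915": r"C:\Windows\System32\haha.vbs",
    "de6bdd7e830e1df26ded7aee443e494869390dd08f2f14de277c4eb56699f640": r"C:\Windows\System32\iamthedoom.bat",
    "2581cbeb3f35d83a6f90ed208a1f3ac8e59efbbeafbaab11c9d2b66c2333e1a3": r"C:\Windows\System32\wins32bugfix.vbs",
    "defe7e5a9ae1aa925ca79cc6f7b1c56368bcf21b48668e1161449ed96bb6774a": r"C:\Users\Admin\Desktop\READMEPLEASE.txt",
    # The dropper itself, from the General section; path from the process tree.
    "709f205ac793546c11dab288eebec677f14b61c1e290ba48c8694e199c55ec42":
        r"C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX with shutdown.vbs",
}

SCRIPT_SUFFIXES = {".vbs", ".bat"}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, iocs=DROPPED_FILES):
    """Return a list of findings; each is a dict with name, path, sha256, reason, reported_as."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_of(p)
        if digest in iocs:
            findings.append({"name": p.name, "path": str(p), "sha256": digest,
                             "reason": "sha256_match", "reported_as": iocs[digest]})
        # Location heuristic: scripts directly in System32 are unusual and match this sample's staging.
        if p.suffix.lower() in SCRIPT_SUFFIXES and p.parent.name.lower() == "system32":
            findings.append({"name": p.name, "path": str(p), "sha256": digest,
                             "reason": "script_in_system32", "reported_as": None})
    return findings


def demo():
    """Constructed directory tree with stand-in contents; returns scan() findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        desktop = root / "Users" / "Admin" / "Desktop"
        sys32.mkdir(parents=True)
        desktop.mkdir(parents=True)
        (sys32 / "haha.vbs").write_bytes(b"' constructed stand-in, not the real script\r\n")
        (sys32 / "kernel32.dll").write_bytes(b"constructed benign filler")
        note = desktop / "READMEPLEASE.txt"
        note.write_bytes(b"constructed stand-in for the ransom note\r\n")
        # The report's hashes cannot match constructed content, so the stand-in
        # note's own hash is added to exercise the hash-match path offline.
        iocs = dict(DROPPED_FILES)
        iocs[sha256_of(note)] = r"C:\Users\Admin\Desktop\READMEPLEASE.txt"
        return scan(root, iocs)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['reason']:20s} {f['path']}  sha256={f['sha256'][:16]}...  reported_as={f['reported_as']}")
```

On a live host the hash match is the high-confidence signal; the System32 location rule is there because the sample can be trivially re-saved with a different hash, and a .vbs or .bat dropped straight into System32 by a user-launched script host is worth a look regardless of its digest.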