80c5e8f13d838fd509ddb0eaa4daf63c8d09b4d34556794cbcaec20875210208

Analysis

max time kernel
4s
max time network
15s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 15:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Ransom.Win32.LCrypt0rX.A/LCrypt0rX with shutdown.vbs
Size

21KB
MD5

ccfb22a0d55543947874bc9b607c7843
SHA1

b956bda2cb1484dd81a858a20b6f352738b7520a
SHA256

709f205ac793546c11dab288eebec677f14b61c1e290ba48c8694e199c55ec42
SHA512

987888a30fdd10957c00c0cf34197ff9e261dc364251a778e758248a298782555b071b1a9ac693d253ae91a3ee72c2bb4114a9462fc3fe9e574752eaa9b82a06
SSDEEP

384:tegbplStxYHQHSH7l+icj1F2Z2vXQayXwA+9xQ+E6z:b2T2hJ+Em

Score

10^/10

defense_evasion evasion execution impact persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	3020	wscript.exe
10	3020	wscript.exe

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wins32BugFix = "C:\\Windows\\System32\\wins32bugfix.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransom.Win32.LCrypt0rX.A\\LCrypt0rX with shutdown.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamthedoom = "C:\\Windows\\System32\\iamthedoom.bat"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpamScript = "C:\\Windows\\System32\\haha.vbs"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\iamthedoom.bat	wscript.exe
File opened for modification	C:\Windows\System32\iamthedoom.bat	wscript.exe
File created	C:\Windows\System32\haha.vbs	wscript.exe
File opened for modification	C:\Windows\System32\haha.vbs	wscript.exe
File created	C:\Windows\System32\wins32bugfix.vbs	wscript.exe
File opened for modification	C:\Windows\System32\wins32bugfix.vbs	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\gcrybground.png"	wscript.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2324	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4040	taskkill.exe
5460	taskkill.exe
540	taskkill.exe
3308	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\MACHINE\Control Panel\Mouse	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop	wscript.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1980	notepad.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5016	mspaint.exe
5016	mspaint.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeBackupPrivilege	2408	vssvc.exe
Token: SeRestorePrivilege	2408	vssvc.exe
Token: SeAuditPrivilege	2408	vssvc.exe
Token: SeDebugPrivilege	3308	taskkill.exe
Token: SeDebugPrivilege	4040	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5016	mspaint.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4496 wrote to memory of 3020	4496	WScript.exe	84
PID 4496 wrote to memory of 3020	4496	WScript.exe	84
PID 3020 wrote to memory of 2660	3020	wscript.exe	85
PID 3020 wrote to memory of 2660	3020	wscript.exe	85
PID 2660 wrote to memory of 2324	2660	cmd.exe	87
PID 2660 wrote to memory of 2324	2660	cmd.exe	87
PID 3020 wrote to memory of 1980	3020	wscript.exe	90
PID 3020 wrote to memory of 1980	3020	wscript.exe	90
PID 3020 wrote to memory of 3120	3020	wscript.exe	95
PID 3020 wrote to memory of 3120	3020	wscript.exe	95
PID 3020 wrote to memory of 3572	3020	wscript.exe	96
PID 3020 wrote to memory of 3572	3020	wscript.exe	96
PID 3020 wrote to memory of 3396	3020	wscript.exe	98
PID 3020 wrote to memory of 3396	3020	wscript.exe	98
PID 3020 wrote to memory of 3624	3020	wscript.exe	99
PID 3020 wrote to memory of 3624	3020	wscript.exe	99
PID 3020 wrote to memory of 3308	3020	wscript.exe	100
PID 3020 wrote to memory of 3308	3020	wscript.exe	100
PID 3572 wrote to memory of 5016	3572	cmd.exe	102
PID 3572 wrote to memory of 5016	3572	cmd.exe	102
PID 3396 wrote to memory of 4188	3396	wscript.exe	103
PID 3396 wrote to memory of 4188	3396	wscript.exe	103
PID 3624 wrote to memory of 4040	3624	wscript.exe	104
PID 3624 wrote to memory of 4040	3624	wscript.exe	104
PID 4188 wrote to memory of 5240	4188	wscript.exe	108
PID 4188 wrote to memory of 5240	4188	wscript.exe	108

System policy modification 1 TTPs 15 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX with shutdown.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4496
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Ransom.Win32.LCrypt0rX.A\LCrypt0rX with shutdown.vbs" /elevated
  2⤵
  - UAC bypass
  - Blocklisted process makes network request
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3020
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2324
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1980
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\iamthedoom.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\system32\mspaint.exe
      mspaint
      4⤵
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      PID:5648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd49d246f8,0x7ffd49d24708,0x7ffd49d24718
        5⤵
        
        PID:5888
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4188
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        5⤵
        
        PID:5240
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        6⤵
        
        PID:5440
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        7⤵
        
        PID:5656
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        8⤵
        
        PID:6128
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\wins32bugfix.vbs
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4040
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:5460
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:540
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" /r /t 0
    3⤵
    PID:5664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5256

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ca055 /state1:0x41c64e6d
1⤵
PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\Desktop\READMEPLEASE.txt

Filesize
263B

MD5
3ef0278e79a3b141585b0eb66d965dcd

SHA1
2c5a34b067b368adcb8daad4b6ead6c4a1a2ef26

SHA256
defe7e5a9ae1aa925ca79cc6f7b1c56368bcf21b48668e1161449ed96bb6774a

SHA512
b21fcb3dfc37680fe6669818505101fff46a0848a5406e5e94c5dbe4c6031bb47cfe4763d21fa8d966c8e09e8e5050c4e35bc1f0cfdedcb6cb63bec9db34221c

Download Submit
C:\Windows\System32\haha.vbs

Filesize
1KB

MD5
f2a256e463d8b95880579574a96ed06e

SHA1
0148ad8f4a38a303fc58ff7bf543b9fd2da6cdad

SHA256
d8c9882db9ff81f39e227378a1476d27075b8aa63e3c7ac31ab79b35a1f63915

SHA512
3ac57af6f83ad83d63689c1f9868829cf83220d98b278da267ba4c8398fa541afff38416e1a947aff74963099fdf75c275cb302f3cea120eddd5afc6b9a8b5a1

Download Submit
C:\Windows\System32\iamthedoom.bat

Filesize
431B

MD5
7f577772568e8e2166472cfc8576f2a5

SHA1
19f00b639e0456bc990c2506d4e9d516f57a56c3

SHA256
de6bdd7e830e1df26ded7aee443e494869390dd08f2f14de277c4eb56699f640

SHA512
31f06800905fa4031d00c28a003059afa385dcaa4cff606a7805cbada80fdae2ad5518f5939d9a31c9a51dd9a0ea0af1cdb0b9e292d324023dcfbf227d7e47a9

Download Submit
C:\Windows\System32\wins32bugfix.vbs

Filesize
496B

MD5
e2d836beba8f0d92022fc8c07d42f684

SHA1
ca8904c7281ff138afbbb2690862a54ebdbd53e7

SHA256
2581cbeb3f35d83a6f90ed208a1f3ac8e59efbbeafbaab11c9d2b66c2333e1a3

SHA512
ead612bde359a4d0d7b305f8aeaee4d46595c8cbfbfecd0ff76c7dbc1b0156e2a6d5df76787c2c07134df1d4d0122f2b61a51b3287c026ec1e202228f0248ad7

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads