Overview

overview

10

Static

static

1

LCrypt0rX.vbs

windows7-x64

10

LCrypt0rX.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    LCrypt0rX.vbs

  • Size

    21KB

  • Sample

    241031-j2nfnavdlp

  • MD5

    e1f2ed36b5a3420eeb51d4b3dca147a6

  • SHA1

    f16917a4f615b931db0944f9f79f35dda59dada3

  • SHA256

    1c929430c2d1015df584d1b885c492cefab2bd46b2d90fc36d6af94950aa1543

  • SHA512

    c7ee39674ac88d3e7e412405412f4edffc9ff5e22f3181880d04e7b7746273a0eed24b8f46c57b601d7ddce39f85e682ff32d073769a920fb1ec136979f3526b

  • SSDEEP

    384:t0GbplStxYHQHSH7l+ikHVn27vXQayXwA+sxQ+E6O:LCR2YY+EF

Score
10/10
defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan

Malware Config

Targets

    • Target

      LCrypt0rX.vbs

    • Size

      21KB

    • MD5

      e1f2ed36b5a3420eeb51d4b3dca147a6

    • SHA1

      f16917a4f615b931db0944f9f79f35dda59dada3

    • SHA256

      1c929430c2d1015df584d1b885c492cefab2bd46b2d90fc36d6af94950aa1543

    • SHA512

      c7ee39674ac88d3e7e412405412f4edffc9ff5e22f3181880d04e7b7746273a0eed24b8f46c57b601d7ddce39f85e682ff32d073769a920fb1ec136979f3526b

    • SSDEEP

      384:t0GbplStxYHQHSH7l+ikHVn27vXQayXwA+sxQ+E6O:LCR2YY+EF

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables RegEdit via registry modification

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

5
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

3
T1490

Tasks