Overview

overview

10

Static

static

1

LCrypt0rX.vbs

windows7-x64

10

Resubmissions

31-10-2024 08:45

241031-kn28bsvgnj 1

31-10-2024 08:39

241031-kkgr8avgkn 1

31-10-2024 08:31

241031-ke7rfssrhx 10

31-10-2024 08:31

241031-kep7easrgs 1

31-10-2024 08:28

241031-kc6rdasrcx 10

31-10-2024 08:25

241031-kbss5asrat 10

31-10-2024 08:25

241031-kbcf5svepk 1

31-10-2024 08:22

241031-j9qkzsveln 10

31-10-2024 08:15

241031-j5n7cswlbp 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    LCrypt0rX.vbs

  • Size

    22KB

  • Sample

    241031-kc6rdasrcx

  • MD5

    f25a640ad8b8ea3b0f63ae8959c129a1

  • SHA1

    eadb43ef97823955f8b30a4e621e5422f8894afe

  • SHA256

    3b39fb55fdfa391dc03c40197b88165c18a260bf9b171a46622c9304c7c38d53

  • SHA512

    6964a4b78972d0fc0be9bebd2a3752a63b261281920f1b0bac2f9c9fb7215a268b2cb3258975f417df5e790c9c89da4f9ec8015f7e57b1cf0b58d2298249c524

  • SSDEEP

    384:t0GbplStxYHQHSH7l+i/HVn2jv1QayXwA+sxQ+E6O:LJR2iY+EF

Score
10/10
defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan

Malware Config

Targets

    • Target

      LCrypt0rX.vbs

    • Size

      22KB

    • MD5

      f25a640ad8b8ea3b0f63ae8959c129a1

    • SHA1

      eadb43ef97823955f8b30a4e621e5422f8894afe

    • SHA256

      3b39fb55fdfa391dc03c40197b88165c18a260bf9b171a46622c9304c7c38d53

    • SHA512

      6964a4b78972d0fc0be9bebd2a3752a63b261281920f1b0bac2f9c9fb7215a268b2cb3258975f417df5e790c9c89da4f9ec8015f7e57b1cf0b58d2298249c524

    • SSDEEP

      384:t0GbplStxYHQHSH7l+i/HVn2jv1QayXwA+sxQ+E6O:LJR2iY+EF

    Score
    10/10
    defense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Blocklisted process makes network request

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables RegEdit via registry modification

      evasion

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

3
T1070

File Deletion

3
T1070.004

Modify Registry

4
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3
T1490

Tasks