Resubmissions

Date              Analysis ID         Score
19/05/2025 11:12  250519-na59lsfk3v   10
15/05/2025 14:49  250515-r7a2hsxjz6   10
15/05/2025 14:49  250515-r61wjsak6w   10
11/05/2025 10:44  250511-mszdcaar41   10

General

  • Target: LCrypt0rX.vbs
  • Size: 32KB
  • Sample: 250511-mszdcaar41
  • MD5: 9dcad976bf8ad5f2241f08194d332380
  • SHA1: 496bfa3ebe716d4f8206a1bb98d84cd38fa783d5
  • SHA256: d6118a0bbfd98bd76e6f953f4f36f394f57feb26b1f5684d327702bdb072ed29
  • SHA512: cc2953730143770b402924ce5d80b9aecc33dcdd75019abfbcf597c68822409bdb622d041ff66a7e1ab819a63d4bad180435c07ba5a8214ece4ed2df64e955de
  • SSDEEP: 384:tjfviu3p49gax5F9W4eHCP5SSbAhM/Q5WQ9Y3HIo3uIudUx9Iq4rDjLggFu6:Zni4218WQ+IoD5oDFu6

Malware Config

Targets

    • Target: LCrypt0rX.vbs

    • Modifies WinLogon for persistence

      Changes values under the Winlogon registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) so the payload is launched at every logon (ATT&CK T1547.004).

    • Deletes shadow copies

      Removes Volume Shadow Copies so encrypted files cannot be restored from previous versions; ransomware routinely does this to inhibit system recovery (ATT&CK T1490).

    • Blocklisted process makes network request

      A process on the sandbox's blocklist of suspicious network originators (script hosts and similar living-off-the-land binaries) made an outbound request.

    • Blocks application from running via registry modification

      Adds an executable name under the Explorer DisallowRun policy key, the list of applications Windows refuses to start for the user.

    • Deletes backup catalog

      Runs wbadmin.exe to delete the Windows Backup catalog, removing the record of existing backups so they cannot be used for recovery (ATT&CK T1490).

    • Disables RegEdit via registry modification

      Sets the DisableRegistryTools policy value so the user can no longer open the Registry Editor (ATT&CK T1562.001).

    • Disables Task Manager via registry modification

      Sets the DisableTaskMgr policy value so the user cannot open Task Manager to end the process (ATT&CK T1562.001).

    • Drops file in Drivers directory

      Writes a file under the system Drivers directory.

    • Event Triggered Execution: Image File Execution Options Injection

      Sets a Debugger value under an Image File Execution Options key, so that launching the named executable starts the attacker-chosen program instead (ATT&CK T1546.012).

    • Modifies Windows Firewall

      Changes the Windows Firewall configuration (ATT&CK T1562.004).

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution (ATT&CK T1614).

    • Adds Run key to start application

      Adds a value under a CurrentVersion\Run key so the application starts at logon (ATT&CK T1547.001).

    • Checks whether UAC is enabled

      Reads the EnableLUA registry value to discover whether User Account Control is active.

    • Command and Scripting Interpreter: PowerShell

      Launches powershell.exe (ATT&CK T1059.001).

    • Indicator Removal: Clear Persistence

      Removes Image File Execution Options registry entries (ATT&CK T1070.009).

    • Drops file in System32 directory

      Writes a file under the System32 directory.
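The behaviours in the signature list above are the kind a detection engineer encodes as host-telemetry rules. The Python below is an added example, not part of this report, of the sandbox, or of the sample: it runs a small rule table keyed to those signatures over constructed Sysmon-style events (EventID 1 process creation with a CommandLine field, EventID 13 registry value set with TargetObject and Details). The field names, the user hive path, the command lines and the registry values are all assumptions made up for the example, not telemetry from this analysis.

```python
"""Rule table for the behaviours in the signature list above, run over
constructed Sysmon-style events.  Added example: the events, hive path and
command lines are assumptions, not telemetry from this analysis."""
import re

# Assumed per-user hive path used in the constructed registry events.
USER_HIVE = r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001"

# (name, ATT&CK id, Sysmon EventID, field to match, pattern, required Details pattern or None)
RULES = [
    ("Deletes shadow copies", "T1490", 1, "CommandLine",
     r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy)", None),
    ("Deletes backup catalog", "T1490", 1, "CommandLine",
     r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", None),
    ("Disables Windows recovery", "T1490", 1, "CommandLine",
     r"bcdedit(\.exe)?.*recoveryenabled\s+no", None),
    ("Modifies Windows Firewall", "T1562.004", 1, "CommandLine",
     r"netsh(\.exe)?\s+(advfirewall|firewall)\s+set", None),
    ("Command and Scripting Interpreter: PowerShell", "T1059.001", 1, "CommandLine",
     r"powershell(\.exe)?\s.*(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|bypass)", None),
    ("Modifies WinLogon for persistence", "T1547.004", 13, "TargetObject",
     r"\\Winlogon\\(Shell|Userinit)$", None),
    ("Adds Run key to start application", "T1547.001", 13, "TargetObject",
     r"\\CurrentVersion\\Run(Once)?\\", None),
    # Value checks matter for the policy DWORDs: writing 0 is a cleanup, not an attack.
    ("Disables Task Manager via registry modification", "T1562.001", 13, "TargetObject",
     r"\\Policies\\System\\DisableTaskMgr$", r"\b(0x0*1|1)\)?$"),
    ("Disables RegEdit via registry modification", "T1562.001", 13, "TargetObject",
     r"\\Policies\\System\\DisableRegistryTools$", r"\b(0x0*1|1)\)?$"),
    ("Blocks application from running via registry modification", "T1112", 13, "TargetObject",
     r"\\Policies\\Explorer\\DisallowRun\\", None),
    ("Event Triggered Execution: Image File Execution Options Injection", "T1546.012", 13, "TargetObject",
     r"\\Image File Execution Options\\[^\\]+\\Debugger$", None),
]

# Constructed sample telemetry (not from the sandbox run): six process
# creations, six registry writes, then one benign process creation.
SAMPLE_EVENTS = [
    {"EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventID": 1, "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"EventID": 1, "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -w hidden -c "Get-Date"'},
    {"EventID": 1, "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe,wscript.exe C:\Users\Public\payload.vbs"},
    {"EventID": 13,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1",
     "Details": "taskmgr.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger",
     "Details": "svchost.exe"},
    {"EventID": 13,
     "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"wscript.exe C:\Users\Public\payload.vbs"},
    {"EventID": 1, "CommandLine": r"notepad.exe C:\Users\Public\notes.txt"},
]


def match_event(event):
    """Return [(rule name, ATT&CK id)] for every rule the event satisfies."""
    hits = []
    for name, technique, event_id, field, pattern, details_pattern in RULES:
        if event.get("EventID") != event_id:
            continue
        if not re.search(pattern, event.get(field, ""), re.IGNORECASE):
            continue
        if details_pattern and not re.search(details_pattern, event.get("Details", ""), re.IGNORECASE):
            continue
        hits.append((name, technique))
    return hits


def detect(events):
    """Return [(event index, rule name, ATT&CK id)] across a list of events."""
    return [(i, name, technique)
            for i, event in enumerate(events)
            for name, technique in match_event(event)]


def summarize(events):
    """Sorted distinct ATT&CK ids hit.  T1490 together with a persistence
    technique and a defense-impairment technique on one host is the profile
    described by the signature list above."""
    return sorted({technique for _, _, technique in detect(events)})


if __name__ == "__main__":
    for index, name, technique in detect(SAMPLE_EVENTS):
        print(f"event {index:2d}  {technique:<9}  {name}")
    print("techniques:", ", ".join(summarize(SAMPLE_EVENTS)))
```

The rules match on the same registry paths and command-line shapes the sandbox signatures describe; the Details check on the two policy DWORDs is there so that a value being reset to 0 during cleanup does not fire the "disables" rule.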

MITRE ATT&CK Enterprise v16

Tasks