File name:	lc.exe
Full analysis:	https://app.any.run/tasks/9447fa62-f24f-4270-a195-5ad095701601
Verdict:	Malicious activity
Analysis date:	July 12, 2024, 06:23:01
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	netreactor
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	7924C0F21738FAB05F61102C0CAF3DA2
SHA1:	09E6FD5797381EEB9EC60D5214F2932154636247
SHA256:	9B29F5A1F0B6C270C90B343F4C6D0E0843201D687068DC5273CBF5074083609F
SSDEEP:	3072:sRuz2/auIDD6u4AFHNbJFoUZXzUCpM69/KImQi/6ebW6kTgwj3:FC/auMkAFtbJ9zUCpM69/KImQi/6ebl

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

AssemblyVersion:	0.0.0.0
ProductVersion:	0.0.0.0
ProductName:	-
OriginalFileName:	lc.exe
LegalTrademarks:	-
LegalCopyright:	-
InternalName:	lc.exe
FileVersion:	0.0.0.0
FileDescription:	-
CompanyName:	-
Comments:	-
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x003f
ProductVersionNumber:	0.0.0.0
FileVersionNumber:	0.0.0.0
Subsystem:	Windows GUI
SubsystemVersion:	4
ImageVersion:	-
OSVersion:	4
EntryPoint:	0x2e72e
UninitializedDataSize:	-
InitializedDataSize:	2048
CodeSize:	182272
LinkerVersion:	80
PEType:	PE32
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware, 32-bit
TimeStamp:	2022:12:02 14:42:19+00:00
MachineType:	Intel 386 or later, and compatibles


(PID) Process:	(452) lc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	WindowsInstaller
Value: "C:\Users\admin\Desktop\lc.exe" -startup
(PID) Process:	(452) lc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	MSEdgeUpdateX
Value: "C:\Users\admin\Desktop\lc.exe"
(PID) Process:	(452) lc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	System3264Wow
Value: "C:\Users\admin\Desktop\lc.exe" --init
(PID) Process:	(452) lc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	OneDrive10293
Value: "C:\Users\admin\Desktop\lc.exe" /setup
(PID) Process:	(452) lc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	WINDOWS
Value: "C:\Users\admin\Desktop\lc.exe" --wininit
(PID) Process:	(452) lc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	Shell
Value: "C:\Users\admin\Desktop\lc.exe"
(PID) Process:	(452) lc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Operation:	write	Name:	a
Value: YOU ARE HACKED!\1
(PID) Process:	(452) lc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Operation:	write	Name:	b
Value: HAHAHAHAHAHAHA\1
(PID) Process:	(452) lc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Operation:	write	Name:	c
Value: winlocker.ru\1
(PID) Process:	(452) lc.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Operation:	write	Name:	MRUList
Value: abc

PID	Process	Filename		Type
2272	cmd.exe	C:\Users\admin\Documents\info-0v92.txt		text
		MD5:9E72F7DEF34B5123DB17BB695B93C6F3	SHA256:937493F186EA9FD938E1ED53874869FE917C3AF78C3C72A1530E2E29541C2B98
2860	cmd.exe	C:\Users\admin\info-0v92.txt		text
		MD5:9E72F7DEF34B5123DB17BB695B93C6F3	SHA256:937493F186EA9FD938E1ED53874869FE917C3AF78C3C72A1530E2E29541C2B98
5096	cmd.exe	C:\Users\admin\Desktop\info-0v92.txt		text
		MD5:9E72F7DEF34B5123DB17BB695B93C6F3	SHA256:937493F186EA9FD938E1ED53874869FE917C3AF78C3C72A1530E2E29541C2B98
452	lc.exe	C:\Users\admin\AppData\Local\Temp\$unlocker_id.ux-cryptobytes		text
		MD5:99244073E9931D740C19F2BB0E5F3889	SHA256:9512E6F8351B8BDFAA8441D65F547835C8616B03866CF9A45F5944C711886455
3908	cmd.exe	C:\Users\admin\Downloads\info-0v92.txt		text
		MD5:9E72F7DEF34B5123DB17BB695B93C6F3	SHA256:937493F186EA9FD938E1ED53874869FE917C3AF78C3C72A1530E2E29541C2B98

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3776	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
3776	RUXIMICS.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
2052	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
4392	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
4392	svchost.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
—	—	POST	200	20.52.64.200:443	https://self.events.data.microsoft.com/OneCollector/1.0/	unknown	binary	9 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
4392	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	239.255.255.250:1900	—	—	—	whitelisted
3776	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2052	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	104.126.37.160:443	—	Akamai International B.V.	DE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4392	svchost.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
3776	RUXIMICS.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
2052	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	unknown
3776	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146 20.73.194.208	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.72	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
self.events.data.microsoft.com	20.52.64.200	whitelisted

General Info

lc.exe

7924C0F21738FAB05F61102C0CAF3DA2

09E6FD5797381EEB9EC60D5214F2932154636247

9B29F5A1F0B6C270C90B343F4C6D0E0843201D687068DC5273CBF5074083609F

3072:sRuz2/auIDD6u4AFHNbJFoUZXzUCpM69/KImQi/6ebW6kTgwj3:FC/auMkAFtbJ9zUCpM69/KImQi/6ebl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

Changes the login/logoff helper path in the registry

SUSPICIOUS

Starts CMD.EXE for commands execution

Uses TASKKILL.EXE to kill process

Likely accesses (executes) a file from the Public directory

Uses ATTRIB.EXE to modify file attributes

INFO

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

Create files in a temporary directory

.NET Reactor protector has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings