Trojan.Win64.LOCKBIT.YACE2

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan adds the following processes:

• %System%\mstsc.exe {Command Line of the Parent Process} --pt={Malware File Path}\{Malware File Name}.dll --cg=%System%\config.ini --we={Parent Process Path}
• %System%\cmd.exe /c ping 127.0.0.1 -n 3 && del /f /q %System%\rundll32.exe
• %System%\cmd.exe /c ping 127.0.0.1 -n 3 && del /f /q {Malware File Path}\{Malware File Name}.dll

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 90A6C383-C154-2AF6-D2C5-A816C2002671 → if the parameter --nomutex=1 is not used

It injects codes into the following process(es):

• %System%\mstsc.exe → injected with the decrypted config.ini shellcode file

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Trojan deletes the following files:

• {Malware File Path}\{Malware File Name}.dll
• %System%\config.ini

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other Details

This Trojan requires the existence of the following files to properly run:

• %System%\config.ini → shellcode to be decrypted and executed

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It accepts the following parameters:

• --nomutex=1