Analysis

  • max time kernel: 138s
  • max time network: 97s
  • platform: windows10_x64
  • resource: win10v200722
  • submitted: 09/10/2020, 11:15

General

  • Target

    osno-crypted.bin.exe

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Modifies extensions of user files (3 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Program crash (1 IoCs)
  • Enumerates processes with tasklist (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (17 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of WriteProcessMemory (29 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\osno-crypted.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\osno-crypted.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Modifies extensions of user files
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3716
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:4060
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          PID:2736
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          PID:3964
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\3873d8888a3836bc92341667cb978e5e\e490a4874391a1e4ab67cdcda1604a77\processes.txt"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3152
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FO TABLE
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1960
      • C:\Users\Admin\Desktop\Osno Decryptor.exe
        "C:\Users\Admin\Desktop\Osno Decryptor.exe"
        3⤵
        • Executes dropped EXE
        PID:3800
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1128
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4040

Network

MITRE ATT&CK Enterprise v6

Downloads

  Memory dump                                                      Filesize
  memory/2096-1-0x0000000000610000-0x0000000000611000-memory.dmp   4KB
  memory/2096-3-0x0000000004F50000-0x0000000004F51000-memory.dmp   4KB
  memory/2096-4-0x00000000029B0000-0x00000000029BC000-memory.dmp   48KB
  memory/2096-5-0x00000000051A0000-0x00000000052E1000-memory.dmp   1.3MB
  memory/2096-0-0x0000000073380000-0x0000000073A6E000-memory.dmp   6.9MB
  memory/3524-11-0x0000000005BF0000-0x0000000005BF1000-memory.dmp  4KB
  memory/3524-6-0x0000000000400000-0x00000000004D6000-memory.dmp   856KB
  memory/3524-8-0x0000000073380000-0x0000000073A6E000-memory.dmp   6.9MB
  memory/3524-18-0x00000000063A0000-0x00000000063A1000-memory.dmp  4KB
  memory/3524-13-0x0000000005D10000-0x0000000005D11000-memory.dmp  4KB
  memory/3524-12-0x0000000005C20000-0x0000000005C21000-memory.dmp  4KB
  memory/3524-21-0x0000000006940000-0x0000000006941000-memory.dmp  4KB
  memory/3800-27-0x0000000073380000-0x0000000073A6E000-memory.dmp  6.9MB
  memory/3800-28-0x0000000000630000-0x0000000000631000-memory.dmp  4KB
  memory/3800-32-0x0000000004EA0000-0x0000000004EA1000-memory.dmp  4KB
  memory/4040-33-0x00000000045D0000-0x00000000045D1000-memory.dmp  4KB
  memory/4040-40-0x0000000004D10000-0x0000000004D11000-memory.dmp  4KB