Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

openme.exe

windows7_x64

10

openme.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    27/02/2021, 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    openme.exe

  • Size

    372KB

  • MD5

    e3b3e285390c0e2f7d04bd040bec790d

  • SHA1

    dbee71535e9f1fb23b3f01e25989d22d51237e68

  • SHA256

    21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6

  • SHA512

    6156a6b0ff4f41c823cba68a4596676e357ceb5b8c0848c2828a72321dbc2a731d9ae8f1a417fe27aef7de0080001ad3f77b3809b64a93c610ae99f95b35f5be

Score
10/10
lockylocky_osirisransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\openme.exe
    "C:\Users\Admin\AppData\Local\Temp\openme.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:324
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\openme.exe"
      2⤵
        PID:1600
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:432

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/324-2-0x00000000766C1000-0x00000000766C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/324-4-0x00000000030E0000-0x00000000030E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/324-3-0x00000000030F0000-0x0000000003117000-memory.dmp

      Filesize

      156KB

      Download

    • memory/324-138-0x0000000002030000-0x0000000002034000-memory.dmp

      Filesize

      16KB

      Download

    • memory/432-134-0x0000000000120000-0x0000000000122000-memory.dmp

      Filesize

      8KB

      Download

    • memory/432-139-0x0000000000220000-0x0000000000221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1668-131-0x000007FEF7D30000-0x000007FEF7FAA000-memory.dmp

      Filesize

      2.5MB

      Download