Overview

overview

10

Static

static

lockit.exe

windows7_x64

10

lockit.exe

windows10_x64

10

Analysis

  • max time kernel
    571s
  • max time network
    362s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    16-10-2021 15:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lockit.exe

  • Size

    372KB

  • MD5

    e3b3e285390c0e2f7d04bd040bec790d

  • SHA1

    dbee71535e9f1fb23b3f01e25989d22d51237e68

  • SHA256

    21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6

  • SHA512

    6156a6b0ff4f41c823cba68a4596676e357ceb5b8c0848c2828a72321dbc2a731d9ae8f1a417fe27aef7de0080001ad3f77b3809b64a93c610ae99f95b35f5be

Score
10/10
lockylocky_osirisransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lockit.exe
    "C:\Users\Admin\AppData\Local\Temp\lockit.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1200 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2012
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\lockit.exe"
      2⤵
      • Deletes itself
      PID:1828
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IT7NH1AK.txt
    MD5

    67aef63b6d2e96e46870ae1be360b9f8

    SHA1

    86a79775ae2443cb35f5f0cf032bd093e16386d7

    SHA256

    f3da92a2cfa31f97fe062d917b93c91af3e4febc4fe4ef702fb4a4da857f61c5

    SHA512

    bd34bb914b6462ad75a144cdaad7b75c5fd228a2fe36d2d348f988e9f655b272d2859aa935d3e2d341a646bc251970c9b560b430164878273f7eea2352c6c2d0

    Download Submit
  • C:\Users\Admin\DesktopOSIRIS.bmp
    MD5

    405b97b9d7ad474a0876b38b3407b314

    SHA1

    16bf8ff015acefab81c909cc85b685ee8440b1c4

    SHA256

    dfec3ffd264a0a3d170a1b242908466e68998d93a5d47a0e7f758d59a0176582

    SHA512

    be74c9d2de18c8236b041f7e32a3e9b56e2ffa30c85d725925724c5241c374ac9610f7490c68d0ed67a12d0ee31546a5ff503fb4799cf73779ae8f2d54cee34f

    Download Submit
  • C:\Users\Admin\DesktopOSIRIS.htm
    MD5

    448fc0b2b33a8db81ebda303b547ad40

    SHA1

    f6a76f14b0badcef3346c73bcdacf4f8b191ef0e

    SHA256

    af1e88e66db49e1332c8e3806a448f2a26be86235dd4cb9917cac800d54df5ea

    SHA512

    ad09b0268204a7b421b4a64371b89e2282a73df30236aaeb234474299568603c54d73e4387896302877066678810a5311db6a13d830f7b7f4a08c0a61a93c139

    Download Submit
  • memory/1092-62-0x00000000001E0000-0x00000000001E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-64-0x00000000002A0000-0x00000000002A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1200-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1232-53-0x0000000074F81000-0x0000000074F83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1232-59-0x00000000020D0000-0x00000000020D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1232-58-0x0000000003140000-0x0000000003D8A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1232-56-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1232-54-0x0000000003140000-0x0000000003D8A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1232-55-0x00000000020D0000-0x00000000020D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1828-63-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-65-0x0000000000000000-mapping.dmp
    Download