Analysis
-
max time kernel
571s -
max time network
362s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
16-10-2021 15:18
General
-
Target
lockit.exe
-
Size
372KB
-
MD5
e3b3e285390c0e2f7d04bd040bec790d
-
SHA1
dbee71535e9f1fb23b3f01e25989d22d51237e68
-
SHA256
21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6
-
SHA512
6156a6b0ff4f41c823cba68a4596676e357ceb5b8c0848c2828a72321dbc2a731d9ae8f1a417fe27aef7de0080001ad3f77b3809b64a93c610ae99f95b35f5be
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lockit.exe"C:\Users\Admin\AppData\Local\Temp\lockit.exe"1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1200 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\lockit.exe"2⤵
- Deletes itself
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
67aef63b6d2e96e46870ae1be360b9f8
SHA186a79775ae2443cb35f5f0cf032bd093e16386d7
SHA256f3da92a2cfa31f97fe062d917b93c91af3e4febc4fe4ef702fb4a4da857f61c5
SHA512bd34bb914b6462ad75a144cdaad7b75c5fd228a2fe36d2d348f988e9f655b272d2859aa935d3e2d341a646bc251970c9b560b430164878273f7eea2352c6c2d0
-
MD5
405b97b9d7ad474a0876b38b3407b314
SHA116bf8ff015acefab81c909cc85b685ee8440b1c4
SHA256dfec3ffd264a0a3d170a1b242908466e68998d93a5d47a0e7f758d59a0176582
SHA512be74c9d2de18c8236b041f7e32a3e9b56e2ffa30c85d725925724c5241c374ac9610f7490c68d0ed67a12d0ee31546a5ff503fb4799cf73779ae8f2d54cee34f
-
MD5
448fc0b2b33a8db81ebda303b547ad40
SHA1f6a76f14b0badcef3346c73bcdacf4f8b191ef0e
SHA256af1e88e66db49e1332c8e3806a448f2a26be86235dd4cb9917cac800d54df5ea
SHA512ad09b0268204a7b421b4a64371b89e2282a73df30236aaeb234474299568603c54d73e4387896302877066678810a5311db6a13d830f7b7f4a08c0a61a93c139
-
Filesize
8KB
-
Filesize
4KB
-
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
12.3MB
-
Filesize
392KB
-
Filesize
12.3MB
-
Filesize
4KB
-
-
