Analysis
- Max time kernel: 151s
- Max time network: 119s
- Platform: windows7_x64
- Resource: win7-en-20211014
- Submitted: 17-11-2021 11:53

Static task: static1
Behavioral task: behavioral1
- Sample: 20161205_9ce2d7bf1b9cf61897a960de3e0481d0.js
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 20161205_9ce2d7bf1b9cf61897a960de3e0481d0.js
- Resource: win10-en-20211014
General
- Target: 20161205_9ce2d7bf1b9cf61897a960de3e0481d0.js
- Size: 13KB
- MD5: 558d1d1e23ddd0847e8a5f2d5ed4f930
- SHA1: 9c59224dff0787058da1a8b2c1c6182a1a6dd9d5
- SHA256: fad379ba7f9d1b7e2d8efd4f92e622e386e56e4a05499d4a0c80e05072a5d355
- SHA512: ad98ec378d4ae717dc93e94fbc672907345e78e85e1d1a0fa3677a517362a6e61ba1322c0a35743ab93d00e4a7968ef603c854e721365a62e9f08b8ad3fc1beb
Malware Config
Signatures
-
Locky
Ransomware strain first seen in 2016, with anti-analysis features.
-
Locky (Osiris variant)
Variant of Locky seen in the wild since December 2016, which matches the 20161205 date prefix of this sample's filename.
-
Blocklisted process makes network request (7 IoCs)
Processes:
  flow  pid   process
  6     1680  wscript.exe
  8     1680  wscript.exe
  9     1888  rundll32.exe
  12    1888  rundll32.exe
  13    1888  rundll32.exe
  14    1888  rundll32.exe
  15    1888  rundll32.exe
-
Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description                   ioc                                               process
  File opened for modification  \??\c:\Users\Admin\Pictures\CheckpointShow.tiff   rundll32.exe
  File opened for modification  \??\c:\Users\Admin\Pictures\RestartSubmit.tiff    rundll32.exe
Note: the report records only that these two files were opened for modification; the new extension itself is not captured here, so do not treat this signature alone as proof of encryption.
-
Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1888  rundll32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                       pid   process       target process
  PID 1680 wrote to memory of 1940  1680  wscript.exe   rundll32.exe   (3 events)
  PID 1940 wrote to memory of 1888  1940  rundll32.exe  rundll32.exe   (7 events)
Note: every write here is from a parent into the child it has just created, which is consistent with ordinary process start-up rather than classic code injection. The useful signal is the parent/child chain (script host spawning rundll32.exe), not the WriteProcessMemory calls by themselves.
Processes
- C:\Windows\system32\wscript.exe (PID 1680)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_9ce2d7bf1b9cf61897a960de3e0481d0.js
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (PID 1940)
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\5kCGed9T.zk,TOxNKCZjUHCfTf9D
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1888)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\5kCGed9T.zk,TOxNKCZjUHCfTf9D
      - Blocklisted process makes network request
      - Modifies extensions of user files
      - Loads dropped DLL

Reading the tree: the .js file run by wscript.exe is the downloader (it is the only process making network requests before the DLL exists), and it launches the payload with rundll32.exe. The 64-bit rundll32.exe (PID 1940) re-executes itself as the 32-bit copy from SysWOW64 (PID 1888) because the dropped DLL is 32-bit, which is why the logged image path differs from the command line. PID 1888 is the process that actually loads 5kCGed9T.zk, calls the export TOxNKCZjUHCfTf9D, contacts the network and touches user files. The .zk extension is arbitrary: rundll32.exe loads whatever LoadLibrary can map, so a defender should key on the combination of script-host parent, DLL in the user's Temp directory, and non-standard extension rather than on the extension alone.
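The chain above (script host spawning rundll32.exe with a renamed DLL from the user's Temp directory) is the detection opportunity. The following Python is an added example, not code from the sandbox report or from the sample: it walks a constructed list of Sysmon-style process-creation records (the field names are an assumption; the PIDs, image paths and command lines are copied from the tree above, plus one benign rundll32.exe use as a control) and reports why each rundll32.exe invocation looks like this dropper chain. It generalizes slightly beyond the page by also treating cscript.exe as a script host.

```python
"""Hunt for the wscript.exe -> rundll32.exe loader chain recorded in this report.

Added example; not part of the sandbox report or of the sample. The input is a
constructed list of Sysmon-style process-creation records (field names are an
assumption). PIDs, image paths and command lines come from the report's process
tree; the last record is a benign control that must not be flagged.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # path of the created executable, as logged
    cmdline: str    # command line, as logged


# Constructed input mirroring the report's tree (wscript -> rundll32 -> rundll32).
SAMPLE_EVENTS = [
    ProcEvent(1680, 1000, r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_9ce2d7bf1b9cf61897a960de3e0481d0.js"),
    ProcEvent(1940, 1680, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\5kCGed9T.zk,TOxNKCZjUHCfTf9D'),
    ProcEvent(1888, 1940, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\5kCGed9T.zk,TOxNKCZjUHCfTf9D'),
    # Benign control (constructed): a Control Panel applet launched from explorer.exe.
    ProcEvent(2200, 1200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# Script hosts that should rarely be an ancestor of rundll32.exe in a normal session.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions rundll32.exe legitimately loads; anything else deserves a look.
NORMAL_DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# rundll32 syntax: rundll32.exe <dll>,<entrypoint> [args]; the DLL path may be quoted.
RUNDLL_ARG = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s+'            # the rundll32.exe token itself
    r'(?P<dll>"[^"]*"|[^\s,]+)\s*,\s*'   # DLL path, then the comma separator
    r'(?P<export>[^\s,]+)'               # entry point name (or #ordinal)
)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline: str):
    """Return (dll_path, entrypoint) from a rundll32 command line, or None."""
    m = RUNDLL_ARG.match(cmdline)
    if m is None:
        return None
    return m.group("dll").strip('"'), m.group("export")


def ancestors(ev: ProcEvent, by_pid: dict, limit: int = 8) -> list:
    """Walk parent links upward, bounded in case PID reuse creates a loop."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None and len(chain) < limit:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def assess_rundll32(ev: ProcEvent, by_pid: dict) -> list:
    """Reasons this rundll32.exe invocation resembles the report's dropper chain."""
    if basename(ev.image) != "rundll32.exe":
        return []
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None:
        return ["rundll32.exe without a DLL,entrypoint argument"]
    dll, _export = parsed
    reasons = []
    host = next((basename(a.image) for a in ancestors(ev, by_pid)
                 if basename(a.image) in SCRIPT_HOSTS), None)
    if host:
        reasons.append(f"ancestor is script host {host}")
    low = dll.lower()
    if "\\appdata\\local\\temp\\" in low or "\\windows\\temp\\" in low:
        reasons.append("DLL loaded from a Temp directory")
    name = basename(dll)
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in NORMAL_DLL_EXTS:
        reasons.append(f"DLL has non-standard extension {ext or '(none)'}")
    # The report shows 64-bit rundll32.exe re-executing itself from SysWOW64 for a
    # 32-bit DLL, so the logged image path differs from the command line.
    if "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower():
        reasons.append("64-bit rundll32.exe re-launched the 32-bit copy (32-bit payload DLL)")
    return reasons


def hunt(events) -> dict:
    """Map PID -> reasons for every rundll32.exe record that has at least one."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        reasons = assess_rundll32(e, by_pid)
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run as-is it flags PIDs 1940 and 1888 and stays silent on the shell32.dll control. The ancestor walk matters: PID 1888's direct parent is another rundll32.exe, so a rule that only inspects the immediate parent would miss the process that actually loads the payload.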
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\5kCGed9T.zk
MD5: 6b760fbbefa7f8dd1daaa93ebc38725a
SHA1: 81841f24244485dae1c1834df3e544893d258f06
SHA256: c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6
SHA512: 6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a
-
\Users\Admin\AppData\Local\Temp\5kCGed9T.zk
Same file listed again under its drive-relative path; MD5, SHA1, SHA256 and SHA512 are identical to the entry above.
-
memory/1888-57-0x0000000000000000-mapping.dmp
-
memory/1888-58-0x00000000754F1000-0x00000000754F3000-memory.dmp (8KB)
-
memory/1888-60-0x00000000001E0000-0x00000000001E1000-memory.dmp (4KB)
-
memory/1888-61-0x0000000074B40000-0x0000000074B7A000-memory.dmp (232KB)
-
memory/1940-55-0x0000000000000000-mapping.dmp
Note: all address ranges are 32-bit, as expected for PID 1888 (the SysWOW64 rundll32.exe). The 232KB region is the largest dump from that process and is the first one to examine when looking for the loaded payload module.