Overview

overview

10

Static

static

20161205_9...1d0.js

windows7_x64

10

20161205_9...1d0.js

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    17-11-2021 11:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20161205_9ce2d7bf1b9cf61897a960de3e0481d0.js

  • Size

    13KB

  • MD5

    558d1d1e23ddd0847e8a5f2d5ed4f930

  • SHA1

    9c59224dff0787058da1a8b2c1c6182a1a6dd9d5

  • SHA256

    fad379ba7f9d1b7e2d8efd4f92e622e386e56e4a05499d4a0c80e05072a5d355

  • SHA512

    ad98ec378d4ae717dc93e94fbc672907345e78e85e1d1a0fa3677a517362a6e61ba1322c0a35743ab93d00e4a7968ef603c854e721365a62e9f08b8ad3fc1beb

Score
10/10
lockylocky_osirisransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • Blocklisted process makes network request 7 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_9ce2d7bf1b9cf61897a960de3e0481d0.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\5kCGed9T.zk,TOxNKCZjUHCfTf9D
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\5kCGed9T.zk,TOxNKCZjUHCfTf9D
        3⤵
        • Blocklisted process makes network request
        • Modifies extensions of user files
        • Loads dropped DLL
        PID:1888

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1888-58-0x00000000754F1000-0x00000000754F3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1888-60-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1888-61-0x0000000074B40000-0x0000000074B7A000-memory.dmp

    Filesize

    232KB

    Download