locky | fad379ba7f9d1b7e2d8efd4f92e622e386e56e4a05499d4a0c80e05072a5d355

General

Target

20161205_9ce2d7bf1b9cf61897a960de3e0481d0.js
Size

13KB
MD5

558d1d1e23ddd0847e8a5f2d5ed4f930
SHA1

9c59224dff0787058da1a8b2c1c6182a1a6dd9d5
SHA256

fad379ba7f9d1b7e2d8efd4f92e622e386e56e4a05499d4a0c80e05072a5d355
SHA512

ad98ec378d4ae717dc93e94fbc672907345e78e85e1d1a0fa3677a517362a6e61ba1322c0a35743ab93d00e4a7968ef603c854e721365a62e9f08b8ad3fc1beb

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
Blocklisted process makes network request 7 IoCs

Processes:

wscript.exerundll32.exe

flow pid process

6 1680 wscript.exe
8 1680 wscript.exe
9 1888 rundll32.exe
12 1888 rundll32.exe
13 1888 rundll32.exe
14 1888 rundll32.exe
15 1888 rundll32.exe

flow	pid	process
6	1680	wscript.exe
8	1680	wscript.exe
9	1888	rundll32.exe
12	1888	rundll32.exe
13	1888	rundll32.exe
14	1888	rundll32.exe
15	1888	rundll32.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\CheckpointShow.tiff	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\RestartSubmit.tiff	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1888 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1888	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wscript.exerundll32.exe

description	pid	process	target process
PID 1680 wrote to memory of 1940	1680	wscript.exe	rundll32.exe
PID 1680 wrote to memory of 1940	1680	wscript.exe	rundll32.exe
PID 1680 wrote to memory of 1940	1680	wscript.exe	rundll32.exe
PID 1940 wrote to memory of 1888	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 1888	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 1888	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 1888	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 1888	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 1888	1940	rundll32.exe	rundll32.exe
PID 1940 wrote to memory of 1888	1940	rundll32.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_9ce2d7bf1b9cf61897a960de3e0481d0.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\5kCGed9T.zk,TOxNKCZjUHCfTf9D
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\5kCGed9T.zk,TOxNKCZjUHCfTf9D
3⤵
- Blocklisted process makes network request
- Modifies extensions of user files
- Loads dropped DLL
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5kCGed9T.zk
MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
\Users\Admin\AppData\Local\Temp\5kCGed9T.zk
MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
memory/1888-57-0x0000000000000000-mapping.dmp

Download
memory/1888-58-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1888-60-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1888-61-0x0000000074B40000-0x0000000074B7A000-memory.dmp

Filesize
232KB

Download
memory/1940-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing