locky | 10fc625dc1859a1f88b9cae2aae55e4268c027a65eff039d0266e855c75b6ca5

Analysis

max time kernel
151s
max time network
126s
platform
windows10_x64
resource
win10-en-20211104
submitted
17-11-2021 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20161205_0a3057963564d1fbe7c4c961ad8c2816.js
Size

13KB
MD5

874e785cda72eb99593ce097ab739b71
SHA1

a8b8d3ed05173b8a33d3f03d525ea440e593848c
SHA256

10fc625dc1859a1f88b9cae2aae55e4268c027a65eff039d0266e855c75b6ca5
SHA512

c984bfc1dc0ea684c466530bba8d8a83ad61da413e23cd6f2bd98301b5560c5f5acc6d7ced6c5035fd9954239a7a3ab8284120d8c07d568bb579eb454f398cab

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Blocklisted process makes network request 6 IoCs

flow	pid	Process
10	4056	wscript.exe
24	804	rundll32.exe
25	804	rundll32.exe
26	804	rundll32.exe
29	804	rundll32.exe
30	804	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
804	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 512	4056	wscript.exe	69
PID 4056 wrote to memory of 512	4056	wscript.exe	69
PID 512 wrote to memory of 804	512	rundll32.exe	70
PID 512 wrote to memory of 804	512	rundll32.exe	70
PID 512 wrote to memory of 804	512	rundll32.exe	70

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_0a3057963564d1fbe7c4c961ad8c2816.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\OUV6VD~1.ZK,TOxNKCZjUHCfTf9D
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\OUV6VD~1.ZK,TOxNKCZjUHCfTf9D
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-122-0x0000000074250000-0x000000007428A000-memory.dmp

Filesize
232KB

Download
memory/804-124-0x0000000002EB0000-0x0000000002F5E000-memory.dmp

Filesize
696KB

Download