Analysis

max time kernel: 151s
max time network: 126s
platform: windows10_x64
resource: win10-en-20211104
submitted: 17-11-2021 11:33
Static task: static1

Behavioral task: behavioral1
Sample: 20161205_0a3057963564d1fbe7c4c961ad8c2816.js
Resource: win7-en-20211104

Behavioral task: behavioral2
Sample: 20161205_0a3057963564d1fbe7c4c961ad8c2816.js
Resource: win10-en-20211104
General

Target: 20161205_0a3057963564d1fbe7c4c961ad8c2816.js
Size: 13KB
MD5: 874e785cda72eb99593ce097ab739b71
SHA1: a8b8d3ed05173b8a33d3f03d525ea440e593848c
SHA256: 10fc625dc1859a1f88b9cae2aae55e4268c027a65eff039d0266e855c75b6ca5
SHA512: c984bfc1dc0ea684c466530bba8d8a83ad61da413e23cd6f2bd98301b5560c5f5acc6d7ced6c5035fd9954239a7a3ab8284120d8c07d568bb579eb454f398cab
Malware Config
Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.

Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.

Blocklisted process makes network request (6 IoCs)
flow | pid  | process
10   | 4056 | wscript.exe
24   | 804  | rundll32.exe
25   | 804  | rundll32.exe
26   | 804  | rundll32.exe
29   | 804  | rundll32.exe
30   | 804  | rundll32.exe

Loads dropped DLL (1 IoC)
pid | process
804 | rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (5 IoCs)
description                      | pid  | process      | target process
PID 4056 wrote to memory of 512  | 4056 | wscript.exe  | rundll32.exe
PID 4056 wrote to memory of 512  | 4056 | wscript.exe  | rundll32.exe
PID 512 wrote to memory of 804   | 512  | rundll32.exe | rundll32.exe
PID 512 wrote to memory of 804   | 512  | rundll32.exe | rundll32.exe
PID 512 wrote to memory of 804   | 512  | rundll32.exe | rundll32.exe
Processes

1. C:\Windows\system32\wscript.exe (PID 4056)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_0a3057963564d1fbe7c4c961ad8c2816.js
   - Blocklisted process makes network request
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\rundll32.exe (PID 512), child of PID 4056
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\OUV6VD~1.ZK,TOxNKCZjUHCfTf9D
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe (PID 804), child of PID 512
         Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\OUV6VD~1.ZK,TOxNKCZjUHCfTf9D
         - Blocklisted process makes network request
         - Loads dropped DLL

Two details of this chain matter for detection. First, rundll32 takes its argument as "<module>,<export>" and does not require a .dll extension, so the JS dropper can write the payload under a random name (OUV6VD~1.ZK is the 8.3 short name) and still have it loaded and its export TOxNKCZjUHCfTf9D called. Second, PID 804 runs from SysWOW64 even though its command line names System32: the 64-bit rundll32 (PID 512) re-launches the 32-bit copy when the module is a 32-bit DLL, which is consistent with the 32-bit load address 0x74250000 in the memory dumps listed under Downloads. A rule that only looks at the immediate parent of the process that actually loads the DLL (PID 804) sees rundll32.exe, not wscript.exe, so attribution has to walk past the rundll32 self-spawn.
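The following is an added example, not sandbox output or code from the report: Python detection logic run over Sysmon-style ProcessCreate records that were reconstructed from the process tree above. The field names, the benign control record (PID 1500) and the unknown parent of PID 4056 (recorded as 0) are assumptions. It scores each rundll32 launch on three signals visible in this chain (script-host origin, module under the user's Temp directory, module without a .dll extension) and walks past rundll32 self-spawns so that the 32-bit child is attributed to wscript.exe as well.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed records modelled on the report's process tree. Field names follow
# Sysmon ProcessCreate naming as an assumption; the sandbox page does not show them.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# rundll32 syntax is "<module>,<export>"; the extension of <module> is irrelevant
# to rundll32, which is why the dropper can name the DLL OUV6VD~1.ZK.
RUNDLL32_RE = re.compile(
    r'^"?(?P<exe>[^"\s]*rundll32\.exe)"?\s+(?P<dll>[^,\s]+),(?P<export>\S+)',
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def nearest_non_rundll32_ancestor(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> Optional[ProcessEvent]:
    """The 64-bit rundll32 re-launches the SysWOW64 copy for 32-bit modules, so
    skip rundll32 parents to find the process that really started the chain."""
    cur: Optional[ProcessEvent] = ev
    while cur is not None and basename(cur.image) == "rundll32.exe":
        cur = by_pid.get(cur.parent_pid)
    return cur


def rundll32_findings(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> List[str]:
    """Return the suspicious signals for one rundll32 launch (empty if none)."""
    if basename(ev.image) != "rundll32.exe":
        return []
    m = RUNDLL32_RE.match(ev.command_line)
    if m is None:
        return []
    dll = m.group("dll")
    findings: List[str] = []
    origin = nearest_non_rundll32_ancestor(ev, by_pid)
    if origin is not None and basename(origin.image) in SCRIPT_HOSTS:
        findings.append(f"launched by script host {basename(origin.image)} (pid {origin.pid})")
    if USER_TEMP_RE.search(dll):
        findings.append("module loaded from user Temp directory")
    if not dll.lower().endswith(".dll"):
        findings.append(f"module has non-.dll extension ({dll.rsplit('.', 1)[-1]})")
    return findings


def analyze(events: List[ProcessEvent], threshold: int = 2) -> Dict[int, List[str]]:
    """Return {pid: findings} for every rundll32 launch with at least `threshold` signals."""
    by_pid = {e.pid: e for e in events}
    flagged: Dict[int, List[str]] = {}
    for ev in events:
        f = rundll32_findings(ev, by_pid)
        if len(f) >= threshold:
            flagged[ev.pid] = f
    return flagged


PAYLOAD_CMD = ('"C:\\Windows\\System32\\rundll32.exe" '
               'C:\\Users\\Admin\\AppData\\Local\\Temp\\OUV6VD~1.ZK,TOxNKCZjUHCfTf9D')

EVENTS = [
    # Parent of wscript.exe is not shown in the report; recorded as 0 (unknown).
    ProcessEvent(4056, "C:\\Windows\\system32\\wscript.exe",
                 "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\"
                 "20161205_0a3057963564d1fbe7c4c961ad8c2816.js", 0),
    ProcessEvent(512, "C:\\Windows\\System32\\rundll32.exe", PAYLOAD_CMD, 4056),
    ProcessEvent(804, "C:\\Windows\\SysWOW64\\rundll32.exe", PAYLOAD_CMD, 512),
    # Invented benign control: a Control Panel applet launched by a non-script parent.
    ProcessEvent(1500, "C:\\Windows\\System32\\rundll32.exe",
                 '"C:\\Windows\\System32\\rundll32.exe" shell32.dll,Control_RunDLL', 1000),
]

if __name__ == "__main__":
    for pid, findings in analyze(EVENTS).items():
        print(pid, "->", "; ".join(findings))
```

With the records above, PIDs 512 and 804 are both flagged with all three signals, the benign control is not, and the 804 finding names wscript.exe as the origin despite its direct parent being rundll32.exe. A threshold of 2 keeps a lone Temp-directory module or a lone odd extension from alerting on its own; tune it against your own telemetry.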
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\OUV6VD~1.ZK (also listed as \Users\Admin\AppData\Local\Temp\OUV6VD~1.ZK, same hashes)
MD5: 6b760fbbefa7f8dd1daaa93ebc38725a
SHA1: 81841f24244485dae1c1834df3e544893d258f06
SHA256: c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6
SHA512: 6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

memory/512-118-0x0000000000000000-mapping.dmp
memory/804-120-0x0000000000000000-mapping.dmp
memory/804-122-0x0000000074250000-0x000000007428A000-memory.dmp (Filesize: 232KB)
memory/804-124-0x0000000002EB0000-0x0000000002F5E000-memory.dmp (Filesize: 696KB)