Overview

overview

10

Static

static

20161205_0...816.js

windows7_x64

10

20161205_0...816.js

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    17-11-2021 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20161205_0a3057963564d1fbe7c4c961ad8c2816.js

  • Size

    13KB

  • MD5

    874e785cda72eb99593ce097ab739b71

  • SHA1

    a8b8d3ed05173b8a33d3f03d525ea440e593848c

  • SHA256

    10fc625dc1859a1f88b9cae2aae55e4268c027a65eff039d0266e855c75b6ca5

  • SHA512

    c984bfc1dc0ea684c466530bba8d8a83ad61da413e23cd6f2bd98301b5560c5f5acc6d7ced6c5035fd9954239a7a3ab8284120d8c07d568bb579eb454f398cab

Score
10/10
lockylocky_osirisransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • Blocklisted process makes network request 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_0a3057963564d1fbe7c4c961ad8c2816.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\OUV6VD~1.ZK,TOxNKCZjUHCfTf9D
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:512
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\OUV6VD~1.ZK,TOxNKCZjUHCfTf9D
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:804

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OUV6VD~1.ZK
    MD5

    6b760fbbefa7f8dd1daaa93ebc38725a

    SHA1

    81841f24244485dae1c1834df3e544893d258f06

    SHA256

    c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

    SHA512

    6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\OUV6VD~1.ZK
    MD5

    6b760fbbefa7f8dd1daaa93ebc38725a

    SHA1

    81841f24244485dae1c1834df3e544893d258f06

    SHA256

    c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

    SHA512

    6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

    Download Submit
  • memory/512-118-0x0000000000000000-mapping.dmp
    Download
  • memory/804-120-0x0000000000000000-mapping.dmp
    Download
  • memory/804-122-0x0000000074250000-0x000000007428A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/804-124-0x0000000002EB0000-0x0000000002F5E000-memory.dmp
    Filesize

    696KB

    Download