locky | cfc9a840db2ea814739f220bdaa2edc18f2fdcb350a40646bdc144ea7b559b9f

General

Target

20161205_e4a80fe1dcf0f7e3a9cb5ebfd027c115.js
Size

13KB
MD5

cf7844b89cfa63d28152f4706ab1fc74
SHA1

ce46ff282bfe3162aec806b92672e0299aa09588
SHA256

cfc9a840db2ea814739f220bdaa2edc18f2fdcb350a40646bdc144ea7b559b9f
SHA512

58672ec8b6440321d4394e838e911927e2c03217a6ff39357f4c85d3428aef0ed4868e4848d6db3fc27d196d553aaee836a961f76ab4e669f9453e81f631b469

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Blocklisted process makes network request 9 IoCs

Processes:

wscript.exerundll32.exe

flow	pid	process
11	512	wscript.exe
13	512	wscript.exe
17	512	wscript.exe
19	512	wscript.exe
33	4368	rundll32.exe
34	4368	rundll32.exe
35	4368	rundll32.exe
38	4368	rundll32.exe
39	4368	rundll32.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\ClearRead.tiff	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\SearchWatch.tiff	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4368 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4368	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wscript.exerundll32.exe

description	pid	process	target process
PID 512 wrote to memory of 4356	512	wscript.exe	rundll32.exe
PID 512 wrote to memory of 4356	512	wscript.exe	rundll32.exe
PID 4356 wrote to memory of 4368	4356	rundll32.exe	rundll32.exe
PID 4356 wrote to memory of 4368	4356	rundll32.exe	rundll32.exe
PID 4356 wrote to memory of 4368	4356	rundll32.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_e4a80fe1dcf0f7e3a9cb5ebfd027c115.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\TL1G5Z~1.ZK,TOxNKCZjUHCfTf9D
2⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\TL1G5Z~1.ZK,TOxNKCZjUHCfTf9D
3⤵
- Blocklisted process makes network request
- Modifies extensions of user files
- Loads dropped DLL
PID:4368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TL1G5Z~1.ZK
MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
\Users\Admin\AppData\Local\Temp\TL1G5Z~1.ZK
MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
memory/4356-118-0x0000000000000000-mapping.dmp

Download
memory/4368-120-0x0000000000000000-mapping.dmp

Download
memory/4368-122-0x0000000001000000-0x000000000114A000-memory.dmp

Filesize
1.3MB

Download
memory/4368-123-0x00000000744B0000-0x00000000744EA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads