Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
17-11-2021 11:36
General
-
Target
20161205_e4a80fe1dcf0f7e3a9cb5ebfd027c115.js
-
Size
13KB
-
MD5
cf7844b89cfa63d28152f4706ab1fc74
-
SHA1
ce46ff282bfe3162aec806b92672e0299aa09588
-
SHA256
cfc9a840db2ea814739f220bdaa2edc18f2fdcb350a40646bdc144ea7b559b9f
-
SHA512
58672ec8b6440321d4394e838e911927e2c03217a6ff39357f4c85d3428aef0ed4868e4848d6db3fc27d196d553aaee836a961f76ab4e669f9453e81f631b469
Score
10/10
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
-
Blocklisted process makes network request 9 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_e4a80fe1dcf0f7e3a9cb5ebfd027c115.js1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\TL1G5Z~1.ZK,TOxNKCZjUHCfTf9D2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\TL1G5Z~1.ZK,TOxNKCZjUHCfTf9D3⤵
- Blocklisted process makes network request
- Modifies extensions of user files
- Loads dropped DLL
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
-
Filesize
232KB