locky | 8a1d1c5e75724f1ddc46071f3bb38d6ddd9713adfd0b5bf05df4598f410a1331

General

Target

20161205_100008bbc736af07046b2402686345ab.js
Size

12KB
MD5

b58572a8058a0b867d43ebfa00f357df
SHA1

4d6e8ac1afee83f07c60e18aff413778b5a9ee40
SHA256

8a1d1c5e75724f1ddc46071f3bb38d6ddd9713adfd0b5bf05df4598f410a1331
SHA512

a3e2e4bf1da37a26db6ea8263f7604f52387f5841f50a8a8f6e950932dff664443f0b24de204d9040d89ff76b65e906de03b40ef99307fb324afc163c1aae195

Score

10^/10

locky locky_osiris ransomware suricata

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017
suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017
suricata

Blocklisted process makes network request 13 IoCs

flow	pid	Process
6	368	wscript.exe
8	368	wscript.exe
10	368	wscript.exe
12	368	wscript.exe
14	368	wscript.exe
16	368	wscript.exe
17	368	wscript.exe
19	368	wscript.exe
22	2020	rundll32.exe
23	2020	rundll32.exe
26	2020	rundll32.exe
27	2020	rundll32.exe
28	2020	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2020	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Control Panel\Desktop\WallpaperStyle = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Control Panel\Desktop\TileWallpaper = "0"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{89E55461-47A8-11EC-BC95-42884776E148} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1012	iexplore.exe
2040	DllHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1012	iexplore.exe
1012	iexplore.exe
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1144	368	wscript.exe	30
PID 368 wrote to memory of 1144	368	wscript.exe	30
PID 368 wrote to memory of 1144	368	wscript.exe	30
PID 1144 wrote to memory of 2020	1144	rundll32.exe	31
PID 1144 wrote to memory of 2020	1144	rundll32.exe	31
PID 1144 wrote to memory of 2020	1144	rundll32.exe	31
PID 1144 wrote to memory of 2020	1144	rundll32.exe	31
PID 1144 wrote to memory of 2020	1144	rundll32.exe	31
PID 1144 wrote to memory of 2020	1144	rundll32.exe	31
PID 1144 wrote to memory of 2020	1144	rundll32.exe	31
PID 2020 wrote to memory of 1012	2020	rundll32.exe	35
PID 2020 wrote to memory of 1012	2020	rundll32.exe	35
PID 2020 wrote to memory of 1012	2020	rundll32.exe	35
PID 2020 wrote to memory of 1012	2020	rundll32.exe	35
PID 1012 wrote to memory of 1488	1012	iexplore.exe	37
PID 1012 wrote to memory of 1488	1012	iexplore.exe	37
PID 1012 wrote to memory of 1488	1012	iexplore.exe	37
PID 1012 wrote to memory of 1488	1012	iexplore.exe	37

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_100008bbc736af07046b2402686345ab.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\PCNKZV~1.ZK,TOxNKCZjUHCfTf9D
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\PCNKZV~1.ZK,TOxNKCZjUHCfTf9D
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1488

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2020-58-0x00000000751C1000-0x00000000751C3000-memory.dmp

Filesize
8KB

Download
memory/2020-61-0x0000000074C30000-0x0000000074C6A000-memory.dmp

Filesize
232KB

Download
memory/2020-60-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2040-65-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2040-67-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads