locky | 8a1d1c5e75724f1ddc46071f3bb38d6ddd9713adfd0b5bf05df4598f410a1331

General

Target

20161205_100008bbc736af07046b2402686345ab.js
Size

12KB
MD5

b58572a8058a0b867d43ebfa00f357df
SHA1

4d6e8ac1afee83f07c60e18aff413778b5a9ee40
SHA256

8a1d1c5e75724f1ddc46071f3bb38d6ddd9713adfd0b5bf05df4598f410a1331
SHA512

a3e2e4bf1da37a26db6ea8263f7604f52387f5841f50a8a8f6e950932dff664443f0b24de204d9040d89ff76b65e906de03b40ef99307fb324afc163c1aae195

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Blocklisted process makes network request 14 IoCs

Processes:

wscript.exerundll32.exe

flow	pid	process
9	3488	wscript.exe
11	3488	wscript.exe
13	3488	wscript.exe
15	3488	wscript.exe
19	3488	wscript.exe
23	3488	wscript.exe
25	3488	wscript.exe
26	3488	wscript.exe
28	3488	wscript.exe
41	936	rundll32.exe
42	936	rundll32.exe
43	936	rundll32.exe
44	936	rundll32.exe
45	936	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

936 rundll32.exe

pid	process
936	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\WallpaperStyle = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\Desktop\TileWallpaper = "0"	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wscript.exerundll32.exe

description	pid	process	target process
PID 3488 wrote to memory of 1040	3488	wscript.exe	rundll32.exe
PID 3488 wrote to memory of 1040	3488	wscript.exe	rundll32.exe
PID 1040 wrote to memory of 936	1040	rundll32.exe	rundll32.exe
PID 1040 wrote to memory of 936	1040	rundll32.exe	rundll32.exe
PID 1040 wrote to memory of 936	1040	rundll32.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_100008bbc736af07046b2402686345ab.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\PCNKZV~1.ZK,TOxNKCZjUHCfTf9D
2⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\PCNKZV~1.ZK,TOxNKCZjUHCfTf9D
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:2136

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:2740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PCNKZV~1.ZK
MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
\Users\Admin\AppData\Local\Temp\PCNKZV~1.ZK
MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
memory/936-120-0x0000000000000000-mapping.dmp

Download
memory/936-122-0x0000000073BC0000-0x0000000073BFA000-memory.dmp

Filesize
232KB

Download
memory/936-124-0x0000000000C00000-0x0000000000CAE000-memory.dmp

Filesize
696KB

Download
memory/1040-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads