locky | a53f9d5213aea33f49e7f679fb5c436da2890430c0c3a4611638d3a64154784d

General

Target

20161205_68bb06732c39ba6463f32b8bcca60632.js
Size

13KB
MD5

a8c790a74fc4e6393c2e313850ade203
SHA1

bf379612245b298ed742fbbf3634f8557781f098
SHA256

a53f9d5213aea33f49e7f679fb5c436da2890430c0c3a4611638d3a64154784d
SHA512

f1de9ab8c9b39643c8c66602a9de6185ff3dc1ebbe4bdfd9b5678f5e8f3cac43ae57c5a51cf55bf7357eda28bb04dacead7f7222077917eade83f1a40690add5

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Blocklisted process makes network request 6 IoCs

flow	pid	Process
5	1048	wscript.exe
6	1676	rundll32.exe
9	1676	rundll32.exe
10	1676	rundll32.exe
11	1676	rundll32.exe
12	1676	rundll32.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Pictures\MergeExpand.tiff	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\SplitSkip.tiff	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1676	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Control Panel\Desktop\WallpaperStyle = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Control Panel\Desktop\TileWallpaper = "0"	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 420	1048	wscript.exe	30
PID 1048 wrote to memory of 420	1048	wscript.exe	30
PID 1048 wrote to memory of 420	1048	wscript.exe	30
PID 420 wrote to memory of 1676	420	rundll32.exe	31
PID 420 wrote to memory of 1676	420	rundll32.exe	31
PID 420 wrote to memory of 1676	420	rundll32.exe	31
PID 420 wrote to memory of 1676	420	rundll32.exe	31
PID 420 wrote to memory of 1676	420	rundll32.exe	31
PID 420 wrote to memory of 1676	420	rundll32.exe	31
PID 420 wrote to memory of 1676	420	rundll32.exe	31
PID 1676 wrote to memory of 1564	1676	rundll32.exe	35
PID 1676 wrote to memory of 1564	1676	rundll32.exe	35
PID 1676 wrote to memory of 1564	1676	rundll32.exe	35
PID 1676 wrote to memory of 1564	1676	rundll32.exe	35

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_68bb06732c39ba6463f32b8bcca60632.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\T9EUNK~1.ZK,TOxNKCZjUHCfTf9D
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\T9EUNK~1.ZK,TOxNKCZjUHCfTf9D
    3⤵
    - Blocklisted process makes network request
    - Modifies extensions of user files
    - Loads dropped DLL
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      4⤵
      PID:1564

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1676-58-0x0000000074E51000-0x0000000074E53000-memory.dmp

Filesize
8KB

Download
memory/1676-60-0x00000000749F0000-0x0000000074A2A000-memory.dmp

Filesize
232KB

Download
memory/1676-62-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing