Analysis
-
max time kernel
140s -
max time network
142s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
17-11-2021 11:46
General
-
Target
20161205_e6efa392712fe75ba2f4d68341a6a701.js
-
Size
12KB
-
MD5
486080aee39682d5c32041351f49f90b
-
SHA1
8692f7c1cbbaad11e1b00468e75cf1bae17fbd7a
-
SHA256
0c2470ec5c4f4cf7bd8aa004cd97a48d92c41f6ec9fe6799f82a31723b5b1b33
-
SHA512
3e02bc3b3cc141a680c05215be3c43236ef63dd9f3383fdda794a45bcf6da917775d354b7c66946783f23442bbd504fa6a734c6817ee0715f5465855db89a294
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
-
Blocklisted process makes network request 6 IoCs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Loads dropped DLL 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 25 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_e6efa392712fe75ba2f4d68341a6a701.js1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\5BDHBJ~1.ZK,TOxNKCZjUHCfTf9D2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\5BDHBJ~1.ZK,TOxNKCZjUHCfTf9D3⤵
- Blocklisted process makes network request
- Modifies extensions of user files
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
6b760fbbefa7f8dd1daaa93ebc38725a
SHA181841f24244485dae1c1834df3e544893d258f06
SHA256c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6
SHA5126ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a
-
MD5
e093483e826f4d00ec8acd7aa02ad11a
SHA1c36d5cc3cb11ddedd3ba34c2551b86d7ea24a64d
SHA2564ba37f5f6e8775cb4a765e59b3f78d145cab2c15c73fda1eaa3483ccc05a2280
SHA512ea9ae4ab2656962e5bf6e3e3311dcf09a8f0ffc4831e6410e312c42f881dd1c7f654defb0ea11a0ab0fe4d37597ea6dd37b24174844a236716c63eaec9cb7a0b
-
MD5
2a2c183b4a6f732d0b351e2ce80315e9
SHA174aaadded7b03867bf5e9761d6851b452d32fede
SHA256cf7f947d815e683fde77a8dfcf97990f22171b18a60aa33dffb73bbf55b7dcd4
SHA51258d83d008d7eeb8f8c83daab4cbb1cbc8b77de1991dcbade2014684da4016b4d5b1b1d1d6d074a0a4be75cd6039ece0629c795857aca92a810855e687cd02eca
-
MD5
6b760fbbefa7f8dd1daaa93ebc38725a
SHA181841f24244485dae1c1834df3e544893d258f06
SHA256c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6
SHA5126ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a
-
Filesize
4KB
-
Filesize
8KB
-
-
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
232KB
-
-
