Overview

overview

10

Static

static

20161205_3...bbf.js

windows7_x64

10

20161205_3...bbf.js

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    17-11-2021 11:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20161205_3f1d7664595d2ff885b9fa3bf8a96bbf.js

  • Size

    13KB

  • MD5

    181a0ef665583fb02134e9effa90f86f

  • SHA1

    815bd5e80fb2ba833514548c70a5e35014a993b1

  • SHA256

    c4370948896e4b1d2fded7d0a85127f5c2e1564e41ecbc47c810ae76b1473ac4

  • SHA512

    650b1f77700ea60e0c8bfca25b364a35722a1f6b26ed2358d553adb0ae100ececffb11fa1af873ecf2318e3002e115fb2ce5d7b98f5e16c6428baae18e2d0a10

Score
10/10
lockylocky_osirisransomwaresuricata

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017

    suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017

    suricata
  • Blocklisted process makes network request 9 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_3f1d7664595d2ff885b9fa3bf8a96bbf.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\EBB852~1.ZK,TOxNKCZjUHCfTf9D
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\EBB852~1.ZK,TOxNKCZjUHCfTf9D
        3⤵
        • Blocklisted process makes network request
        • Modifies extensions of user files
        • Loads dropped DLL
        PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EBB852~1.ZK
    MD5

    6b760fbbefa7f8dd1daaa93ebc38725a

    SHA1

    81841f24244485dae1c1834df3e544893d258f06

    SHA256

    c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

    SHA512

    6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\EBB852~1.ZK
    MD5

    6b760fbbefa7f8dd1daaa93ebc38725a

    SHA1

    81841f24244485dae1c1834df3e544893d258f06

    SHA256

    c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

    SHA512

    6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

    Download Submit
  • memory/1028-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1028-58-0x0000000074E51000-0x0000000074E53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1028-60-0x00000000000F0000-0x00000000000F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1028-61-0x00000000749F0000-0x0000000074A2A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/1676-55-0x0000000000000000-mapping.dmp
    Download