Analysis
- max time kernel: 152s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 17-11-2021 11:48
Static task: static1
Behavioral task: behavioral1
- Sample: 20161205_3f1d7664595d2ff885b9fa3bf8a96bbf.js
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: 20161205_3f1d7664595d2ff885b9fa3bf8a96bbf.js
- Resource: win10-en-20211104
General
- Target: 20161205_3f1d7664595d2ff885b9fa3bf8a96bbf.js
- Size: 13KB
- MD5: 181a0ef665583fb02134e9effa90f86f
- SHA1: 815bd5e80fb2ba833514548c70a5e35014a993b1
- SHA256: c4370948896e4b1d2fded7d0a85127f5c2e1564e41ecbc47c810ae76b1473ac4
- SHA512: 650b1f77700ea60e0c8bfca25b364a35722a1f6b26ed2358d553adb0ae100ececffb11fa1af873ecf2318e3002e115fb2ce5d7b98f5e16c6428baae18e2d0a10
Malware Config
Signatures
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
- Locky (Osiris variant)
  Variant of the Locky ransomware seen in the wild since early 2017.
- suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017
- Blocklisted process makes network request (9 IoCs)
  Processes: wscript.exe, rundll32.exe
  flow  pid   process
  5     1048  wscript.exe
  7     1048  wscript.exe
  9     1048  wscript.exe
  11    1048  wscript.exe
  12    1028  rundll32.exe
  15    1028  rundll32.exe
  16    1028  rundll32.exe
  17    1028  rundll32.exe
  18    1028  rundll32.exe
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: rundll32.exe
  description                   ioc                                           process
  File opened for modification  \??\c:\Users\Admin\Pictures\SplitSkip.tiff    rundll32.exe
  File opened for modification  \??\c:\Users\Admin\Pictures\MergeExpand.tiff  rundll32.exe
- Loads dropped DLL (1 IoCs)
  Processes: rundll32.exe
  pid   process
  1028  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: wscript.exe, rundll32.exe
  description                     pid   process       target process
  PID 1048 wrote to memory of 1676  1048  wscript.exe   rundll32.exe
  PID 1048 wrote to memory of 1676  1048  wscript.exe   rundll32.exe
  PID 1048 wrote to memory of 1676  1048  wscript.exe   rundll32.exe
  PID 1676 wrote to memory of 1028  1676  rundll32.exe  rundll32.exe
  PID 1676 wrote to memory of 1028  1676  rundll32.exe  rundll32.exe
  PID 1676 wrote to memory of 1028  1676  rundll32.exe  rundll32.exe
  PID 1676 wrote to memory of 1028  1676  rundll32.exe  rundll32.exe
  PID 1676 wrote to memory of 1028  1676  rundll32.exe  rundll32.exe
  PID 1676 wrote to memory of 1028  1676  rundll32.exe  rundll32.exe
  PID 1676 wrote to memory of 1028  1676  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_3f1d7664595d2ff885b9fa3bf8a96bbf.js
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\EBB852~1.ZK,TOxNKCZjUHCfTf9D
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\EBB852~1.ZK,TOxNKCZjUHCfTf9D
      - Blocklisted process makes network request
      - Modifies extensions of user files
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\EBB852~1.ZK
  MD5: 6b760fbbefa7f8dd1daaa93ebc38725a
  SHA1: 81841f24244485dae1c1834df3e544893d258f06
  SHA256: c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6
  SHA512: 6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a
- memory/1028-57-0x0000000000000000-mapping.dmp
- memory/1028-58-0x0000000074E51000-0x0000000074E53000-memory.dmp (Filesize: 8KB)
- memory/1028-60-0x00000000000F0000-0x00000000000F1000-memory.dmp (Filesize: 4KB)
- memory/1028-61-0x00000000749F0000-0x0000000074A2A000-memory.dmp (Filesize: 232KB)
- memory/1676-55-0x0000000000000000-mapping.dmp