locky | b3788a0198990f230055f57d6a9e5d9266a516377ebbceb9faf06df2c05c7c08

Analysis

Target

20161205_b11151ebee219a3140ba5b78ee0d23cd.js
Size

12KB
MD5

01ae471f8f3c4f98266cd341b2e35558
SHA1

198b36251e58b3ab1a87dac25bb7605ea65ee489
SHA256

b3788a0198990f230055f57d6a9e5d9266a516377ebbceb9faf06df2c05c7c08
SHA512

7770598ff77641da11357da7d6691d91cfd7b8b2ede53c00da6d2d7aced60a54f3e3be13247d64b00de1f66bdde3bfcc0496cfb1e18ffb2b07a2dacda329048d

Score

10^/10

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Blocklisted process makes network request 8 IoCs

Processes:

wscript.exerundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2308 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2308	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

wscript.exerundll32.exe

description	pid	process	target process
PID 2716 wrote to memory of 3956	2716	wscript.exe	rundll32.exe
PID 2716 wrote to memory of 3956	2716	wscript.exe	rundll32.exe
PID 3956 wrote to memory of 2308	3956	rundll32.exe	rundll32.exe
PID 3956 wrote to memory of 2308	3956	rundll32.exe	rundll32.exe
PID 3956 wrote to memory of 2308	3956	rundll32.exe	rundll32.exe

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\YCVNNH~1.ZK,TOxNKCZjUHCfTf9D
2⤵
- Suspicious use of WriteProcessMemory
PID:3956

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Users\Admin\AppData\Local\Temp\YCVNNH~1.ZK
MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
\Users\Admin\AppData\Local\Temp\YCVNNH~1.ZK
MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
memory/2308-117-0x0000000000000000-mapping.dmp

Download
memory/2308-119-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/2308-120-0x0000000073980000-0x00000000739BA000-memory.dmp

Filesize
232KB

Download
memory/3956-115-0x0000000000000000-mapping.dmp

Download