locky | b3788a0198990f230055f57d6a9e5d9266a516377ebbceb9faf06df2c05c7c08

Analysis

max time kernel
149s
max time network
133s
platform
windows10_x64
resource
win10-en-20211014
submitted
17-11-2021 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20161205_b11151ebee219a3140ba5b78ee0d23cd.js
Size

12KB
MD5

01ae471f8f3c4f98266cd341b2e35558
SHA1

198b36251e58b3ab1a87dac25bb7605ea65ee489
SHA256

b3788a0198990f230055f57d6a9e5d9266a516377ebbceb9faf06df2c05c7c08
SHA512

7770598ff77641da11357da7d6691d91cfd7b8b2ede53c00da6d2d7aced60a54f3e3be13247d64b00de1f66bdde3bfcc0496cfb1e18ffb2b07a2dacda329048d

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Blocklisted process makes network request 8 IoCs

flow	pid	Process
8	2716	wscript.exe
10	2716	wscript.exe
15	2716	wscript.exe
28	2308	rundll32.exe
42	2308	rundll32.exe
43	2308	rundll32.exe
47	2308	rundll32.exe
50	2308	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2308	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3956	2716	wscript.exe	69
PID 2716 wrote to memory of 3956	2716	wscript.exe	69
PID 3956 wrote to memory of 2308	3956	rundll32.exe	70
PID 3956 wrote to memory of 2308	3956	rundll32.exe	70
PID 3956 wrote to memory of 2308	3956	rundll32.exe	70

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_b11151ebee219a3140ba5b78ee0d23cd.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\YCVNNH~1.ZK,TOxNKCZjUHCfTf9D
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\YCVNNH~1.ZK,TOxNKCZjUHCfTf9D
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2308-119-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/2308-120-0x0000000073980000-0x00000000739BA000-memory.dmp

Filesize
232KB

Download