Analysis
- max time kernel: 149s
- max time network: 133s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 17-11-2021 11:51
Static task: static1
Behavioral task: behavioral1
  Sample: 20161205_b11151ebee219a3140ba5b78ee0d23cd.js
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 20161205_b11151ebee219a3140ba5b78ee0d23cd.js
  Resource: win10-en-20211014
General
- Target: 20161205_b11151ebee219a3140ba5b78ee0d23cd.js
- Size: 12KB
- MD5: 01ae471f8f3c4f98266cd341b2e35558
- SHA1: 198b36251e58b3ab1a87dac25bb7605ea65ee489
- SHA256: b3788a0198990f230055f57d6a9e5d9266a516377ebbceb9faf06df2c05c7c08
- SHA512: 7770598ff77641da11357da7d6691d91cfd7b8b2ede53c00da6d2d7aced60a54f3e3be13247d64b00de1f66bdde3bfcc0496cfb1e18ffb2b07a2dacda329048d
Malware Config
Signatures
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
- Locky (Osiris variant)
  Variant of the Locky ransomware seen in the wild since early 2017.
- Blocklisted process makes network request (8 IoCs)
  Processes: wscript.exe, rundll32.exe
  flow  pid   process
  8     2716  wscript.exe
  10    2716  wscript.exe
  15    2716  wscript.exe
  28    2308  rundll32.exe
  42    2308  rundll32.exe
  43    2308  rundll32.exe
  47    2308  rundll32.exe
  50    2308  rundll32.exe
- Loads dropped DLL (1 IoCs)
  Processes: rundll32.exe
  pid   process
  2308  rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: wscript.exe, rundll32.exe
  description                       pid   process       target process
  PID 2716 wrote to memory of 3956  2716  wscript.exe   rundll32.exe
  PID 2716 wrote to memory of 3956  2716  wscript.exe   rundll32.exe
  PID 3956 wrote to memory of 2308  3956  rundll32.exe  rundll32.exe
  PID 3956 wrote to memory of 2308  3956  rundll32.exe  rundll32.exe
  PID 3956 wrote to memory of 2308  3956  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_b11151ebee219a3140ba5b78ee0d23cd.js
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\YCVNNH~1.ZK,TOxNKCZjUHCfTf9D
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\YCVNNH~1.ZK,TOxNKCZjUHCfTf9D
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\YCVNNH~1.ZK
  MD5: 6b760fbbefa7f8dd1daaa93ebc38725a
  SHA1: 81841f24244485dae1c1834df3e544893d258f06
  SHA256: c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6
  SHA512: 6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a
- \Users\Admin\AppData\Local\Temp\YCVNNH~1.ZK
  MD5: 6b760fbbefa7f8dd1daaa93ebc38725a
  SHA1: 81841f24244485dae1c1834df3e544893d258f06
  SHA256: c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6
  SHA512: 6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a
- memory/2308-117-0x0000000000000000-mapping.dmp
- memory/2308-119-0x0000000001370000-0x0000000001371000-memory.dmp
  Filesize: 4KB
- memory/2308-120-0x0000000073980000-0x00000000739BA000-memory.dmp
  Filesize: 232KB
- memory/3956-115-0x0000000000000000-mapping.dmp