locky | d3f7159425c0e6b1c076d12eacb62345188cd9fbc7fb74052a5b3b220df91e2f

General

Target

20161205_bc36f1ce16f62adcd3368593f2c4ece0.js
Size

12KB
MD5

ec1eaa7630980202c2ea84f4f99d8f14
SHA1

7458ab3e869639e7e4fa55dd98994961ebd94f66
SHA256

d3f7159425c0e6b1c076d12eacb62345188cd9fbc7fb74052a5b3b220df91e2f
SHA512

9ff4b87c973694ae2ddf8102b06d9de2dc1758d71e70239cd2ade1e83352f1e324d225bd6a63d2045631f52e34c96c774af24fb8fdaa7e35598349f99cf92d9f

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Blocklisted process makes network request 11 IoCs

Processes:

wscript.exerundll32.exe

flow	pid	process
6	964	wscript.exe
8	964	wscript.exe
9	964	wscript.exe
11	964	wscript.exe
13	964	wscript.exe
15	964	wscript.exe
18	1064	rundll32.exe
21	1064	rundll32.exe
22	1064	rundll32.exe
23	1064	rundll32.exe
24	1064	rundll32.exe

Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

rundll32.exe

description ioc process

File opened for modification \??\c:\Users\Admin\Pictures\MeasureRepair.tiff rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1064 rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\MeasureRepair.tiff	rundll32.exe

pid	process
1064	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\TileWallpaper = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\Desktop\WallpaperStyle = "0"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2AC2FE21-4883-11EC-ADBE-4ECD28260268} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

904 iexplore.exe
1188 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

904 iexplore.exe
904 iexplore.exe
1696 IEXPLORE.EXE
1696 IEXPLORE.EXE

pid	process
904	iexplore.exe
1188	DllHost.exe

pid	process
904	iexplore.exe
904	iexplore.exe
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

wscript.exerundll32.exerundll32.exeiexplore.exe

description	pid	process	target process
PID 964 wrote to memory of 764	964	wscript.exe	rundll32.exe
PID 964 wrote to memory of 764	964	wscript.exe	rundll32.exe
PID 964 wrote to memory of 764	964	wscript.exe	rundll32.exe
PID 764 wrote to memory of 1064	764	rundll32.exe	rundll32.exe
PID 764 wrote to memory of 1064	764	rundll32.exe	rundll32.exe
PID 764 wrote to memory of 1064	764	rundll32.exe	rundll32.exe
PID 764 wrote to memory of 1064	764	rundll32.exe	rundll32.exe
PID 764 wrote to memory of 1064	764	rundll32.exe	rundll32.exe
PID 764 wrote to memory of 1064	764	rundll32.exe	rundll32.exe
PID 764 wrote to memory of 1064	764	rundll32.exe	rundll32.exe
PID 1064 wrote to memory of 904	1064	rundll32.exe	iexplore.exe
PID 1064 wrote to memory of 904	1064	rundll32.exe	iexplore.exe
PID 1064 wrote to memory of 904	1064	rundll32.exe	iexplore.exe
PID 1064 wrote to memory of 904	1064	rundll32.exe	iexplore.exe
PID 904 wrote to memory of 1696	904	iexplore.exe	IEXPLORE.EXE
PID 904 wrote to memory of 1696	904	iexplore.exe	IEXPLORE.EXE
PID 904 wrote to memory of 1696	904	iexplore.exe	IEXPLORE.EXE
PID 904 wrote to memory of 1696	904	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_bc36f1ce16f62adcd3368593f2c4ece0.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\MTCLMW~1.ZK,TOxNKCZjUHCfTf9D
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\MTCLMW~1.ZK,TOxNKCZjUHCfTf9D
    3⤵
    - Blocklisted process makes network request
    - Modifies extensions of user files
    - Loads dropped DLL
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:904
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:904 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1696

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MTCLMW~1.ZK

MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
C:\Users\Admin\DesktopOSIRIS.bmp

MD5
1056ff9edf498d030635670d19e90b11

SHA1
e6a926c3a905cfd0440f98dc3175d31ab59d6208

SHA256
ac009b4c9a14a9f48b64424ed7a4c399bd3434aab9bbb9a459b447747c728506

SHA512
2668801596ae78fe6048ae5692ec9f2a4c2b05bad725f5dd48cac6c8e9429820eef0730138b0cbcef1bff64e60aed084c004a93e9a26dd1d842a8cb007a0f2ff

Download Submit
C:\Users\Admin\DesktopOSIRIS.htm

MD5
f46976011b5d21460f0a9e65a7226ab3

SHA1
dc4534126cb7d4987e5f4b243bca55bdaec26c45

SHA256
9bffa45bde974a13984fc8a839b6a6f2c9147bd5a5c1fc6f6775bff5f7f0c4fa

SHA512
7bba1d2dc33d50b76971a977248645729260858eddb2b169d30879f41994c523fd2b8e550be3a6dd3c52f01fea9be54422280107d8c50c17203ac73d826ae935

Download Submit
\Users\Admin\AppData\Local\Temp\MTCLMW~1.ZK

MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
memory/764-55-0x0000000000000000-mapping.dmp

Download
memory/904-63-0x0000000000000000-mapping.dmp

Download
memory/1064-62-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1064-60-0x0000000075430000-0x000000007546A000-memory.dmp

Filesize
232KB

Download
memory/1064-58-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1064-57-0x0000000000000000-mapping.dmp

Download
memory/1188-66-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/1188-67-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1696-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads