locky | 0881cd733dd584863daaf87341e4d0c38815a5aa62a9dc7f2608af2a3f1dc3e8

Analysis

max time kernel
152s
max time network
124s
platform
windows7_x64
resource
win7-en-20211014
submitted
18-11-2021 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20161205_eb2df1e72525f9d332e3179c4d432c70.js
Size

13KB
MD5

4962f8c69418e2a963a2efcf37718d8d
SHA1

aeab75634c68d8505e9f64dcabb1e415e9f53840
SHA256

0881cd733dd584863daaf87341e4d0c38815a5aa62a9dc7f2608af2a3f1dc3e8
SHA512

c2cfc24d90cc8bee452f8cf10d87b038221c9b0c7a5ea5733ccd2ce7ea74b829f15116695f0315f6765adf9aa1922653ecbda249f66aaef9e9b3fa98e2664cd8

Score

10^/10

locky locky_osiris ransomware suricata

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017
suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017
suricata

Blocklisted process makes network request 6 IoCs

flow	pid	Process
5	1652	wscript.exe
6	1060	rundll32.exe
7	1060	rundll32.exe
8	1060	rundll32.exe
9	1060	rundll32.exe
10	1060	rundll32.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Pictures\JoinDismount.tiff	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
1060	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1832	1652	wscript.exe	30
PID 1652 wrote to memory of 1832	1652	wscript.exe	30
PID 1652 wrote to memory of 1832	1652	wscript.exe	30
PID 1832 wrote to memory of 1060	1832	rundll32.exe	31
PID 1832 wrote to memory of 1060	1832	rundll32.exe	31
PID 1832 wrote to memory of 1060	1832	rundll32.exe	31
PID 1832 wrote to memory of 1060	1832	rundll32.exe	31
PID 1832 wrote to memory of 1060	1832	rundll32.exe	31
PID 1832 wrote to memory of 1060	1832	rundll32.exe	31
PID 1832 wrote to memory of 1060	1832	rundll32.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_eb2df1e72525f9d332e3179c4d432c70.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Z0MEK8~1.ZK,TOxNKCZjUHCfTf9D
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Z0MEK8~1.ZK,TOxNKCZjUHCfTf9D
    3⤵
    - Blocklisted process makes network request
    - Modifies extensions of user files
    - Loads dropped DLL
    PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1060-58-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1060-60-0x0000000075480000-0x00000000754BA000-memory.dmp

Filesize
232KB

Download
memory/1060-62-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download