locky | 0881cd733dd584863daaf87341e4d0c38815a5aa62a9dc7f2608af2a3f1dc3e8

General

Target

20161205_eb2df1e72525f9d332e3179c4d432c70.js
Size

13KB
MD5

4962f8c69418e2a963a2efcf37718d8d
SHA1

aeab75634c68d8505e9f64dcabb1e415e9f53840
SHA256

0881cd733dd584863daaf87341e4d0c38815a5aa62a9dc7f2608af2a3f1dc3e8
SHA512

c2cfc24d90cc8bee452f8cf10d87b038221c9b0c7a5ea5733ccd2ce7ea74b829f15116695f0315f6765adf9aa1922653ecbda249f66aaef9e9b3fa98e2664cd8

Score

10^/10

locky locky_osiris ransomware suricata

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017
suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017
suricata
Blocklisted process makes network request 6 IoCs

Processes:

wscript.exerundll32.exe

flow pid process

5 1652 wscript.exe
6 1060 rundll32.exe
7 1060 rundll32.exe
8 1060 rundll32.exe
9 1060 rundll32.exe
10 1060 rundll32.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

rundll32.exe

description ioc process

File opened for modification \??\c:\Users\Admin\Pictures\JoinDismount.tiff rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1060 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
5	1652	wscript.exe
6	1060	rundll32.exe
7	1060	rundll32.exe
8	1060	rundll32.exe
9	1060	rundll32.exe
10	1060	rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\JoinDismount.tiff	rundll32.exe

pid	process
1060	rundll32.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

wscript.exerundll32.exe

description	pid	process	target process
PID 1652 wrote to memory of 1832	1652	wscript.exe	rundll32.exe
PID 1652 wrote to memory of 1832	1652	wscript.exe	rundll32.exe
PID 1652 wrote to memory of 1832	1652	wscript.exe	rundll32.exe
PID 1832 wrote to memory of 1060	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1060	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1060	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1060	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1060	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1060	1832	rundll32.exe	rundll32.exe
PID 1832 wrote to memory of 1060	1832	rundll32.exe	rundll32.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_eb2df1e72525f9d332e3179c4d432c70.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Z0MEK8~1.ZK,TOxNKCZjUHCfTf9D
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Z0MEK8~1.ZK,TOxNKCZjUHCfTf9D
3⤵
- Blocklisted process makes network request
- Modifies extensions of user files
- Loads dropped DLL
PID:1060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Z0MEK8~1.ZK

MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
\Users\Admin\AppData\Local\Temp\Z0MEK8~1.ZK

MD5
6b760fbbefa7f8dd1daaa93ebc38725a

SHA1
81841f24244485dae1c1834df3e544893d258f06

SHA256
c564dcc24fa9909a4482feb46d52fa96869a2ad6c8c87b5cbeee19b9b36a0ff6

SHA512
6ea91469538c40dada22b66373da0deb57f48d9d535e5ebd8199b5074a26c93a297386389a58468032dec1aef36423271d7ffaf84feba772b531c9ccd46fc68a

Download Submit
memory/1060-57-0x0000000000000000-mapping.dmp

Download
memory/1060-58-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1060-60-0x0000000075480000-0x00000000754BA000-memory.dmp

Filesize
232KB

Download
memory/1060-62-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1832-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing