locky | 0881cd733dd584863daaf87341e4d0c38815a5aa62a9dc7f2608af2a3f1dc3e8

Analysis

max time kernel
154s
max time network
130s
platform
windows10_x64
resource
win10-en-20211104
submitted
18/11/2021, 14:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20161205_eb2df1e72525f9d332e3179c4d432c70.js
Size

13KB
MD5

4962f8c69418e2a963a2efcf37718d8d
SHA1

aeab75634c68d8505e9f64dcabb1e415e9f53840
SHA256

0881cd733dd584863daaf87341e4d0c38815a5aa62a9dc7f2608af2a3f1dc3e8
SHA512

c2cfc24d90cc8bee452f8cf10d87b038221c9b0c7a5ea5733ccd2ce7ea74b829f15116695f0315f6765adf9aa1922653ecbda249f66aaef9e9b3fa98e2664cd8

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Blocklisted process makes network request 6 IoCs

flow	pid	Process
8	2896	wscript.exe
26	3496	rundll32.exe
34	3496	rundll32.exe
35	3496	rundll32.exe
39	3496	rundll32.exe
40	3496	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
3496	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2368	2896	wscript.exe	69
PID 2896 wrote to memory of 2368	2896	wscript.exe	69
PID 2368 wrote to memory of 3496	2368	rundll32.exe	70
PID 2368 wrote to memory of 3496	2368	rundll32.exe	70
PID 2368 wrote to memory of 3496	2368	rundll32.exe	70

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\20161205_eb2df1e72525f9d332e3179c4d432c70.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Z0MEK8~1.ZK,TOxNKCZjUHCfTf9D
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\Z0MEK8~1.ZK,TOxNKCZjUHCfTf9D
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:3496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3496-122-0x00000000738F0000-0x000000007392A000-memory.dmp

Filesize
232KB

Download
memory/3496-124-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download