Analysis

  • max time kernel
    126s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 18:32

General

  • Target

    0a2bc257eb1e266e2fd7c608bbb7e1f2ed34660c8ff21f32999fe49c6997329b.exe

  • Size

    303KB

  • MD5

    d5fee0c6f1d0d730de259c64e6373a0c

  • SHA1

    894f45f50454001bd21ad2713fefc15eb25b2b8b

  • SHA256

    0a2bc257eb1e266e2fd7c608bbb7e1f2ed34660c8ff21f32999fe49c6997329b

  • SHA512

    fa39d6cdf1c00ec33ce02df71d16d83d58095d09d6a2a1c9d31ceb0bcd1d0c01abbe39daa49de37fab525a59678db241d2d2ebb36359c203a2e25c808c6b5f79

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a2bc257eb1e266e2fd7c608bbb7e1f2ed34660c8ff21f32999fe49c6997329b.exe
    "C:\Users\Admin\AppData\Local\Temp\0a2bc257eb1e266e2fd7c608bbb7e1f2ed34660c8ff21f32999fe49c6997329b.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of WriteProcessMemory
    PID:976
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:912 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1932
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\0a2bc257eb1e266e2fd7c608bbb7e1f2ed34660c8ff21f32999fe49c6997329b.exe"
      2⤵
        PID:1896
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\DesktopOSIRIS.bmp

    Filesize

    3.4MB

    MD5

    a6a79f46fc52dce2c41399b44563d26f

    SHA1

    23a07b8760fc7b64667e8d1b7e14f821fab0c6a6

    SHA256

    a19e2518f78ff7978140a15e274c1642a6b22858ef9daf436e9b22722989540d

    SHA512

    972923eace70c6754f327a8f55f4f872a0904703a90f3958225d8dca067a93c6c0dbf4fa75bb7aa78d8b0439d7819329403a58658b9f3f75f1f302d45114c092

  • C:\Users\Admin\DesktopOSIRIS.htm

    Filesize

    7KB

    MD5

    68933acb55f35c16ad916ebf4a6fb323

    SHA1

    f25e71bdbffebf8c27cffce30543c5a7dd4f5aed

    SHA256

    0e0696e382bd19a38d41c31eafbc1cd61a8f63633efaf416c0eb855b93e0fb3f

    SHA512

    a3e14159ea53880ff92a24e8d56440b45685af91860d3b5ee51a7d90d7f755225a4ff77238969f0ec95a473504e5972a1c752506dddbd7f235e1143fc4d58c21

  • memory/976-54-0x00000000752D1000-0x00000000752D3000-memory.dmp

    Filesize

    8KB

  • memory/976-55-0x0000000002F70000-0x0000000002F95000-memory.dmp

    Filesize

    148KB

  • memory/976-56-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/976-58-0x0000000002010000-0x0000000002037000-memory.dmp

    Filesize

    156KB