Overview

overview

10

Static

static

305153b144...11.exe

windows7_x64

10

305153b144...11.exe

windows10-2004_x64

3

Analysis

  • max time kernel
    124s
  • max time network
    99s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-06-2022 04:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe

  • Size

    357KB

  • MD5

    31e4d13c5d776036ac3603565ddc4db3

  • SHA1

    6e8aa64ca4daec8e3e97c74c442c6e4c8143a63b

  • SHA256

    305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811

  • SHA512

    3ecd27df132d599d7f16268c8501a71330a33d1e0b94fd340629db54d8fc2f09736ae2b86d9570b198bc5969973ef19feabf3980a21ab394eec99c0ed6e32d9e

Score
10/10
lockylocky_osirisransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe
    "C:\Users\Admin\AppData\Local\Temp\305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:948
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:992
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe"
      2⤵
        PID:1264
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:560

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\DesktopOSIRIS.bmp
      Filesize

      3.3MB

      MD5

      03d9e5221a584257831976e1c6bc9390

      SHA1

      9a2f059936f66efedc5176545ffb4928a195b812

      SHA256

      88a29375c137eec07b8b1323aac43adba8671c647db3c90e4678b99f8873fd7b

      SHA512

      b2f769412446ae8faa5e691c729a5aff513ed998933c29e803c9d112eeb687307822ce5bbd5666b5d2841451879467256a55ea1c1f6dad6a4027cb8056925bd9

      Download Submit
    • C:\Users\Admin\DesktopOSIRIS.htm
      Filesize

      8KB

      MD5

      8d19e4bb73299cc751209a9e0c7cee64

      SHA1

      1f73fb7a61b6be535e3d196402151f449b557629

      SHA256

      fab3af38dd7ad629a34a0a1999a13c8bf86b5c297f7699d39515b66e14f4da00

      SHA512

      1313f4106b3c93197e9a44178d71a579188d3c21ba9468e198b19efdb28f820f01a52d97a5b46b91ae71b5c54f3c03f68a2f2dc87ed02f3415391439f1edb210

      Download Submit
    • memory/948-54-0x0000000074F21000-0x0000000074F23000-memory.dmp
      Filesize

      8KB

      Download
    • memory/948-55-0x0000000000510000-0x0000000000534000-memory.dmp
      Filesize

      144KB

      Download
    • memory/948-56-0x0000000000400000-0x000000000045E000-memory.dmp
      Filesize

      376KB

      Download
    • memory/948-58-0x0000000000460000-0x0000000000487000-memory.dmp
      Filesize

      156KB

      Download
    • memory/948-62-0x0000000000460000-0x0000000000487000-memory.dmp
      Filesize

      156KB

      Download
    • memory/1264-60-0x0000000000000000-mapping.dmp
      Download