locky | 305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811

General

Target

305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe
Size

357KB
MD5

31e4d13c5d776036ac3603565ddc4db3
SHA1

6e8aa64ca4daec8e3e97c74c442c6e4c8143a63b
SHA256

305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811
SHA512

3ecd27df132d599d7f16268c8501a71330a33d1e0b94fd340629db54d8fc2f09736ae2b86d9570b198bc5969973ef19feabf3980a21ab394eec99c0ed6e32d9e

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe

description	ioc	process
File opened for modification	\??\c:\Users\Admin\Pictures\SwitchRead.tiff	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe
File opened for modification	\??\c:\Users\Admin\Pictures\OpenSync.tiff	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\WallpaperStyle = "0"	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\TileWallpaper = "0"	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c00000000020000000000106600000001000020000000a9e8bfb7d9f31f6af5bd46fa385b8a7e3d79fd677e02d4ead2cd6ab41ea48884000000000e8000000002000020000000ccb9f520f51b3ef94fb2c8915db180ad9922f7b4ee1b4f619d8a89212798a67120000000d81fa59a874f38846128eab094954c9da81d8d13e7e5ca20cb76f6d19296c03740000000907b79ea69d4f48bd31122b72caae90553132130577a9a3c6ddd646bcd7b1a051360cf25e8e27201d34dede44442a065a3d06d884364bdb9ba755879acbc3031	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D22D0291-F133-11EC-A5C5-C6DEEDF3EE1E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 907fd0a74085d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000003fb6c65bdf1074219328bcf2b88383a63f2dea140a753326fbf7ced31beff8b3000000000e80000000020000200000000778f8300b0cf77b5e144bd431fc7d69881c22e8976f509a80f2e14e88733dc190000000dae5ad0ad089b357b87be99dc3390a7b4b9310cc52e6a26762e51bf32d80669c2717b3b037554e27e129a665d8a495fa8c6a4b23feda2bd63430a6166468e4684c2f95f5d080be5cc9a5d8048c063c35121f838e0cdb0b9c35e2610f267f4b8a4d8b53d366f6ca66f029aebb2f3c944ecfc27d446cd0eda5cf6975e722920d949524ffad6d30440e44aaa064c457f67140000000621a6a32fea5349fd02f488017fabccb1fef8e0d4090edcdd1e97fe7f7c083eda7ac1465b804d3416ec7d8022ee7a18dad3e2f4e9effdef4a72bb05f42f73d6f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exeiexplore.exeDllHost.exe

pid process

948 305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe
848 iexplore.exe
560 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

848 iexplore.exe
848 iexplore.exe
992 IEXPLORE.EXE
992 IEXPLORE.EXE

pid	process
948	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe
848	iexplore.exe
560	DllHost.exe

pid	process
848	iexplore.exe
848	iexplore.exe
992	IEXPLORE.EXE
992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exeiexplore.exe

description	pid	process	target process
PID 948 wrote to memory of 848	948	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe	iexplore.exe
PID 948 wrote to memory of 848	948	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe	iexplore.exe
PID 948 wrote to memory of 848	948	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe	iexplore.exe
PID 948 wrote to memory of 848	948	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe	iexplore.exe
PID 948 wrote to memory of 1264	948	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe	cmd.exe
PID 948 wrote to memory of 1264	948	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe	cmd.exe
PID 948 wrote to memory of 1264	948	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe	cmd.exe
PID 948 wrote to memory of 1264	948	305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe	cmd.exe
PID 848 wrote to memory of 992	848	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 992	848	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 992	848	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 992	848	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe
"C:\Users\Admin\AppData\Local\Temp\305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe"
1⤵
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:948
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\305153b14416391a42cd06338729048cc5a4163bb3a014422745beb5e6572811.exe"
  2⤵
  PID:1264

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\DesktopOSIRIS.bmp

Filesize
3.3MB

MD5
03d9e5221a584257831976e1c6bc9390

SHA1
9a2f059936f66efedc5176545ffb4928a195b812

SHA256
88a29375c137eec07b8b1323aac43adba8671c647db3c90e4678b99f8873fd7b

SHA512
b2f769412446ae8faa5e691c729a5aff513ed998933c29e803c9d112eeb687307822ce5bbd5666b5d2841451879467256a55ea1c1f6dad6a4027cb8056925bd9

Download Submit
C:\Users\Admin\DesktopOSIRIS.htm

Filesize
8KB

MD5
8d19e4bb73299cc751209a9e0c7cee64

SHA1
1f73fb7a61b6be535e3d196402151f449b557629

SHA256
fab3af38dd7ad629a34a0a1999a13c8bf86b5c297f7699d39515b66e14f4da00

SHA512
1313f4106b3c93197e9a44178d71a579188d3c21ba9468e198b19efdb28f820f01a52d97a5b46b91ae71b5c54f3c03f68a2f2dc87ed02f3415391439f1edb210

Download Submit
memory/948-54-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/948-55-0x0000000000510000-0x0000000000534000-memory.dmp

Filesize
144KB

Download
memory/948-56-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/948-58-0x0000000000460000-0x0000000000487000-memory.dmp

Filesize
156KB

Download
memory/948-62-0x0000000000460000-0x0000000000487000-memory.dmp

Filesize
156KB

Download
memory/1264-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads