locky | 21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6

General

Target

21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe
Size

372KB
MD5

e3b3e285390c0e2f7d04bd040bec790d
SHA1

dbee71535e9f1fb23b3f01e25989d22d51237e68
SHA256

21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6
SHA512

6156a6b0ff4f41c823cba68a4596676e357ceb5b8c0848c2828a72321dbc2a731d9ae8f1a417fe27aef7de0080001ad3f77b3809b64a93c610ae99f95b35f5be

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\WallpaperStyle = "0"	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\Desktop\TileWallpaper = "0"	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd4000000000200000000001066000000010000200000000730640e31d04f209668b25ed35ee416c93043f4b707e0ee05399638cb79fc7a000000000e8000000002000020000000945d8c389c8ea1bde8234c0b6e54fc815dc1e041596a6f1402f8c9744cd02231900000000b09e848f167edc57768082b3ec924ba64afe898598dac78fbf8df396a7f718faf0cafb58eba7e226c78584592aa65b1cd78bfa1df46276f6676d7702b1b8621538d1739efc94ae53cf48863ee523087dc3f4f0cecce4a1fedcc50b9d71d4ae2d49b8b9ecbea424a765aefc3a7c81ed0541c7715c7d2b70cc3a850f639614a38e5f299bb19086b0dbea14865d95bb2a9400000006ad0dc200784c1ff95d8c39c23e3fc24d30e7b763c8c749038dec3cf889f965783f86378e4270b289294cc65714b5a180aab2aa89500716dcc21c3427183153b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd4000000000200000000001066000000010000200000006a30a2234b2894068c3b4863e5332de2eb7c7981dcabf23512a33779dd4c3f82000000000e800000000200002000000079940595aa86bd661f3ba221cfc7976a3593a8e6d86abd96188623ab479260e42000000023005852842a027d207793471960d525a14be8a2222e70f5cbfc6f24b832c4d840000000ef9037be931862f19405203c7b89e5e437a08454e5e235ed43dde9dd061cbbaa7ade67080ef28e9e561687cb235ecca6ff14fe73d709a36774e502973e893e3c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40f80d82df87d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC65C821-F3D2-11EC-8B7D-62D05D50A506} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "362849652"	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

pid process

1644 21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

736 iexplore.exe
580 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

736 iexplore.exe
736 iexplore.exe
1108 IEXPLORE.EXE
1108 IEXPLORE.EXE

pid	process
1644	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

pid	process
736	iexplore.exe
580	DllHost.exe

pid	process
736	iexplore.exe
736	iexplore.exe
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exeiexplore.exe

description	pid	process	target process
PID 1644 wrote to memory of 736	1644	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe	iexplore.exe
PID 1644 wrote to memory of 736	1644	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe	iexplore.exe
PID 1644 wrote to memory of 736	1644	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe	iexplore.exe
PID 1644 wrote to memory of 736	1644	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe	iexplore.exe
PID 1644 wrote to memory of 924	1644	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe	cmd.exe
PID 1644 wrote to memory of 924	1644	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe	cmd.exe
PID 1644 wrote to memory of 924	1644	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe	cmd.exe
PID 1644 wrote to memory of 924	1644	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe	cmd.exe
PID 736 wrote to memory of 1108	736	iexplore.exe	IEXPLORE.EXE
PID 736 wrote to memory of 1108	736	iexplore.exe	IEXPLORE.EXE
PID 736 wrote to memory of 1108	736	iexplore.exe	IEXPLORE.EXE
PID 736 wrote to memory of 1108	736	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe
"C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe"
  2⤵
  PID:924

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0G848L4O.txt

Filesize
602B

MD5
bac393f24deebe30cfa2bf8c732a70e0

SHA1
71a63935a3b8bb33dc3dc9e6df6ce605922c99c1

SHA256
485189d8eb960e26714c7928d14b972b9bba17ca081fe305ccff9605d88ba3b6

SHA512
fad3744863223ba738372091fe0e661f1abc90d2ba1880afb3987b416ae137e7828d73ccf2e27b6a3bf91863ee2e15038908f1c392a1422209f79a81f3e8c92b

Download Submit
C:\Users\Admin\DesktopOSIRIS.bmp

Filesize
3.4MB

MD5
82be359a4ad0035f744264627eed9879

SHA1
336a8f90c1d402caf3e639ed9cfdab13b22fb58c

SHA256
37dbd7f0689aad5d22a3f5ffab1427269e4c26c4c544771052f6702d79eff19e

SHA512
3afa084698554c13aa51feb3131b3033f4e93db9e98036211e46907b605c9a2e8439cfed2d4d6d5a36b4998ba13118e982fd3f1588269989a2df2548f5c16a99

Download Submit
C:\Users\Admin\DesktopOSIRIS.htm

Filesize
8KB

MD5
8b6601b37849bd55e87528c19ee8fde3

SHA1
242bfb05fd90d9ee7786a2f7e1a1c1e40f88a24c

SHA256
223af78ac38fed6a1595656bfe0c73f953ba5dd47d7022ba6bff2793019bd52d

SHA512
e73354fdd4442233d18dd617f4c0c480778e0eba495652dbe144b03995aca9dad0d7df796eb0b1cc8b8f1cbd71a0e82ce30040d7497301247f0e78bc95d37695

Download Submit
memory/924-60-0x0000000000000000-mapping.dmp

Download
memory/1644-54-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/1644-55-0x0000000003210000-0x0000000003E5A000-memory.dmp

Filesize
12.3MB

Download
memory/1644-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1644-58-0x0000000003210000-0x0000000003E5A000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads