Overview

overview

10

Static

static

21a0201874...b6.exe

windows7_x64

10

21a0201874...b6.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-06-2022 13:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

  • Size

    372KB

  • MD5

    e3b3e285390c0e2f7d04bd040bec790d

  • SHA1

    dbee71535e9f1fb23b3f01e25989d22d51237e68

  • SHA256

    21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6

  • SHA512

    6156a6b0ff4f41c823cba68a4596676e357ceb5b8c0848c2828a72321dbc2a731d9ae8f1a417fe27aef7de0080001ad3f77b3809b64a93c610ae99f95b35f5be

Score
10/10
lockylocky_osirisransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe
    "C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1108
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe"
      2⤵
        PID:924
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:580

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0G848L4O.txt
      Filesize

      602B

      MD5

      bac393f24deebe30cfa2bf8c732a70e0

      SHA1

      71a63935a3b8bb33dc3dc9e6df6ce605922c99c1

      SHA256

      485189d8eb960e26714c7928d14b972b9bba17ca081fe305ccff9605d88ba3b6

      SHA512

      fad3744863223ba738372091fe0e661f1abc90d2ba1880afb3987b416ae137e7828d73ccf2e27b6a3bf91863ee2e15038908f1c392a1422209f79a81f3e8c92b

      Download Submit
    • C:\Users\Admin\DesktopOSIRIS.bmp
      Filesize

      3.4MB

      MD5

      82be359a4ad0035f744264627eed9879

      SHA1

      336a8f90c1d402caf3e639ed9cfdab13b22fb58c

      SHA256

      37dbd7f0689aad5d22a3f5ffab1427269e4c26c4c544771052f6702d79eff19e

      SHA512

      3afa084698554c13aa51feb3131b3033f4e93db9e98036211e46907b605c9a2e8439cfed2d4d6d5a36b4998ba13118e982fd3f1588269989a2df2548f5c16a99

      Download Submit
    • C:\Users\Admin\DesktopOSIRIS.htm
      Filesize

      8KB

      MD5

      8b6601b37849bd55e87528c19ee8fde3

      SHA1

      242bfb05fd90d9ee7786a2f7e1a1c1e40f88a24c

      SHA256

      223af78ac38fed6a1595656bfe0c73f953ba5dd47d7022ba6bff2793019bd52d

      SHA512

      e73354fdd4442233d18dd617f4c0c480778e0eba495652dbe144b03995aca9dad0d7df796eb0b1cc8b8f1cbd71a0e82ce30040d7497301247f0e78bc95d37695

      Download Submit
    • memory/924-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1644-54-0x00000000769D1000-0x00000000769D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1644-55-0x0000000003210000-0x0000000003E5A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1644-56-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/1644-58-0x0000000003210000-0x0000000003E5A000-memory.dmp
      Filesize

      12.3MB

      Download