Overview

overview

10

Static

static

f6045c3d60...0f.exe

windows7_x64

10

f6045c3d60...0f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    03-07-2022 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe

  • Size

    329KB

  • MD5

    b99c2748e46c0f8ed8da08fd933e0d9f

  • SHA1

    b86e4150446e189259db650270edcc02296b4ca5

  • SHA256

    f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f

  • SHA512

    da239c429c2bc7e24f1a4ad1420d501a29e7abde4b89e474f290b4678d10a571c84b2cddb6994104ec2dc80d260122f3f8289e9113b2d0b54c483f249207167f

Score
10/10
lockylocky_osirisransomwaresuricata

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • suricata: ET MALWARE Locky CnC Checkin Dec 5 M1

    suricata: ET MALWARE Locky CnC Checkin Dec 5 M1

    suricata
  • suricata: ET MALWARE Locky CnC Checkin HTTP Pattern

    suricata: ET MALWARE Locky CnC Checkin HTTP Pattern

    suricata
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
    "C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:416
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe"
      2⤵
        PID:1100
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:888

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9TM1M5EN.txt
      Filesize

      608B

      MD5

      2c12d2ea579582ad0daef14d72510600

      SHA1

      3664eced31826776d7a6e9d17567befb1a4499cf

      SHA256

      df75214311ee23f983e82a1ec52878d25c9939be794e0c6a8b88c23cd95f1999

      SHA512

      4f8bcf0fc8db89d31b59954d41db57d00acb0552b3bf358dffdfda73931e84bb237f37792e427e5642a6665b2c2cc4236f63747729607323dd33e826bf863c08

      Download Submit
    • C:\Users\Admin\DesktopOSIRIS.bmp
      Filesize

      3.7MB

      MD5

      44e3af2a46282c92f829dd83b0d87a5d

      SHA1

      edd0a9f1b53a6df16a9585a058a8e306f1fe7ece

      SHA256

      171fea0f94fdb721b90163c0389b2e82c2227bf8e07e5025f1709e54baac33fb

      SHA512

      86c0016464814839bad1cd834c2f12beaedb4990f9e4347836ace97838b2abcba5d14fc9287766526fed9748d1603866ff4567f55760fae5001c964efd80263a

      Download Submit
    • C:\Users\Admin\DesktopOSIRIS.htm
      Filesize

      8KB

      MD5

      6da3683beec8712fe17caec6133f7e74

      SHA1

      8c2037563e58af038318fd965b6e639910d97dac

      SHA256

      05c4cd37c528e452407c9c06701b0bb4ca42751a0418399f051e9c006acbb448

      SHA512

      3dfa31b7939f85d2e409b4911487f7fd04ce2ca6ef492c5e5512caddcd66c1d8b807111e9c7514e391b9c6b2fe9d87c5d7a5d2c8fc1ffd98ba110721fd27299e

      Download Submit
    • memory/1100-62-0x0000000000000000-mapping.dmp
      Download
    • memory/2040-54-0x0000000076261000-0x0000000076263000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2040-55-0x0000000002460000-0x0000000002487000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2040-56-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

      Download
    • memory/2040-58-0x0000000002C50000-0x000000000389A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/2040-59-0x0000000002460000-0x0000000002487000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2040-60-0x0000000002C50000-0x000000000389A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/2040-64-0x0000000002460000-0x0000000002487000-memory.dmp
      Filesize

      156KB

      Download