Analysis

max time kernel: 135s
max time network: 138s
platform: windows7_x64
resource: win7-20220414-en
submitted: 03-07-2022 12:35

Static task: static1

Behavioral task: behavioral1
Sample: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
Resource: win10v2004-20220414-en

General

Target: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
Size: 329KB
MD5: b99c2748e46c0f8ed8da08fd933e0d9f
SHA1: b86e4150446e189259db650270edcc02296b4ca5
SHA256: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f
SHA512: da239c429c2bc7e24f1a4ad1420d501a29e7abde4b89e474f290b4678d10a571c84b2cddb6994104ec2dc80d260122f3f8289e9113b2d0b54c483f249207167f
Malware Config
Signatures

- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
- Locky (Osiris variant)
  Variant of the Locky ransomware seen in the wild since early 2017.
- suricata: ET MALWARE Locky CnC Checkin Dec 5 M1
- suricata: ET MALWARE Locky CnC Checkin HTTP Pattern
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files. The IoC recorded here is the open-for-modification of a user image file; the renamed output file does not itself appear in the dropped-file list below.
  process: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
  File opened for modification: \??\c:\Users\Admin\Pictures\TestHide.tiff
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  process: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Control Panel (2 IoCs)
  process: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\WallpaperStyle = "0"
  Set value (str): \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\Desktop\TileWallpaper = "0"
- Modifies Internet Explorer settings
  processes: iexplore.exe, IEXPLORE.EXE
  These writes are made by the Internet Explorer processes the sample launches to display C:\Users\Admin\DesktopOSIRIS.htm (see the process tree below), not by the sample itself. All keys are under \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\
  Set value (str): DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
  Key created: InternetRegistry (iexplore.exe)
  Key created: Main\WindowsSearch (IEXPLORE.EXE)
  Set value (int): TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
  Key created: DomainSuggestion (iexplore.exe)
  Set value (str): Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
  Key created: TabbedBrowsing\NewTabPage (iexplore.exe)
  Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c0000000002000000000010660000000100002000000082cee55b4c95be321ee6fa1fde5e52d9d81b4495b2f75964166aab9eff95f0e6000000000e80000000020000200000002baf6d24adc032f363edc856f051c3fbbcedadbaf8c89677139a06fe212fdaed200000008f55399245020573ea6ef8f6b0a4b8c6d1852e9b6cea3d060baa0a5e787e8944400000002776beccecb57cf02451faa11ed9ada1431f96daae53a942cb68dff779d863614123741b9f31ca6c915ceb74808bc557f7a4207c275192296472d98f393a0668 (iexplore.exe)
  Key created: DomainSuggestion\FileNames\ (iexplore.exe)
  Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  Key created: Recovery\AdminActive (iexplore.exe)
  Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Key created: Recovery\PendingRecovery (iexplore.exe)
  Key created: Main (iexplore.exe)
  Key created: PageSetup (iexplore.exe)
  Key created: Zoom (iexplore.exe)
  Key created: Main\WindowsSearch (iexplore.exe)
  Key created: GPU (iexplore.exe)
  Key created: IntelliForms (iexplore.exe)
  Set value (data): TabbedBrowsing\NewTabPage\LastProcessed = 90ab934bea8ed801 (iexplore.exe)
  Set value (data): TabbedBrowsing\NewTabPage\MFV = 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 (iexplore.exe)
  Key created: LowRegistry (iexplore.exe)
  Key created: LowRegistry\DOMStorage (iexplore.exe)
  Key created: TabbedBrowsing (iexplore.exe)
  Key created: BrowserEmulation\LowMic (iexplore.exe)
  Key created: IETld\LowMic (iexplore.exe)
  Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created: Main (IEXPLORE.EXE)
  Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  Key created: DomainSuggestion\FileNames (iexplore.exe)
  Set value (int): DomainSuggestion\NextUpdateDate = "363623942" (iexplore.exe)
  Key created: Toolbar (iexplore.exe)
  Key created: Toolbar\WebBrowser (iexplore.exe)
  Set value (int): Recovery\AdminActive\{74D50A31-FADD-11EC-BFD8-4E28EF19992D} = "0" (iexplore.exe)
  Set value (str): Main\FullScreen = "no" (iexplore.exe)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1628 iexplore.exe
  PID 888 DllHost.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 2040 f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
  PID 1628 iexplore.exe (2 hits)
  PID 416 IEXPLORE.EXE (2 hits)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Every source/target pair below is a parent/child pair in the process tree that follows; the writes coincide with the sample spawning iexplore.exe and cmd.exe, and with iexplore.exe spawning its IEXPLORE.EXE content process.
  PID 2040 f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe wrote to memory of PID 1628 iexplore.exe (4 hits)
  PID 2040 f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe wrote to memory of PID 1100 cmd.exe (4 hits)
  PID 1628 iexplore.exe wrote to memory of PID 416 IEXPLORE.EXE (4 hits)
Processes

C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe (child of the sample; displays the ransom note)
    command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of iexplore.exe)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe (child of the sample; deletes the original sample executable after it has run)
    command line: cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe"

C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
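The signature hits and the process tree above fit a single behavioural chain: a user file is opened for writing, the wallpaper is swapped through the registry, a browser is launched on a local .htm note, and cmd.exe is spawned to delete the original executable. The following is an added example, not code from the report or from the sandbox: a small rule-based triage that replays events constructed to mirror those IoCs (and a constructed benign set for contrast) and scores them. The rule weights, the threshold, the viewer-process list and the benign events are assumptions chosen for illustration; the paths, PIDs and registry values in the sample set are the ones listed above.

```python
"""Rule-based triage of sandbox behaviour events for ransomware traits.

Added example for this report, not Tria.ge's own detection code. Events are
constructed to mirror the report's IoCs; weights and threshold are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str        # "file", "registry" or "process"
    process: str     # image path of the acting process
    pid: int
    detail: str      # file path, "key = value" string, or child command line
    child: str = ""  # child image name for "process" events


# Sample path and user hive as they appear in the report above.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe")
HKU = r"\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000"

# Constructed from the report's IoCs (not a raw sandbox export).
SAMPLE_EVENTS = [
    Event("file", SAMPLE, 2040, r"\??\c:\Users\Admin\Pictures\TestHide.tiff"),
    Event("registry", SAMPLE, 2040,
          HKU + r'\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"'),
    Event("registry", SAMPLE, 2040, HKU + r'\Control Panel\Desktop\WallpaperStyle = "0"'),
    Event("process", SAMPLE, 2040,
          r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm',
          child="iexplore.exe"),
    Event("process", SAMPLE, 2040, f'cmd.exe /C del /Q /F "{SAMPLE}"', child="cmd.exe"),
]

# Constructed benign control (assumption): a user saves a document, changes the
# wallpaper and opens a web URL. Individual rules fire, the total stays low.
BENIGN_EVENTS = [
    Event("file", r"C:\Windows\notepad.exe", 3012, r"C:\Users\Admin\Documents\notes.txt"),
    Event("registry", r"C:\Windows\explorer.exe", 1404,
          HKU + r'\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\beach.jpg"'),
    Event("process", r"C:\Windows\explorer.exe", 1404,
          r'"C:\Program Files\Internet Explorer\iexplore.exe" https://example.com/',
          child="iexplore.exe"),
]

USER_DATA_DIR = re.compile(r"\\Users\\[^\\]+\\(Pictures|Documents|Desktop|Videos|Music)\\", re.I)
WALLPAPER_VALUE = re.compile(r'\\Control Panel\\Desktop\\Wallpaper\s*=\s*"(.+?)"', re.I)
LOCAL_NOTE = re.compile(r'\\[^\s"]+\.(?:htm|html|txt)\b', re.I)
DEL_CMD = re.compile(r'\bdel\s+(?:/[qf]\s+)*"?(?P<target>[^"]+?\.exe)"?', re.I)
VIEWERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "notepad.exe"}  # assumption

# Assumed weights: no single rule reaches the threshold on its own, because a
# wallpaper change or a document save is ordinary user activity.
WEIGHTS = {"user_file_modified": 2, "wallpaper_changed": 3,
           "ransom_note_opened": 3, "self_delete": 2}
THRESHOLD = 6


def rule_user_file_modified(ev):
    """Write access to a file under a user's data directories."""
    return ev.kind == "file" and USER_DATA_DIR.search(ev.detail) is not None


def rule_wallpaper_changed(ev):
    """Return the new wallpaper path when the Wallpaper value is set, else None."""
    if ev.kind != "registry":
        return None
    m = WALLPAPER_VALUE.search(ev.detail)
    return m.group(1) if m else None


def rule_ransom_note_opened(ev):
    """A viewer process launched on a local document rather than a URL."""
    return (ev.kind == "process" and ev.child.lower() in VIEWERS
            and LOCAL_NOTE.search(ev.detail) is not None)


def rule_self_delete(ev):
    """cmd.exe told to delete the image of the very process that spawned it."""
    if ev.kind != "process" or ev.child.lower() != "cmd.exe":
        return False
    m = DEL_CMD.search(ev.detail)
    return bool(m) and m.group("target").lower() == ev.process.lower()


def analyse(events):
    """Score a list of events; returns score, verdict and the rule hits."""
    findings = []
    for ev in events:
        if rule_user_file_modified(ev):
            findings.append(("user_file_modified", ev.detail))
        wallpaper = rule_wallpaper_changed(ev)
        if wallpaper:
            findings.append(("wallpaper_changed", wallpaper))
        if rule_ransom_note_opened(ev):
            findings.append(("ransom_note_opened", ev.detail))
        if rule_self_delete(ev):
            findings.append(("self_delete", ev.detail))
    # Each rule counts once however many events trip it.
    score = sum(WEIGHTS[name] for name in {name for name, _ in findings})
    verdict = "likely ransomware" if score >= THRESHOLD else "inconclusive"
    return {"score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for label, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        result = analyse(events)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for name, evidence in result["findings"]:
            print(f"  {name}: {evidence}")
```

The self-delete rule is the discriminating one: it only fires when the file named in the `del` command is the image path of the process that spawned cmd.exe, which is exactly the parent/child relationship the WriteProcessMemory hits and the process tree record for PID 2040 and PID 1100.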
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9TM1M5EN.txt
  Filesize: 608B
  MD5: 2c12d2ea579582ad0daef14d72510600
  SHA1: 3664eced31826776d7a6e9d17567befb1a4499cf
  SHA256: df75214311ee23f983e82a1ec52878d25c9939be794e0c6a8b88c23cd95f1999
  SHA512: 4f8bcf0fc8db89d31b59954d41db57d00acb0552b3bf358dffdfda73931e84bb237f37792e427e5642a6665b2c2cc4236f63747729607323dd33e826bf863c08

C:\Users\Admin\DesktopOSIRIS.bmp
  Filesize: 3.7MB
  MD5: 44e3af2a46282c92f829dd83b0d87a5d
  SHA1: edd0a9f1b53a6df16a9585a058a8e306f1fe7ece
  SHA256: 171fea0f94fdb721b90163c0389b2e82c2227bf8e07e5025f1709e54baac33fb
  SHA512: 86c0016464814839bad1cd834c2f12beaedb4990f9e4347836ace97838b2abcba5d14fc9287766526fed9748d1603866ff4567f55760fae5001c964efd80263a

C:\Users\Admin\DesktopOSIRIS.htm
  Filesize: 8KB
  MD5: 6da3683beec8712fe17caec6133f7e74
  SHA1: 8c2037563e58af038318fd965b6e639910d97dac
  SHA256: 05c4cd37c528e452407c9c06701b0bb4ca42751a0418399f051e9c006acbb448
  SHA512: 3dfa31b7939f85d2e409b4911487f7fd04ce2ca6ef492c5e5512caddcd66c1d8b807111e9c7514e391b9c6b2fe9d87c5d7a5d2c8fc1ffd98ba110721fd27299e

memory/1100-62-0x0000000000000000-mapping.dmp

memory/2040-54-0x0000000076261000-0x0000000076263000-memory.dmp
  Filesize: 8KB

memory/2040-55-0x0000000002460000-0x0000000002487000-memory.dmp
  Filesize: 156KB

memory/2040-56-0x0000000000400000-0x0000000000456000-memory.dmp
  Filesize: 344KB

memory/2040-58-0x0000000002C50000-0x000000000389A000-memory.dmp
  Filesize: 12.3MB

memory/2040-59-0x0000000002460000-0x0000000002487000-memory.dmp
  Filesize: 156KB

memory/2040-60-0x0000000002C50000-0x000000000389A000-memory.dmp
  Filesize: 12.3MB

memory/2040-64-0x0000000002460000-0x0000000002487000-memory.dmp
  Filesize: 156KB