Analysis
-
max time kernel
129s
-
max time network
132s
-
platform
windows7_x64
-
resource
win7-20220414-en
-
submitted
04-07-2022 12:31
Static task
static1
Behavioral task
behavioral1
Sample
f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
Resource
win10v2004-20220414-en
General
-
Target
f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
-
Size
329KB
-
MD5
b99c2748e46c0f8ed8da08fd933e0d9f
-
SHA1
b86e4150446e189259db650270edcc02296b4ca5
-
SHA256
f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f
-
SHA512
da239c429c2bc7e24f1a4ad1420d501a29e7abde4b89e474f290b4678d10a571c84b2cddb6994104ec2dc80d260122f3f8289e9113b2d0b54c483f249207167f
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
-
suricata: ET MALWARE Locky CnC Checkin Dec 5 M1
-
suricata: ET MALWARE Locky CnC Checkin HTTP Pattern
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
description | ioc | process
File opened for modification | \??\c:\Users\Admin\Pictures\MergeOut.tiff | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp" | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
Processes: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\WallpaperStyle = "0" | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\Desktop\TileWallpaper = "0" | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b0000000002000000000010660000000100002000000055eff07226191034eb7c1c28cbcf89645419131a76989a47ff16680becda0e80000000000e80000000020000200000001fcf90c998e85d894500a3b4ce79d6c73f6b432377dbdb81a06c2b874abce832200000007605e9c3b402a9ae85146a50a24f50d84942743464904abe4210afd385cce5c240000000750c9cf6d5194b5ca6f29f2e3fb0640c77d1220566a79a1632a469cd690a6f3d5436b5125a3f14c907c76f18f1987c260abe0322bf26b0caef4cfeaca3cc8946 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004863fcdc101a3947b120786fa95ba35b0000000002000000000010660000000100002000000071070bbf7a067363dbdd7a0e3210c4163fb1614523577ebc9c33f8fbf2f91866000000000e80000000020000200000005f7589b0604d9e40cb1b62389dcd001be5dde8faf03a71288b9eb45e2ab292f090000000da16a9300a1cdb4a6a90afde74914d180465e9447f930e126cc7458c778aff6f48cc12d3b7e421d0d6c06b228faaa7842e7c1a26c652b01c1d06724c956b854694a652c72e2c00e5c4fdc05ca27ac742613120156bcffbdce4b5e9d6eccfe6bf6dad12ad0d38043b4e1b72c6177174877ed85b1d6e7a9198a4be191bba387f3f01de245f5dcf3adfd4179bd22db4eb2740000000694f5c0047899d829d89103e5e47b08abb0063f73f58861db17150902fdbb37e8b3a468e2836233c921d8db370b4bc22d1fb4640627d0363565f01ca2ab2816e | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363702918" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{568E9B01-FB95-11EC-AF2C-D2F97027F5CF} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70dc2a2ca28fd801 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe, DllHost.exe
pid | process
284 | iexplore.exe
1304 | DllHost.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe, iexplore.exe, IEXPLORE.EXE
pid | process
872 | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
284 | iexplore.exe
284 | iexplore.exe
624 | IEXPLORE.EXE
624 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe, iexplore.exe
description | pid | process | target process
PID 872 wrote to memory of 284 | 872 | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe | iexplore.exe
PID 872 wrote to memory of 284 | 872 | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe | iexplore.exe
PID 872 wrote to memory of 284 | 872 | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe | iexplore.exe
PID 872 wrote to memory of 284 | 872 | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe | iexplore.exe
PID 872 wrote to memory of 800 | 872 | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe | cmd.exe
PID 872 wrote to memory of 800 | 872 | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe | cmd.exe
PID 872 wrote to memory of 800 | 872 | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe | cmd.exe
PID 872 wrote to memory of 800 | 872 | f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe | cmd.exe
PID 284 wrote to memory of 624 | 284 | iexplore.exe | IEXPLORE.EXE
PID 284 wrote to memory of 624 | 284 | iexplore.exe | IEXPLORE.EXE
PID 284 wrote to memory of 624 | 284 | iexplore.exe | IEXPLORE.EXE
PID 284 wrote to memory of 624 | 284 | iexplore.exe | IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
"C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe"
- Modifies extensions of user files
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
-
  C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe"
-
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VYOQKRVS.txt
Filesize
606B
MD5
66cdb5b21b142aef3d1ef991746fc61b
SHA1
027d3395bad0aef7475e62e411eb0131cca8dafb
SHA256
0dae320915d52da419582604bce5bc96e80220be306dc2010b8e4471b61c6caf
SHA512
a50c4100f18e4b149a44bcc62fe2948df68db08e118d8b0ccf781218120d058a223c61cdbf10cea143d5ab9a333e10d4984b8fbbe28e4f2c0592d8c2ee0b0796
-
C:\Users\Admin\DesktopOSIRIS.bmp
Filesize
3.7MB
MD5
b759767af9c07aea74d7c8c4ef4a024c
SHA1
159661a64cfdae0835946b640a9962e12d1ab61a
SHA256
e842ff4c948916675bdc94663d4bf85fb143227b3a0bc1635bc17c43f43b9342
SHA512
50189686434dd67b61cc64b01919bc2ad6f3f19249a3de90fcef5304e6d7c37e85778451ca99d2c8639ed4ddbf4d6bdb81e2368cc6edbbc990eda771581654b4
-
C:\Users\Admin\DesktopOSIRIS.htm
Filesize
8KB
MD5
38c9f510712ae3988c85b6f14299e1d5
SHA1
c3f026aaaaf84483e83af80942e65719cb12f581
SHA256
57df947ee955f4e06970ecf737abf605dc55ff3834a88592b29459b7bf136aaa
SHA512
9f17831e9b325825179074207d4bc9f251dac0a67a23dc1a8b85c794a7d53682d14b76fc401a739fbe7a092a542ff5531ad86a2ebeeb25e3ed2c4241ab006468
-
memory/800-61-0x0000000000000000-mapping.dmp
-
memory/872-54-0x00000000768D1000-0x00000000768D3000-memory.dmp
Filesize
8KB
-
memory/872-55-0x00000000024C0000-0x00000000024E7000-memory.dmp
Filesize
156KB
-
memory/872-56-0x0000000000400000-0x0000000000456000-memory.dmp
Filesize
344KB
-
memory/872-58-0x0000000002C60000-0x00000000038AA000-memory.dmp
Filesize
12.3MB
-
memory/872-59-0x00000000024C0000-0x00000000024E7000-memory.dmp
Filesize
156KB
-
memory/872-63-0x00000000024C0000-0x00000000024E7000-memory.dmp
Filesize
156KB