Overview

overview

10

Static

static

f6045c3d60...0f.exe

windows7_x64

10

f6045c3d60...0f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    04-07-2022 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe

  • Size

    329KB

  • MD5

    b99c2748e46c0f8ed8da08fd933e0d9f

  • SHA1

    b86e4150446e189259db650270edcc02296b4ca5

  • SHA256

    f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f

  • SHA512

    da239c429c2bc7e24f1a4ad1420d501a29e7abde4b89e474f290b4678d10a571c84b2cddb6994104ec2dc80d260122f3f8289e9113b2d0b54c483f249207167f

Score
10/10
lockylocky_osirisransomwaresuricata

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • suricata: ET MALWARE Locky CnC Checkin Dec 5 M1

    suricata: ET MALWARE Locky CnC Checkin Dec 5 M1

    suricata
  • suricata: ET MALWARE Locky CnC Checkin HTTP Pattern

    suricata: ET MALWARE Locky CnC Checkin HTTP Pattern

    suricata
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
    "C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:284
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:284 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:624
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe"
      2⤵
        PID:800
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1304

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VYOQKRVS.txt
      Filesize

      606B

      MD5

      66cdb5b21b142aef3d1ef991746fc61b

      SHA1

      027d3395bad0aef7475e62e411eb0131cca8dafb

      SHA256

      0dae320915d52da419582604bce5bc96e80220be306dc2010b8e4471b61c6caf

      SHA512

      a50c4100f18e4b149a44bcc62fe2948df68db08e118d8b0ccf781218120d058a223c61cdbf10cea143d5ab9a333e10d4984b8fbbe28e4f2c0592d8c2ee0b0796

      Download Submit
    • C:\Users\Admin\DesktopOSIRIS.bmp
      Filesize

      3.7MB

      MD5

      b759767af9c07aea74d7c8c4ef4a024c

      SHA1

      159661a64cfdae0835946b640a9962e12d1ab61a

      SHA256

      e842ff4c948916675bdc94663d4bf85fb143227b3a0bc1635bc17c43f43b9342

      SHA512

      50189686434dd67b61cc64b01919bc2ad6f3f19249a3de90fcef5304e6d7c37e85778451ca99d2c8639ed4ddbf4d6bdb81e2368cc6edbbc990eda771581654b4

      Download Submit
    • C:\Users\Admin\DesktopOSIRIS.htm
      Filesize

      8KB

      MD5

      38c9f510712ae3988c85b6f14299e1d5

      SHA1

      c3f026aaaaf84483e83af80942e65719cb12f581

      SHA256

      57df947ee955f4e06970ecf737abf605dc55ff3834a88592b29459b7bf136aaa

      SHA512

      9f17831e9b325825179074207d4bc9f251dac0a67a23dc1a8b85c794a7d53682d14b76fc401a739fbe7a092a542ff5531ad86a2ebeeb25e3ed2c4241ab006468

      Download Submit
    • memory/800-61-0x0000000000000000-mapping.dmp
      Download
    • memory/872-54-0x00000000768D1000-0x00000000768D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/872-55-0x00000000024C0000-0x00000000024E7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/872-56-0x0000000000400000-0x0000000000456000-memory.dmp
      Filesize

      344KB

      Download
    • memory/872-58-0x0000000002C60000-0x00000000038AA000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/872-59-0x00000000024C0000-0x00000000024E7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/872-63-0x00000000024C0000-0x00000000024E7000-memory.dmp
      Filesize

      156KB

      Download