Overview

overview

10

Static

static

f6045c3d60...0f.exe

windows7_x64

10

f6045c3d60...0f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    04-07-2022 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe

  • Size

    329KB

  • MD5

    b99c2748e46c0f8ed8da08fd933e0d9f

  • SHA1

    b86e4150446e189259db650270edcc02296b4ca5

  • SHA256

    f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f

  • SHA512

    da239c429c2bc7e24f1a4ad1420d501a29e7abde4b89e474f290b4678d10a571c84b2cddb6994104ec2dc80d260122f3f8289e9113b2d0b54c483f249207167f

Score
10/10
lockylocky_osirisransomwaresuricata

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • suricata: ET MALWARE Locky CnC Checkin Dec 5 M1

    suricata: ET MALWARE Locky CnC Checkin Dec 5 M1

    suricata
  • suricata: ET MALWARE Locky CnC Checkin HTTP Pattern

    suricata: ET MALWARE Locky CnC Checkin HTTP Pattern

    suricata
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe
    "C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1776
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\f6045c3d60fb2e0ddbb264cd61adc37736508471aa5b3881f2510ec36ea6c00f.exe"
      2⤵
        PID:1824
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:868

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X0W95K40.txt
      Filesize

      599B

      MD5

      081f80bc63c70d14336120589f548f43

      SHA1

      dc80578d01a4800a9096f63ce82d7c12f61ce661

      SHA256

      8c57b99002d956cc2fa985d7bef014fc57b70fee9d57da3dbadec53a026d92a8

      SHA512

      49bd56a29aaf5c5fdcb33a1ac5a62886434dd61df0056cafa010a0447032f97c7dc449fd2932645fbbd02eab8f4cc1d3e8fff211e352cb3e4bc80b1b09781ad9

      Download Submit

    • C:\Users\Admin\DesktopOSIRIS.bmp
      Filesize

      3.7MB

      MD5

      2f48f18d0477a8631b5c9f5a9d63d5ad

      SHA1

      d9b7c383eac8ae8b3487a5489a973db4041bfc26

      SHA256

      b7cfaed395c91df6b7115ba92b9f2175e845021df83a8ee9acb806bcbd6ee0d0

      SHA512

      28b67a669971df8e256a94eecfbbc99ef839a265cefe78555d18203059e96c07de3b04160c33c350d4a4fbbaa3c5d54d36db8277271487397f5035a3721cb7b5

      Download Submit

    • C:\Users\Admin\DesktopOSIRIS.htm
      Filesize

      8KB

      MD5

      e5ca32e37ff4840d596d2c10f98da870

      SHA1

      d304252322ae47c313c441c1666f5ab3506b7883

      SHA256

      c5ae6f51fe9b2601939780a556ed4e6ccb5e108a0828b1ef4cc97362e4020f27

      SHA512

      2d3fb0aaca6902b57e591540c0586377e05a7cc366ebae5ab65116760daf68e6ab8a3f0bac673ad341f1c543cf03c4d9b13e50d897794de27f057e68e2016e31

      Download Submit

    • memory/1516-54-0x00000000755A1000-0x00000000755A3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1516-55-0x00000000027B0000-0x00000000027D7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1516-56-0x0000000000400000-0x0000000000456000-memory.dmp

      Filesize

      344KB

      Download

    • memory/1516-58-0x0000000002C90000-0x00000000038DA000-memory.dmp

      Filesize

      12.3MB

      Download

    • memory/1516-62-0x00000000027B0000-0x00000000027D7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/1824-60-0x0000000000000000-mapping.dmp

      Download