Overview

overview

10

Static

static

21a0201874...b6.exe

windows7_x64

10

21a0201874...b6.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-07-2022 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

  • Size

    372KB

  • MD5

    e3b3e285390c0e2f7d04bd040bec790d

  • SHA1

    dbee71535e9f1fb23b3f01e25989d22d51237e68

  • SHA256

    21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6

  • SHA512

    6156a6b0ff4f41c823cba68a4596676e357ceb5b8c0848c2828a72321dbc2a731d9ae8f1a417fe27aef7de0080001ad3f77b3809b64a93c610ae99f95b35f5be

Score
10/10
lockylocky_osirisransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe
    "C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1524 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1004
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe"
      2⤵
        PID:304
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4c8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1000
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:632

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VJPM0MT3.txt
      Filesize

      608B

      MD5

      acc54942a7f9b8a112d59180b2b9174b

      SHA1

      45d6bc7b4a9152f227cfa9cefbed811684e6fc48

      SHA256

      41cce3245996e0dfd8a3d3b293afc87b9f060f31fde27342304577861de7c34b

      SHA512

      474281fde9ed3d8bdcfdf73399234c2ef2a82b527f28411ae57c3c545b9a44e824e6c92bc29e2fd7197b0dc262885fb31a114400539205ff0c423ec483bff7fe

      Download Submit
    • C:\Users\Admin\DesktopOSIRIS.bmp
      Filesize

      3.4MB

      MD5

      5031f31c470595a1390358728e30e527

      SHA1

      a122ce032945231abbf2859523fd8cda8d9f4057

      SHA256

      965ffcd671a2cfb304678c77fa06392194c15c9cfb1864b0050ed7f2b7adb5e2

      SHA512

      e5a8e46dfb392371ad3e336b11fc106cfc8f7f3c56b58410638229856f3761b9e272130c56db4958338faaa3ce8fcbfb19e57394a98d47463168ca4d00db9f48

      Download Submit
    • C:\Users\Admin\DesktopOSIRIS.htm
      Filesize

      8KB

      MD5

      0ea14921853b18d6eba56be1bc1ee2d0

      SHA1

      0d351d4f7009d17c584d14ffefdcaa58601f7cd5

      SHA256

      0519a8dd784ccd2b3d97caa480d4ac53edf71f573002e9fca031d72218b88622

      SHA512

      2871e0b4661b6b4dfd3c0074dc35134cba7d08b2e1bbf33b15c7d183d650e67786fe43f757d1af11fa4f7eb64f8d440892b1f3d60ced46d6cf703fdad9d0c78d

      Download Submit
    • memory/304-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1032-54-0x00000000758D1000-0x00000000758D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1032-55-0x0000000003040000-0x0000000003C8A000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/1032-56-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/1032-58-0x0000000003040000-0x0000000003C8A000-memory.dmp
      Filesize

      12.3MB

      Download