locky | 21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6

Analysis

max time kernel
189s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
13-07-2022 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe
Size

372KB
MD5

e3b3e285390c0e2f7d04bd040bec790d
SHA1

dbee71535e9f1fb23b3f01e25989d22d51237e68
SHA256

21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6
SHA512

6156a6b0ff4f41c823cba68a4596676e357ceb5b8c0848c2828a72321dbc2a731d9ae8f1a417fe27aef7de0080001ad3f77b3809b64a93c610ae99f95b35f5be

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Pictures\ResolveGrant.tiff	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4116	21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe
"C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: GetForegroundWindowSpam
PID:4116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4116-130-0x0000000002FF0000-0x0000000003017000-memory.dmp

Filesize
156KB

Download
memory/4116-131-0x0000000002FF0000-0x0000000003017000-memory.dmp

Filesize
156KB

Download
memory/4116-132-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4116-134-0x0000000003AB0000-0x0000000003AD7000-memory.dmp

Filesize
156KB

Download
memory/4116-135-0x0000000003AB0000-0x0000000003AD7000-memory.dmp

Filesize
156KB

Download