Overview

overview

10

Static

static

21a0201874...b6.exe

windows7-x64

10

21a0201874...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    17-07-2022 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe

  • Size

    372KB

  • MD5

    e3b3e285390c0e2f7d04bd040bec790d

  • SHA1

    dbee71535e9f1fb23b3f01e25989d22d51237e68

  • SHA256

    21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6

  • SHA512

    6156a6b0ff4f41c823cba68a4596676e357ceb5b8c0848c2828a72321dbc2a731d9ae8f1a417fe27aef7de0080001ad3f77b3809b64a93c610ae99f95b35f5be

Score
10/10
lockylocky_osirisransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe
    "C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe"
    1⤵
    • Modifies extensions of user files
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1624 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:824
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6.exe"
      2⤵
        PID:1804
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2000
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x514
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1588
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:1408
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
        1⤵
          PID:1492

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\DesktopOSIRIS.bmp
          Filesize

          3.4MB

          MD5

          c39bee4c1119b0180f71dafc0c64e22e

          SHA1

          e0c55767057f91e760c92a66d2133cf141751e26

          SHA256

          fadad59a135de69bcbe225372a473ca1c014f477a910ea84f23e966dc1707fc5

          SHA512

          572978bab41419628909d2a87ff10ad4a67ccbc8700027d2ac2d31978385c9535e2bbb0102d89c071f9ddb70ba6d38215906d6935b4853b5c0039f7bb2fa62d2

          Download Submit

        • C:\Users\Admin\DesktopOSIRIS.htm
          Filesize

          8KB

          MD5

          b761e70b02f7639e662788f0a7915e0b

          SHA1

          f3e04d866b4c48018974561e91a2157f43eb50af

          SHA256

          04dcf106c3c374a0fb3add8bc9dd9f7b11343a4c04d11488ffe05a9ef5e9a138

          SHA512

          9a0f23d0999b0e067e0f9f3bf8e4e33a386a2f3ba23ad749902273d87debef4197dc17e121a7fa3fa62063e4dec866e92cb7b11e499dc6c09035895eabe81196

          Download Submit

        • memory/1492-65-0x0000000072351000-0x0000000072353000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1808-55-0x0000000075021000-0x0000000075023000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1808-56-0x0000000003040000-0x0000000003C8A000-memory.dmp

          Filesize

          12.3MB

          Download

        • memory/1808-57-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/1808-59-0x0000000003040000-0x0000000003C8A000-memory.dmp

          Filesize

          12.3MB

          Download

        • memory/2000-54-0x000007FEFB961000-0x000007FEFB963000-memory.dmp

          Filesize

          8KB

          Download