Resubmissions

18-09-2022 19:48

220918-yh3tkaffal 10

18-09-2022 18:14

220918-wveamafebk 10

Analysis

  • max time kernel: 210s
  • max time network: 214s
  • platform: windows7_x64
  • resource: win7-20220901-en
  • resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted: 18-09-2022 19:48

General

  • Target: V7bTrYJ4lbO6OS.dll
  • Size: 159KB
  • MD5: 7932ee5fa6f83b149569752c47e04b87
  • SHA1: 6eb115feadc5808507fb5a666dd18aa89a45616c
  • SHA256: f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b
  • SHA512: 17ba26e69f7536f5adaa52454fbd407338be61d97bc396baa591de9fa19aab3e539b4ca32059b2ddb1b901ac7ecd341dff9ead706fc0d058086e6b3795642f58
  • SSDEEP: 3072:pusrpo1j49JvKa0ePbh37E6ZO78buZKxrF:ZQcvKpE37E6nmKhF

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

  • Blocklisted process makes network request (6 IoCs)
  • Modifies extensions of user files (2 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel (2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 36 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\V7bTrYJ4lbO6OS.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\V7bTrYJ4lbO6OS.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Modifies extensions of user files
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1744
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1532

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 2
  • Discovery: System Information Discovery (T1082), 1
  • Impact: Defacement (T1491), 1


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WYMHWS64.txt
    Filesize: 603B
    MD5: 91aaf184719c335e96c9858c6337f893
    SHA1: c23226bc7df724c0ab93e23c9bb9a2b43e5aab3e
    SHA256: 767e92aa1a3f23bfd31f3a6e707247a5a515daf353e64fe9ab9a8e05ce7d14eb
    SHA512: 30d83dc32ff05e144f346cb324fa4ff9a9e63d07b35b5e1707f28bd0868488562ecf4038341baeaf5898ef4f70d661ba053274d459b63326f870a5b0fec0c525

  • C:\Users\Admin\DesktopOSIRIS.bmp
    Filesize: 3.4MB
    MD5: b349f56a6b1cea95b2bed2b46edcca67
    SHA1: 98a2cbf78a36fe927eabf59c0d195593b0c43a50
    SHA256: 56e71fdf6270f50dc6405e83c95a60ae8a5f4e455ed2f8d0c693807858c4eb06
    SHA512: 7f6e3497a026d5e5450099799661629166887ae0789b21b4a29647648ae5d7403b068c292ec2bd7840db6132cfe4ac1ff7e71f2c4ce4dc98b18afc792722ea77

  • C:\Users\Admin\DesktopOSIRIS.htm
    Filesize: 8KB
    MD5: 05a74cd36a44402c8d283f4f399fd43b
    SHA1: b12b00b369da3c714f4811f40272386889202328
    SHA256: 711b50372ac3db4784d2f703c5feda7bebb48ed20ab9843ba54544e932b80f4c
    SHA512: ed87555215019f5c666d8ff69d3fd5eb9c237b4f6b0480c1c8fc45b255b1a760f589eda3a57044d4c101888fa2347cb77e8646053c8069e44a8c49648fc9bb00

  • memory/1564-54-0x0000000000000000-mapping.dmp
  • memory/1564-55-0x0000000075681000-0x0000000075683000-memory.dmp (Filesize: 8KB)
  • memory/1564-56-0x0000000074BF0000-0x0000000074C22000-memory.dmp (Filesize: 200KB)
  • memory/1564-58-0x0000000074C30000-0x0000000074C62000-memory.dmp (Filesize: 200KB)
  • memory/1564-59-0x0000000074BF0000-0x0000000074C22000-memory.dmp (Filesize: 200KB)
  • memory/1564-61-0x0000000074C30000-0x0000000074C3F000-memory.dmp (Filesize: 60KB)