Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
17-02-2024 09:19
General
-
Target
openme.exe
-
Size
372KB
-
MD5
e3b3e285390c0e2f7d04bd040bec790d
-
SHA1
dbee71535e9f1fb23b3f01e25989d22d51237e68
-
SHA256
21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6
-
SHA512
6156a6b0ff4f41c823cba68a4596676e357ceb5b8c0848c2828a72321dbc2a731d9ae8f1a417fe27aef7de0080001ad3f77b3809b64a93c610ae99f95b35f5be
-
SSDEEP
6144:C9dswuuW1sVyO6x5x6bQ5PJIgNdsalkFrgikCxEwdrDY2AotYSNlx4:CtuuiswO696bQXIqSa2FjJG0Y2AotYW4
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
-
Deletes itself 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\openme.exe"C:\Users\Admin\AppData\Local\Temp\openme.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\openme.exe"2⤵
- Deletes itself
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\OSIRIS-7e69.htmFilesize
8KB
MD5921419dc4106338654207f16e27f193c
SHA12d76df99d67ce5ea84c42ce7ef1142a650ca60f7
SHA25622a324ca9bf7ac94d75823eefd7a98d085e4cb36fbd5fa17a94da42ee4b84102
SHA512f517e88646075f382d654b1e3d1af3b37e0e467434aca5f66e5fe47c07160eb8bd9aabab335d88ef990b43bec4b069dad7140feeb4f173642549b38670a84fa1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ce3778526bc9f0badfbb590470067c8a
SHA104f6996532d69c225ab7c002cc28d38957d69992
SHA256df02ffa054e92043b5775cf07a1ba8fedbdb3ba1587efcfd6b5d7ac6fc87e7cd
SHA51209e3a7912bfebf195c4a0b6422d99f632cbca5d769ebb0a445b6f41d59096148dd4e95a9a68459171708ad870f51851e968db9decb702c2ef28e68cccaa4e5db
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5c92541301c32211c33e105b5e2b8450b
SHA16b6c7f29831991acf94228f1280cab4697aace1d
SHA256b9ace72dc15032403d50b5c3961d189a7fe8603e9f81e33359ef862dcb2c8f6c
SHA5127e6789a38fbc6e40a6b51d40e8ae738ac045d22340658ee27dc7c599b7f7a5c559a772cbcb760e1045bd7077831f62247775b8158a9a126a20ad3ebba13244bb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD589d24467b8ac83ab4b887557eae52af7
SHA10298fa90441c13ff579592c897b21293dc4d7576
SHA256661e46a2befa02aa42065efd88b2439cf1cbe5e291980ae5520be8b2327ed518
SHA512b54a84ceb8636363b2c11a0d479a39cbc978eeffacbe5a2acc3a0dca172a89d0630235f1e93bd212e9c534eca583ce59517f3690156ac5a54176942d1183dcbb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD54ff692b4dd93e8a5d1cf5f6e7d6108b2
SHA1f202fdc9ff3fef7faf6b7bd0c8c602aa138d996a
SHA2569501d5397331252e41f7e2f5cf369f4af7ba6715372943cd66aedb4c484ae8c6
SHA5121b8912084269c2760395780c203cdb5853ca02dfe0a39a251d5bab12975b4b51d7553c528976963135b510fd17e22fda8ba334d25f013d99381d7c5a24bd86cd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5cb6ae3e384f1ef74c0bc99fee2f209ef
SHA164a3758067032bfba79cba9da447e01b3bdf334a
SHA256385bcde1efcd005d52704f11a9f45a597de67925375594c0883072cf9878093c
SHA512fd1dc9dc94665f43f611ddd7c597cc7aa7145fb987700a0ffbef7fe316453ea5dc2860fb444cb618d771eb9433b5af50a68f50f305d7571f5cf31d8068cdf0de
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5f9c4cc3fc37358d9a137b722014f2a4e
SHA16776255124e9805a9edb662ca753f96fee90181a
SHA256c4a1f8fd021ef85dab91279a98112719bb816e8b34706337ee1d574d974a05bd
SHA512c8e878039f27a347228f84069f50af9691f9cd7c35ffc0ab63455b4c5f03951d89114e7a5cd73fae85bd87eefad16189bea1797f2dae8075e97f6a1158a5b847
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD549110607b6eda9c4675b85ded6afa738
SHA164ea6ea20ddc3613cc7e4ec7cad92f7034e6ab77
SHA256d99b00963fe011bc0de56934392edfa381f08c77347f7c68281c750974d4ed29
SHA51228f193ab3d0600a97ed141a59d7089ebe268c1be2afc1e48e60ff6cd3e0322c93cc6b1da08d0e223bc04dc19f50f70ed0a797a725c2ec1ad4478045653138197
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5341aac4c7492920d3d0f00a61205e927
SHA1ae7852cc653327d1bd540efa1a4caab0f68571b5
SHA2566ed40e3f8568a3e9bc923109a1932f6078265dfde28ce1ac6ec3cf5c7ae65528
SHA512cb3d850ff1659665eed7fdd07fe2fb9236eaa975b5ac7dda326489bbd58749ec4a72ecc679520db77fbcd935f8a62ce8f3e733bc8c0aa9c1e14003b6baaa007d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5ac2f14faef2344563e6715cc61b9e45c
SHA1c0a0914c59caabf3b62b9ffc8d65ba54a84747ae
SHA256186b8d59bb51233674965f41c748d252a8b67f17c0dcd2d5a8438c947af8729e
SHA512703eca34e13e33720e92e7c86aef919ed939e957a9a65d19713857bd2453c87194e453173512e846c35eb722135cbd58b61ca6e2f6dd6bf4531598ce887174da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5d7a21471fc2d4ffb7b636578cb9f95d3
SHA15d26b8df30d226c4afaf071c6ba24272bc1428fc
SHA2566db3f6ecbd2ac1e4a0a59062546efe1ef8fcb31fcaaf113601b304ff22c17774
SHA512efb79775f0d95cac4a0c0f651f9e4cfe6c3b257254827319aed40b75c53672ea0194b52e24899d4f9afc576ac8d5d654993b34af9bb6587eb6ca111bc54a64e1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD546c03abb8c96b530b96284bc628201aa
SHA1861e3605f201c079f8ebe64808bfed1bbbc6290c
SHA256d966479fe006f16656136fd396ee36c5ca32bf8cf5962445c8e78becbfd4ae0d
SHA512c45217fa257d60826baeaeaccadae163f8d37c727be9c5b76361c53e504819c2243a708dd565950b13fc3efddc406d36647326434c1f354b04ee5ba1f8fb4a34
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5badbe9e2a727030c82652ec00990265c
SHA1d3f1659085284ecc754c95eeb6a0dd69e3f9fc17
SHA25657c437e6cc0bf2b03ef470ff9761d5b81adba7013f008104b885eb63a1d706c6
SHA512261b774869ecad8d20fac510973155091979e376642e479f4ea58517b9fd9098a139aa5343e15490b7652a23de0a8e9c192be8218ee61af798f4d700d79d5e44
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56ba9ac14be17dd7f43b1176f1c103c92
SHA15431aabaa197d8d5b72cb1a1825e9473337f8426
SHA25616c6c71e5ebd3affc0d7eae48f1bb7c99c29736f95bea4b6321e86ea9e19f0e5
SHA512382e4a669d9a90f4d2612603729b496311270c747ad4c6e86ba7d0c39a680433dcd09fbcc2d142bf0e70dc4d280e35cce9b91330d6364208fade34a65bae8427
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD55e16866aeae6e22ace8a193bcdbaa5a9
SHA12dfe3135fb820450744bde10f9dac51727d365c2
SHA25696d5c5ab61d698ddde2bc444ad2c3e6243cf8daed7fa1ce296b904681e74e0f0
SHA512016e3b5b7b4569f1078aed7775d8992890ba003b137d89dac560fcd4fd16fe1775dabe28f83d9716ebf91ed8f23bac870c77bf571dd82fa322648ad5f89385d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5020fe0eaa867f9a2b8a651bd6de462a7
SHA1eb7c8c541c44ba4d94aa6e58f4c79bfbbbea25d4
SHA256214f6a4be5ae90370aafbf44f3e0bcfc2c155f2cef1c6c7787741f910a757bea
SHA512959a3f2e617f0119686124f475842db28a6e1f0e24c6a8f5a5b878a19a91576c3c67d4c96c20380d94e8b97a82255e12183011cea527559ea2300656d88d1943
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5861013c603d86dffd48a35fa1a397db8
SHA16f9e2922e00a004992a4cb06e1abbc3b86271a60
SHA2567cc278b378080441823fdcfc56fe91e6e7499e5eee4d4f407bf0301c7b57c22a
SHA512482218362d153b2893f2c06e070c9e5886ae4facbd67af94e868d2d1fd479d5942a498b8d5f7b290f29a9187a8e2a16a19235db4799f12c34de57f0f5d8ed166
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e2569db362fe179f7f3af0f35b8b5ab0
SHA18467b8431d15b6fda0fbbecc15ae3426d2dde0c8
SHA256d03548bb9570d9342efc2c3307fd95da566489c9ff03a84961b9a21388298cd5
SHA5127ad16c3cb5a92f5c6516b083cccf2be3aa4f0d4694e6b0e57746d1f147a9e55856fac5e114d1a1df73622e07f67767475a17dcd35ec3d0ad632e1ca88858a214
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD576a24649d7d61d0e33debcc9f5eeeb18
SHA140413a0dc60056e169db6d3af73481fbb1f7a693
SHA2566f42ac0ead17b1f0e0702d8d47fd7952670ac5c2f102563a8cd627302f21d566
SHA51295d5ad0c9b2bfe2b8c0f926fa1a9084b74445eb7a1cdaab6f9ca23a37eb870ccca7c826a10827d5886cf5ae13a6614ce16ae359745c700d854270bdd5712fdce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD552ce37b59d17564aab6b3751775abee0
SHA1d17ee06df90aab4813053606647e4f63c3d51a33
SHA256e4868bb16e2c682868c59c6201cda2d880f33b04f18179c80b5720edafff435b
SHA51284ae31c61d260339e4d0dcd306df3d6114859e48e07ee9075e32d744443d55d06201ef013c034bf431972d1bd3a4064766f36f4e30b1317a51d0b63cfbc7a60d
-
C:\Users\Admin\AppData\Local\Temp\CabDCBB.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\TarDD3B.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\DesktopOSIRIS.bmpFilesize
3.4MB
MD5dd39684aeeb69669164e8f51d9a5199d
SHA1a9fd0d1df6b2f14ca8bb32729214b12ba17fd96e
SHA256bba038caee5eca9a1808318f0b5fee7aa53290a88a7292065961f218b843ea4b
SHA5126c42c2e8de62295208fe5c6890d01136031114fcbfbd53797726820f0f4bd45ab32e04733b86e67514fe829bdb15f93bf4b959af3b4a74fac561bc55d4ad55bc
-
memory/1704-8-0x0000000003B50000-0x0000000003B77000-memory.dmpFilesize
156KB
-
memory/1704-0-0x0000000003180000-0x0000000003215000-memory.dmpFilesize
596KB
-
memory/1704-7-0x0000000002C80000-0x0000000002C81000-memory.dmpFilesize
4KB
-
memory/1704-338-0x0000000003B50000-0x0000000003B77000-memory.dmpFilesize
156KB
-
memory/1704-1-0x0000000002C80000-0x0000000002C81000-memory.dmpFilesize
4KB
-
memory/1704-2-0x0000000002C80000-0x0000000002C81000-memory.dmpFilesize
4KB
-
memory/1704-3-0x0000000003180000-0x0000000003215000-memory.dmpFilesize
596KB
-
memory/1704-334-0x0000000004AB0000-0x0000000004AB2000-memory.dmpFilesize
8KB
-
memory/1704-328-0x0000000003B50000-0x0000000003B77000-memory.dmpFilesize
156KB
-
memory/1704-135-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/1704-4-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/1704-10-0x0000000003B50000-0x0000000003B77000-memory.dmpFilesize
156KB
-
memory/1704-9-0x0000000003B50000-0x0000000003B77000-memory.dmpFilesize
156KB
-
memory/1704-6-0x0000000003B50000-0x0000000003B77000-memory.dmpFilesize
156KB
-
memory/2616-768-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/2616-335-0x0000000000120000-0x0000000000122000-memory.dmpFilesize
8KB
-
memory/2616-336-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
