locky | acd6287f7fa2e10f6cd00f8fc8e9d8aa6553b2e95186c3190958f5ef40259f66

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b65b194c6cc134d56ba3acdcc7bd3051.exe
Size

328KB
MD5

b65b194c6cc134d56ba3acdcc7bd3051
SHA1

98c7e593d956776addd16d0d3f4647d5d69e8fcc
SHA256

acd6287f7fa2e10f6cd00f8fc8e9d8aa6553b2e95186c3190958f5ef40259f66
SHA512

a076f13f9b9c07bbf34ea9105d63ae24c2996f1b4cb77f58c3b080e333cb4f19bcbf75d1f3bafe34ee85defed00be41fd22c7af859ca3473d96e3764da202339
SSDEEP

6144:WLTEviCT+6HQEs6fwpOqb+kO506PqR0zhIx8mN8e9X5Zlev:diCT+gzGn+tqieNfJS

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
Executes dropped EXE 1 IoCs

Processes:

vt2.exe

pid process

3064 vt2.exe
Loads dropped DLL 1 IoCs

Processes:

b65b194c6cc134d56ba3acdcc7bd3051.exe

pid process

1308 b65b194c6cc134d56ba3acdcc7bd3051.exe

pid	process
3064	vt2.exe

pid	process
1308	b65b194c6cc134d56ba3acdcc7bd3051.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

vt2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	vt2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

vt2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\WallpaperStyle = "0"	vt2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\Desktop\TileWallpaper = "0"	vt2.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5DA28B01-DB67-11EE-9D31-EA483E0BCDAF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2488 iexplore.exe
1056 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2488 iexplore.exe
2488 iexplore.exe
1640 IEXPLORE.EXE
1640 IEXPLORE.EXE

pid	process
2488	iexplore.exe
1056	DllHost.exe

pid	process
2488	iexplore.exe
2488	iexplore.exe
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b65b194c6cc134d56ba3acdcc7bd3051.exevt2.exeiexplore.exe

description	pid	process	target process
PID 1308 wrote to memory of 3064	1308	b65b194c6cc134d56ba3acdcc7bd3051.exe	vt2.exe
PID 1308 wrote to memory of 3064	1308	b65b194c6cc134d56ba3acdcc7bd3051.exe	vt2.exe
PID 1308 wrote to memory of 3064	1308	b65b194c6cc134d56ba3acdcc7bd3051.exe	vt2.exe
PID 1308 wrote to memory of 3064	1308	b65b194c6cc134d56ba3acdcc7bd3051.exe	vt2.exe
PID 3064 wrote to memory of 2488	3064	vt2.exe	iexplore.exe
PID 3064 wrote to memory of 2488	3064	vt2.exe	iexplore.exe
PID 3064 wrote to memory of 2488	3064	vt2.exe	iexplore.exe
PID 3064 wrote to memory of 2488	3064	vt2.exe	iexplore.exe
PID 2488 wrote to memory of 1640	2488	iexplore.exe	IEXPLORE.EXE
PID 2488 wrote to memory of 1640	2488	iexplore.exe	IEXPLORE.EXE
PID 2488 wrote to memory of 1640	2488	iexplore.exe	IEXPLORE.EXE
PID 2488 wrote to memory of 1640	2488	iexplore.exe	IEXPLORE.EXE
PID 3064 wrote to memory of 1216	3064	vt2.exe	cmd.exe
PID 3064 wrote to memory of 1216	3064	vt2.exe	cmd.exe
PID 3064 wrote to memory of 1216	3064	vt2.exe	cmd.exe
PID 3064 wrote to memory of 1216	3064	vt2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b65b194c6cc134d56ba3acdcc7bd3051.exe
"C:\Users\Admin\AppData\Local\Temp\b65b194c6cc134d56ba3acdcc7bd3051.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\vt2.exe
"C:\Users\Admin\AppData\Local\Temp\vt2.exe"
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:3064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\vt2.exe"
3⤵
PID:1216

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSIRIS-975c.htm
Filesize
7KB

MD5
848c24ac4ea3cc99fe50c1c7160e1328

SHA1
13a96ffdb411140d65d7ef988ea0d73c55ffef63

SHA256
8fe3f639798d0a8152d5c57fdeb8aa9bd5a15232fe7a1ef00ab6e44576713c37

SHA512
3d545ede61b763d7ab1f78ea6d139e4d85cacb8b9652aa3c25d05024e79475529c63c8623c9ecd699a3760671c9156da0b61af88fea4025eb55c8faaedf59f83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2babc38230b3a80079ed6921caedddf2

SHA1
02f0544e0e0bc84de783904c751bee5d0fe5d520

SHA256
d7cde116e00b64af8a15994a10351c1c0e19c5f4cf39200e16a3cf49651a5289

SHA512
9cb03c1791bc4f90d1abd4d035388fc8a5bedaaf2d621182c6fd501ddc57defbf22092413b4cbbbfb002ee8e4e881a07bc699495becb0cb341670a88ae00eb4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
73314929840c365b789319ebdd59cd2b

SHA1
333a886ad8db8d520f928317976c8921e37a9b1d

SHA256
2df86acc2bd24cb59e710222cb6e8bdc3f571ff223b6a164fd16a957cc5d15a4

SHA512
fdd46f6cedc93a20106e0bdc7c02d627c8c528eee430a534f075408fe6419fb39c76b0160ff69d86fa234c89225b67d363f19b3192a3da5ddb248f0701aa6088

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a49cfb0320024f828e6199d6ccc0d140

SHA1
8261e153e638cf7510fa3cbef3a27d37acbf1f4e

SHA256
371fdbc576d78e197438678364e5f2e73d34a1cf49ca3db76eb687b49abb3e29

SHA512
a5440ba9e30c7a5232c11b8a74fb6e4e0ba5a11d63db4173e32d97a36b63e3224a63bd991a798632f2319f4b35818356c9423156da5c556d6cfa1a508c65423c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
aef77ca0cc8d63d58dcc9a54b548e778

SHA1
1615ee150e8e2d1b32501c25b21733593e3f0afe

SHA256
e00f3c4e8b312a7bb3b9183bbe80c2e3ed36b0e4bceaf30db12ac9fa82951d2b

SHA512
b607728f630e3def8d7b17eaaf36bcc0f42648d47f5a58753e578aab7ef3d1d84946868f90f1cb7b2a3a5f886fc305a95ce576fb3eecc443266908722695343d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab608A.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar65FE.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\DesktopOSIRIS.bmp
Filesize
3.4MB

MD5
ed9a803d46b5856e026f0bde354eea56

SHA1
85e25019cc90d5bbf58eada93d3ae7faf335c11f

SHA256
11306d9e647b25b8036f2e7c2d2dca4561747c880d9f5e284a7a7458bd8a4f0d

SHA512
5b53f33074c9200bde7c0d25d8fc4721de01bb3a8880313210afb47425d620c135179e59947a74e0817c8206b6457e93ad82d901930ef85e9b889f85bbf80772

Download Submit
\Users\Admin\AppData\Local\Temp\vt2.exe
Filesize
303KB

MD5
d5fee0c6f1d0d730de259c64e6373a0c

SHA1
894f45f50454001bd21ad2713fefc15eb25b2b8b

SHA256
0a2bc257eb1e266e2fd7c608bbb7e1f2ed34660c8ff21f32999fe49c6997329b

SHA512
fa39d6cdf1c00ec33ce02df71d16d83d58095d09d6a2a1c9d31ceb0bcd1d0c01abbe39daa49de37fab525a59678db241d2d2ebb36359c203a2e25c808c6b5f79

Download Submit
memory/1056-360-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1056-358-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1308-6-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3064-29-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/3064-15-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/3064-30-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/3064-19-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/3064-351-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/3064-17-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3064-357-0x0000000011500000-0x0000000011502000-memory.dmp

Filesize
8KB

Download
memory/3064-16-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3064-362-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/3064-28-0x0000000002220000-0x0000000002247000-memory.dmp

Filesize
156KB

Download
memory/3064-13-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3064-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3064-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3064-10-0x0000000002260000-0x0000000002300000-memory.dmp

Filesize
640KB

Download
memory/3064-9-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3064-8-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3064-7-0x0000000002260000-0x0000000002300000-memory.dmp

Filesize
640KB

Download