Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
06-03-2024 03:10
General
-
Target
b65b194c6cc134d56ba3acdcc7bd3051.exe
-
Size
328KB
-
MD5
b65b194c6cc134d56ba3acdcc7bd3051
-
SHA1
98c7e593d956776addd16d0d3f4647d5d69e8fcc
-
SHA256
acd6287f7fa2e10f6cd00f8fc8e9d8aa6553b2e95186c3190958f5ef40259f66
-
SHA512
a076f13f9b9c07bbf34ea9105d63ae24c2996f1b4cb77f58c3b080e333cb4f19bcbf75d1f3bafe34ee85defed00be41fd22c7af859ca3473d96e3764da202339
-
SSDEEP
6144:WLTEviCT+6HQEs6fwpOqb+kO506PqR0zhIx8mN8e9X5Zlev:diCT+gzGn+tqieNfJS
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b65b194c6cc134d56ba3acdcc7bd3051.exe"C:\Users\Admin\AppData\Local\Temp\b65b194c6cc134d56ba3acdcc7bd3051.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vt2.exe"C:\Users\Admin\AppData\Local\Temp\vt2.exe"2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\vt2.exe"3⤵
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5848c24ac4ea3cc99fe50c1c7160e1328
SHA113a96ffdb411140d65d7ef988ea0d73c55ffef63
SHA2568fe3f639798d0a8152d5c57fdeb8aa9bd5a15232fe7a1ef00ab6e44576713c37
SHA5123d545ede61b763d7ab1f78ea6d139e4d85cacb8b9652aa3c25d05024e79475529c63c8623c9ecd699a3760671c9156da0b61af88fea4025eb55c8faaedf59f83
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
Filesize
344B
MD52babc38230b3a80079ed6921caedddf2
SHA102f0544e0e0bc84de783904c751bee5d0fe5d520
SHA256d7cde116e00b64af8a15994a10351c1c0e19c5f4cf39200e16a3cf49651a5289
SHA5129cb03c1791bc4f90d1abd4d035388fc8a5bedaaf2d621182c6fd501ddc57defbf22092413b4cbbbfb002ee8e4e881a07bc699495becb0cb341670a88ae00eb4e
-
Filesize
344B
MD573314929840c365b789319ebdd59cd2b
SHA1333a886ad8db8d520f928317976c8921e37a9b1d
SHA2562df86acc2bd24cb59e710222cb6e8bdc3f571ff223b6a164fd16a957cc5d15a4
SHA512fdd46f6cedc93a20106e0bdc7c02d627c8c528eee430a534f075408fe6419fb39c76b0160ff69d86fa234c89225b67d363f19b3192a3da5ddb248f0701aa6088
-
Filesize
344B
MD5a49cfb0320024f828e6199d6ccc0d140
SHA18261e153e638cf7510fa3cbef3a27d37acbf1f4e
SHA256371fdbc576d78e197438678364e5f2e73d34a1cf49ca3db76eb687b49abb3e29
SHA512a5440ba9e30c7a5232c11b8a74fb6e4e0ba5a11d63db4173e32d97a36b63e3224a63bd991a798632f2319f4b35818356c9423156da5c556d6cfa1a508c65423c
-
Filesize
344B
MD5aef77ca0cc8d63d58dcc9a54b548e778
SHA11615ee150e8e2d1b32501c25b21733593e3f0afe
SHA256e00f3c4e8b312a7bb3b9183bbe80c2e3ed36b0e4bceaf30db12ac9fa82951d2b
SHA512b607728f630e3def8d7b17eaaf36bcc0f42648d47f5a58753e578aab7ef3d1d84946868f90f1cb7b2a3a5f886fc305a95ce576fb3eecc443266908722695343d
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
3.4MB
MD5ed9a803d46b5856e026f0bde354eea56
SHA185e25019cc90d5bbf58eada93d3ae7faf335c11f
SHA25611306d9e647b25b8036f2e7c2d2dca4561747c880d9f5e284a7a7458bd8a4f0d
SHA5125b53f33074c9200bde7c0d25d8fc4721de01bb3a8880313210afb47425d620c135179e59947a74e0817c8206b6457e93ad82d901930ef85e9b889f85bbf80772
-
Filesize
303KB
MD5d5fee0c6f1d0d730de259c64e6373a0c
SHA1894f45f50454001bd21ad2713fefc15eb25b2b8b
SHA2560a2bc257eb1e266e2fd7c608bbb7e1f2ed34660c8ff21f32999fe49c6997329b
SHA512fa39d6cdf1c00ec33ce02df71d16d83d58095d09d6a2a1c9d31ceb0bcd1d0c01abbe39daa49de37fab525a59678db241d2d2ebb36359c203a2e25c808c6b5f79
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
352KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
320KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
640KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
640KB
