Analysis
-
max time kernel
162s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
06-03-2024 03:10
General
-
Target
b65b194c6cc134d56ba3acdcc7bd3051.exe
-
Size
328KB
-
MD5
b65b194c6cc134d56ba3acdcc7bd3051
-
SHA1
98c7e593d956776addd16d0d3f4647d5d69e8fcc
-
SHA256
acd6287f7fa2e10f6cd00f8fc8e9d8aa6553b2e95186c3190958f5ef40259f66
-
SHA512
a076f13f9b9c07bbf34ea9105d63ae24c2996f1b4cb77f58c3b080e333cb4f19bcbf75d1f3bafe34ee85defed00be41fd22c7af859ca3473d96e3764da202339
-
SSDEEP
6144:WLTEviCT+6HQEs6fwpOqb+kO506PqR0zhIx8mN8e9X5Zlev:diCT+gzGn+tqieNfJS
Malware Config
Signatures
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b65b194c6cc134d56ba3acdcc7bd3051.exe"C:\Users\Admin\AppData\Local\Temp\b65b194c6cc134d56ba3acdcc7bd3051.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vt2.exe"C:\Users\Admin\AppData\Local\Temp\vt2.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\vt2.exeFilesize
190KB
MD5e3edf16fa03360cc235e4cb125469697
SHA13c13bfc2ac7884cdabb9f427a4b9dc11a6390d9d
SHA2566409be4244693a4392eea0f819cc55e2a5a01cfda65b0d55744ed871e4d33508
SHA51213ceb2e06f85fbbbe1a4310640151a2d43aa993fe0d61e1b47ddf2c45a7a89134f9eee2d9f88dc5bd1e53a021b208b5aa3b357ace41f81132913bf214d708d77
-
C:\Users\Admin\AppData\Local\Temp\vt2.exeFilesize
303KB
MD5d5fee0c6f1d0d730de259c64e6373a0c
SHA1894f45f50454001bd21ad2713fefc15eb25b2b8b
SHA2560a2bc257eb1e266e2fd7c608bbb7e1f2ed34660c8ff21f32999fe49c6997329b
SHA512fa39d6cdf1c00ec33ce02df71d16d83d58095d09d6a2a1c9d31ceb0bcd1d0c01abbe39daa49de37fab525a59678db241d2d2ebb36359c203a2e25c808c6b5f79
-
C:\Users\Admin\Downloads\OSIRIS-4473.htmFilesize
7KB
MD5b92a261278116cff392e715b8c8adcec
SHA18c8de0ff2246da81ae2f3ef665b6143c4eacd8b4
SHA256192d58cb288ec8a8b137074834c030adeedb85119e68327ca21711481681e91b
SHA512366feccb333fbde99a80c9b52f24fcdaf65665da6755d5e60f627374fff96a1766c34fa221f1bc60072f9d561a03c95fa6b2ccd8841a773312ed73f77e740735
-
memory/1576-20-0x00000000024F0000-0x0000000002517000-memory.dmpFilesize
156KB
-
memory/1576-17-0x0000000002250000-0x0000000002251000-memory.dmpFilesize
4KB
-
memory/1576-11-0x0000000002A50000-0x0000000002AF0000-memory.dmpFilesize
640KB
-
memory/1576-12-0x0000000002250000-0x0000000002251000-memory.dmpFilesize
4KB
-
memory/1576-13-0x0000000002A50000-0x0000000002AF0000-memory.dmpFilesize
640KB
-
memory/1576-14-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1576-16-0x00000000024F0000-0x0000000002517000-memory.dmpFilesize
156KB
-
memory/1576-30-0x00000000024F0000-0x0000000002517000-memory.dmpFilesize
156KB
-
memory/1576-18-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1576-29-0x00000000024F0000-0x0000000002517000-memory.dmpFilesize
156KB
-
memory/1576-28-0x00000000024F0000-0x0000000002517000-memory.dmpFilesize
156KB
-
memory/1968-0-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1968-9-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1968-6-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB