locky | acd6287f7fa2e10f6cd00f8fc8e9d8aa6553b2e95186c3190958f5ef40259f66

Analysis

max time kernel
162s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b65b194c6cc134d56ba3acdcc7bd3051.exe
Size

328KB
MD5

b65b194c6cc134d56ba3acdcc7bd3051
SHA1

98c7e593d956776addd16d0d3f4647d5d69e8fcc
SHA256

acd6287f7fa2e10f6cd00f8fc8e9d8aa6553b2e95186c3190958f5ef40259f66
SHA512

a076f13f9b9c07bbf34ea9105d63ae24c2996f1b4cb77f58c3b080e333cb4f19bcbf75d1f3bafe34ee85defed00be41fd22c7af859ca3473d96e3764da202339
SSDEEP

6144:WLTEviCT+6HQEs6fwpOqb+kO506PqR0zhIx8mN8e9X5Zlev:diCT+gzGn+tqieNfJS

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b65b194c6cc134d56ba3acdcc7bd3051.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	b65b194c6cc134d56ba3acdcc7bd3051.exe

Executes dropped EXE 1 IoCs

Processes:

vt2.exe

pid	Process
1576	vt2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

b65b194c6cc134d56ba3acdcc7bd3051.exe

description	pid	Process	procid_target
PID 1968 wrote to memory of 1576	1968	b65b194c6cc134d56ba3acdcc7bd3051.exe	95
PID 1968 wrote to memory of 1576	1968	b65b194c6cc134d56ba3acdcc7bd3051.exe	95
PID 1968 wrote to memory of 1576	1968	b65b194c6cc134d56ba3acdcc7bd3051.exe	95

C:\Users\Admin\AppData\Local\Temp\b65b194c6cc134d56ba3acdcc7bd3051.exe
"C:\Users\Admin\AppData\Local\Temp\b65b194c6cc134d56ba3acdcc7bd3051.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\vt2.exe
  "C:\Users\Admin\AppData\Local\Temp\vt2.exe"
  2⤵
  - Executes dropped EXE
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vt2.exe

Filesize
190KB

MD5
e3edf16fa03360cc235e4cb125469697

SHA1
3c13bfc2ac7884cdabb9f427a4b9dc11a6390d9d

SHA256
6409be4244693a4392eea0f819cc55e2a5a01cfda65b0d55744ed871e4d33508

SHA512
13ceb2e06f85fbbbe1a4310640151a2d43aa993fe0d61e1b47ddf2c45a7a89134f9eee2d9f88dc5bd1e53a021b208b5aa3b357ace41f81132913bf214d708d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\vt2.exe

Filesize
303KB

MD5
d5fee0c6f1d0d730de259c64e6373a0c

SHA1
894f45f50454001bd21ad2713fefc15eb25b2b8b

SHA256
0a2bc257eb1e266e2fd7c608bbb7e1f2ed34660c8ff21f32999fe49c6997329b

SHA512
fa39d6cdf1c00ec33ce02df71d16d83d58095d09d6a2a1c9d31ceb0bcd1d0c01abbe39daa49de37fab525a59678db241d2d2ebb36359c203a2e25c808c6b5f79

Download Submit
C:\Users\Admin\Downloads\OSIRIS-4473.htm

Filesize
7KB

MD5
b92a261278116cff392e715b8c8adcec

SHA1
8c8de0ff2246da81ae2f3ef665b6143c4eacd8b4

SHA256
192d58cb288ec8a8b137074834c030adeedb85119e68327ca21711481681e91b

SHA512
366feccb333fbde99a80c9b52f24fcdaf65665da6755d5e60f627374fff96a1766c34fa221f1bc60072f9d561a03c95fa6b2ccd8841a773312ed73f77e740735

Download Submit
memory/1576-20-0x00000000024F0000-0x0000000002517000-memory.dmp

Filesize
156KB

Download
memory/1576-17-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1576-11-0x0000000002A50000-0x0000000002AF0000-memory.dmp

Filesize
640KB

Download
memory/1576-12-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1576-13-0x0000000002A50000-0x0000000002AF0000-memory.dmp

Filesize
640KB

Download
memory/1576-14-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1576-16-0x00000000024F0000-0x0000000002517000-memory.dmp

Filesize
156KB

Download
memory/1576-30-0x00000000024F0000-0x0000000002517000-memory.dmp

Filesize
156KB

Download
memory/1576-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1576-29-0x00000000024F0000-0x0000000002517000-memory.dmp

Filesize
156KB

Download
memory/1576-28-0x00000000024F0000-0x0000000002517000-memory.dmp

Filesize
156KB

Download
memory/1968-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1968-9-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1968-6-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download