locky | f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

s1-d.dll
Size

159KB
MD5

7932ee5fa6f83b149569752c47e04b87
SHA1

6eb115feadc5808507fb5a666dd18aa89a45616c
SHA256

f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b
SHA512

17ba26e69f7536f5adaa52454fbd407338be61d97bc396baa591de9fa19aab3e539b4ca32059b2ddb1b901ac7ecd341dff9ead706fc0d058086e6b3795642f58
SSDEEP

3072:pusrpo1j49JvKa0ePbh37E6ZO78buZKxrF:ZQcvKpE37E6nmKhF

Score

10^/10

locky locky_osiris ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Blocklisted process makes network request 5 IoCs

flow	pid	Process
16	1532	rundll32.exe
18	1532	rundll32.exe
26	1532	rundll32.exe
42	1532	rundll32.exe
46	1532	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\WallpaperStyle = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\TileWallpaper = "0"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1056	msedge.exe
1056	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
3132	identity_helper.exe
3132	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 1532	4844	rundll32.exe	86
PID 4844 wrote to memory of 1532	4844	rundll32.exe	86
PID 4844 wrote to memory of 1532	4844	rundll32.exe	86
PID 1532 wrote to memory of 4648	1532	rundll32.exe	100
PID 1532 wrote to memory of 4648	1532	rundll32.exe	100
PID 4648 wrote to memory of 4516	4648	msedge.exe	101
PID 4648 wrote to memory of 4516	4648	msedge.exe	101
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 4892	4648	msedge.exe	102
PID 4648 wrote to memory of 1056	4648	msedge.exe	103
PID 4648 wrote to memory of 1056	4648	msedge.exe	103
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104
PID 4648 wrote to memory of 2064	4648	msedge.exe	104

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\s1-d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\s1-d.dll,#1
  2⤵
  - Blocklisted process makes network request
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\DesktopOSIRIS.htm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7fff87cb46f8,0x7fff87cb4708,0x7fff87cb4718
      4⤵
      PID:4516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
      4⤵
      PID:4892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
      4⤵
      PID:2064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:2284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:3240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
      4⤵
      PID:4220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
      4⤵
      PID:3448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
      4⤵
      PID:3772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,8105197493472915727,14368684334941134686,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
      4⤵
      PID:3652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32ab18153154885fee5e0730e4ce6e2f

SHA1
32851f3e647f290a9455585f01949b6e3ea6a7ad

SHA256
301a82e21e13e11a929f0b6d85671bfc48624ad5e42f15e1cb9d9821c4d9fa9c

SHA512
68b1bec358acce3b401c96e1837bd87e5351f6fcd9ddcd3a024936390641d40dabd6a63f0c83dcd6360e81bffb58910196346b700890d49e97c91bad7fcab89b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e19d42abb50e28a27ce178724a14a51

SHA1
f96601e5ab506cd01795240d2d15afb45ff2f7fb

SHA256
db9a857c6ebc1249104ff384943bde039b452134df36da8a8b785fb88c77f3d9

SHA512
8cc7d678be7636aedbf55617834969d1bb1acb626919c761e1052e35305fd14e7115d7bcaa41c34577ed42547efa0817a9f0d639fe0ca2cc278d259247f68865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fabf4fcc28cc27640cf0945990317a1a

SHA1
88af74d40775e8db1bdb6f49ef3b3a3d46fce2af

SHA256
2dffff88d538e008c8e98e31e9f62e2021beaf82566200f27091248cb4982116

SHA512
25f98b0dd0c93f679fba341567e4b0e22e7d8948da77e1f6e8355742e07d9f14e541f719991667244ca9b14c8a5b679f41338c276e5545a86165e43ae81644e9

Download Submit
C:\Users\Admin\Music\OSIRIS-10f3.htm

Filesize
8KB

MD5
be9ade4942981c31a7a0034d8e6253e9

SHA1
477d375557132ba5228438821e18d8fbcca432d2

SHA256
2cc208216fbffb892ee9c165e47506418dd2c3d2201e2049aa0ceda745fbc02e

SHA512
58e08cd38c580a876b0559edd805afe5e7db228ab0f33da6cd41e4e6e0ea63957c0c75fffa419d42b4531a5bf5e90432ccaa888bafec19d865614e11c827d2d4

Download Submit
memory/1532-6-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/1532-14-0x0000000075620000-0x0000000075652000-memory.dmp

Filesize
200KB

Download
memory/1532-260-0x0000000075620000-0x0000000075652000-memory.dmp

Filesize
200KB

Download
memory/1532-12-0x0000000075620000-0x0000000075652000-memory.dmp

Filesize
200KB

Download
memory/1532-9-0x0000000075620000-0x0000000075652000-memory.dmp

Filesize
200KB

Download
memory/1532-7-0x0000000075620000-0x0000000075652000-memory.dmp

Filesize
200KB

Download
memory/1532-0-0x0000000075620000-0x0000000075652000-memory.dmp

Filesize
200KB

Download
memory/1532-4-0x0000000075620000-0x0000000075652000-memory.dmp

Filesize
200KB

Download
memory/1532-2-0x0000000075620000-0x0000000075652000-memory.dmp

Filesize
200KB

Download
memory/1532-1-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download