Overview

overview

10

Static

static

3

sample01_deob.dll

windows7-x64

10

sample01_deob.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2024 06:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample01_deob.dll

  • Size

    159KB

  • MD5

    7932ee5fa6f83b149569752c47e04b87

  • SHA1

    6eb115feadc5808507fb5a666dd18aa89a45616c

  • SHA256

    f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b

  • SHA512

    17ba26e69f7536f5adaa52454fbd407338be61d97bc396baa591de9fa19aab3e539b4ca32059b2ddb1b901ac7ecd341dff9ead706fc0d058086e6b3795642f58

  • SSDEEP

    3072:pusrpo1j49JvKa0ePbh37E6ZO78buZKxrF:ZQcvKpE37E6nmKhF

Score
10/10
lockylocky_osirisdiscoveryransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • Blocklisted process makes network request 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample01_deob.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample01_deob.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2668
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2420
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:2324

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\OSIRIS-063e.htm
      Filesize

      8KB

      MD5

      df5da6d2f4cd542296e43590bbbcdcf0

      SHA1

      61ffdec9a486d7be7da6605eb5ef40f7426402a8

      SHA256

      848365e4d9ef13388301ce03406506c5f71bb10f60e45c08f6d86d1b0739eda1

      SHA512

      4f1a6e11c4146c6149372c7901f9a97fdadde96509dd93799c6f962a4b16392f92270db8cdd39ede78c697cc03f80a2469c55bc8a2d33b99a84e13e616c32df4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      3a33cc7860ae26212d4d95ad13e60c9f

      SHA1

      0ab66493eddfdb383a94db8e867d258bfec94cd6

      SHA256

      16e6ae22e4e3b45b4236797fdbaea0f8dc18d4aafc0d85df66ff5b0cd89ef32c

      SHA512

      161540efa66129c9377c2c181235505eda940e988adf795365075165fe68891495d443b2f33d23fa5d92fc85d159e328cb38b5c724fc4c217a8f33582dbd8930

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      bfab926ad11397dc094404d9884111df

      SHA1

      685bd7cf6047458f6f28ab8a81ed5b44114e11e6

      SHA256

      da3d3f1503050e716dcc1905da30fd36199daffb2f1c9a6e243f64cbd3a3f3e3

      SHA512

      206156564c2893699adb6d34acf99a0aca5f86abd0130797684c2120352d9ce01dbcd9f4403c917e249e16c003d03543dd5f83132856888b7515fba08282354a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      6879d3b1fea8029d2add46dd0721b16c

      SHA1

      77e9325c84ef2b2bc67dc7adfff93f159d5a9fbb

      SHA256

      c276eda62ee7d06f7d1a13edc0f3daa5ebc3fda76aab375eb59e5d36275e3f94

      SHA512

      0dd8de854be07294b06734278631798547a8a2638e32bceacd4b86a7d3eacd91b4f14400381156c08836fa4c34b5c57c546a44da012840df95044c85a2b0aa45

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4c3c04d75d2ce1e2be9a1ae3e4fcdb34

      SHA1

      707c4e1d71bccf538f191896ab859f04ca6b92bc

      SHA256

      dce44f75096aee2387592247b84566d13ef74a53db85af60891e23f9ffbac0a2

      SHA512

      8050a7843fda6a990f51f0c45b3101e341846495efdc6fbc1c209d2d1a8ecb38d1b9f378ce489f5f25f86125ca9376f8941484a076a656c247efccd5b632f543

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      8e16707347cf1deac97ffc7dd485bd24

      SHA1

      30c85e46ecd6426a42cc9f28cd64da3b43134270

      SHA256

      43ee0cbc3bdcc939f523ed57a009c1c3871f2072601dd7db0ae6099d047f87c6

      SHA512

      df37523dfe3618a86415c90f68bee56fc9fa63d844c2deeb5925628b49c0b67b7aff4c87677d7d68459aa30c828c0f38b73f205f7641aa304d0f72e2e93073c2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c4037923a7b8cc98ba0ac933e156fcfe

      SHA1

      553930906f442da0e4f7e10c4a4b03859d3bf13d

      SHA256

      bc4439a23837d31cd24b718b112e95a366d6240755ff1194a56a632f6064af3b

      SHA512

      f04d8cd3f8bb5ab7b045b2be6b4442a349e2968b29b8db1ef15fde21a274a2adc108fe4a65af2c3507d9f7634338c5360ddd5514fb22bc454bb8723f639519cb

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      aead0af1e07270ed6a7c3c2348f8de72

      SHA1

      61c3cbd51e891fa64d02cb23503f887898e28ece

      SHA256

      83aad3b16476950f7be7fb6d2821e54829b3646fae85868f1a187e5b5998d34c

      SHA512

      8f278f922e49d590369677e66e9c4cff19747cb1f882dbe025b56e8495f0c9422da71f9608229e6ed04229301e2db7f5f15f0b0e463150cc8a62c7b869c69ce1

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ef41d58ce8f4222e94635a7d3e6210a2

      SHA1

      89dd6f33ffbf57b5f2de32ab511ae3f635279ef7

      SHA256

      7535083efffaff804a3e41b8c7c035dc5c6c8213ab17400b3094f3ccb8000dd9

      SHA512

      4d76035fb438475ffa21a24873b61718a926468b66b4da83b5a852907c71c7b793551585a09522ee853704aea0b412413c05bb25e2d44815c8c65cecf58d643e

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      c6a35f0c44ce095c4dd2979228dafc76

      SHA1

      53503a7f901a87b4293b0d1e19b8093589b525b4

      SHA256

      de93f98fc12b03ed788bc23f4c5f6cd95f7ec73ddb72b0236f5a68124d4ac66b

      SHA512

      e0e76460b449a772896b7003329d70c5f4844f90baf9cc0940bc05a7b792df9cef63e6e1166bf47503c72b8bdfa1cd87196e4f6ab3a90ecbae66c58e36800add

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab9C90.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar9CF1.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\DesktopOSIRIS.bmp
      Filesize

      3.4MB

      MD5

      7faffd2f546a9db305995ed1f59636fb

      SHA1

      863a0fda13f71c4c8c16d7dd448dbbd931491863

      SHA256

      3cb2d43c1845ebc7edace2a36b05f84ce4dfaa55a6e45c0d6597920bca80dcc2

      SHA512

      448dabf77e165ff5313017223bfb90ee31d5b57a2863c460dd13b47ccc2b21dc121f348eb9206feb95803e4b02bddf971e29cc1831d8140f612409d540131485

      Download Submit

    • memory/2324-354-0x00000000000B0000-0x00000000000B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2384-14-0x0000000074700000-0x0000000074732000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-3-0x0000000074700000-0x0000000074732000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-20-0x0000000074700000-0x0000000074732000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-18-0x0000000074700000-0x0000000074732000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-17-0x0000000074710000-0x0000000074742000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-16-0x00000000746F0000-0x0000000074722000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-4-0x00000000000C0000-0x00000000000C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-0-0x00000000746F0000-0x0000000074722000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-1-0x0000000074700000-0x0000000074732000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-353-0x0000000000690000-0x0000000000692000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2384-12-0x0000000074700000-0x0000000074732000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-9-0x0000000074700000-0x0000000074732000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-7-0x0000000074700000-0x0000000074732000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2384-6-0x00000000000C0000-0x00000000000C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2384-2-0x0000000074710000-0x0000000074742000-memory.dmp

      Filesize

      200KB

      Download