ad861f41bb4a31ee778bf60cecf0a7bdd9c0cc91d5cc17775d15199c214fbccf

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OsLock.exe
Size

385KB
MD5

675ea787630f596da0474830ffb49723
SHA1

c8e18cbc3cca1ded47eb5860a71b9f22d46409e1
SHA256

ad861f41bb4a31ee778bf60cecf0a7bdd9c0cc91d5cc17775d15199c214fbccf
SHA512

fa3c2c6edd3435bd16ec652c1738695cd1e8cdbd010b55fd856cefdbebd50552074d06e9b66860fae9c3a2f71ffe1076bb0227944b49286f05e1a3a4c871014d
SSDEEP

6144:Z1IE/9oydPc4IvjTZlyZsDDyr3rAUp48zUCpM69/KImQi/6ebkY:Z1vlc4IrTZlyGDc54

Score

10^/10

defense_evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\""	OsLock.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	attrib.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsInstaller = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\" -startup"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSEdgeUpdateX = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\""	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_2 = "taskhost.exe"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_4 = "System.exe"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_5 = "_default64.exe"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_7 = "ux-cryptor.exe"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System3264Wow = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\" --init"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\OneDrive10293 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\" /setup"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WINDOWS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\" --wininit"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_1 = "AWindowsService.exe"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_3 = "windowsx-c.exe"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_6 = "native.exe"	OsLock.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_8 = "crypt0rsx.exe"	OsLock.exe

Drops desktop.ini file(s) 45 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\63WZ73PY\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	attrib.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L2BFB2JG\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	attrib.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROVWYKHE\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9C9T5AL\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYC3PENY\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7CO3PKGI\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YQ90JXIE\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQBL5G2Z\desktop.ini	attrib.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2172	cmd.exe
2280	cmd.exe
2500	cmd.exe
3060	cmd.exe
2468	cmd.exe
2692	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1552	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1700	OsLock.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	OsLock.exe
Token: SeDebugPrivilege	1552	taskkill.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2500	1700	OsLock.exe	31
PID 1700 wrote to memory of 2500	1700	OsLock.exe	31
PID 1700 wrote to memory of 2500	1700	OsLock.exe	31
PID 1700 wrote to memory of 3060	1700	OsLock.exe	32
PID 1700 wrote to memory of 3060	1700	OsLock.exe	32
PID 1700 wrote to memory of 3060	1700	OsLock.exe	32
PID 1700 wrote to memory of 2468	1700	OsLock.exe	33
PID 1700 wrote to memory of 2468	1700	OsLock.exe	33
PID 1700 wrote to memory of 2468	1700	OsLock.exe	33
PID 1700 wrote to memory of 2692	1700	OsLock.exe	34
PID 1700 wrote to memory of 2692	1700	OsLock.exe	34
PID 1700 wrote to memory of 2692	1700	OsLock.exe	34
PID 1700 wrote to memory of 2172	1700	OsLock.exe	35
PID 1700 wrote to memory of 2172	1700	OsLock.exe	35
PID 1700 wrote to memory of 2172	1700	OsLock.exe	35
PID 1700 wrote to memory of 2280	1700	OsLock.exe	36
PID 1700 wrote to memory of 2280	1700	OsLock.exe	36
PID 1700 wrote to memory of 2280	1700	OsLock.exe	36
PID 1700 wrote to memory of 1552	1700	OsLock.exe	37
PID 1700 wrote to memory of 1552	1700	OsLock.exe	37
PID 1700 wrote to memory of 1552	1700	OsLock.exe	37
PID 2500 wrote to memory of 2724	2500	cmd.exe	45
PID 2500 wrote to memory of 2724	2500	cmd.exe	45
PID 2500 wrote to memory of 2724	2500	cmd.exe	45
PID 3060 wrote to memory of 2232	3060	cmd.exe	46
PID 3060 wrote to memory of 2232	3060	cmd.exe	46
PID 3060 wrote to memory of 2232	3060	cmd.exe	46
PID 2500 wrote to memory of 2904	2500	cmd.exe	47
PID 2500 wrote to memory of 2904	2500	cmd.exe	47
PID 2500 wrote to memory of 2904	2500	cmd.exe	47
PID 2692 wrote to memory of 2628	2692	cmd.exe	48
PID 2692 wrote to memory of 2628	2692	cmd.exe	48
PID 2692 wrote to memory of 2628	2692	cmd.exe	48
PID 2172 wrote to memory of 2788	2172	cmd.exe	49
PID 2172 wrote to memory of 2788	2172	cmd.exe	49
PID 2172 wrote to memory of 2788	2172	cmd.exe	49
PID 2692 wrote to memory of 2624	2692	cmd.exe	50
PID 2692 wrote to memory of 2624	2692	cmd.exe	50
PID 2692 wrote to memory of 2624	2692	cmd.exe	50
PID 2468 wrote to memory of 2900	2468	cmd.exe	51
PID 2468 wrote to memory of 2900	2468	cmd.exe	51
PID 2468 wrote to memory of 2900	2468	cmd.exe	51
PID 2280 wrote to memory of 2736	2280	cmd.exe	52
PID 2280 wrote to memory of 2736	2280	cmd.exe	52
PID 2280 wrote to memory of 2736	2280	cmd.exe	52
PID 3060 wrote to memory of 2712	3060	cmd.exe	53
PID 3060 wrote to memory of 2712	3060	cmd.exe	53
PID 3060 wrote to memory of 2712	3060	cmd.exe	53
PID 2172 wrote to memory of 2872	2172	cmd.exe	54
PID 2172 wrote to memory of 2872	2172	cmd.exe	54
PID 2172 wrote to memory of 2872	2172	cmd.exe	54
PID 2468 wrote to memory of 2600	2468	cmd.exe	55
PID 2468 wrote to memory of 2600	2468	cmd.exe	55
PID 2468 wrote to memory of 2600	2468	cmd.exe	55
PID 2280 wrote to memory of 2720	2280	cmd.exe	56
PID 2280 wrote to memory of 2720	2280	cmd.exe	56
PID 2280 wrote to memory of 2720	2280	cmd.exe	56

Views/modifies file attributes 1 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2232	attrib.exe
2904	attrib.exe
2628	attrib.exe
2788	attrib.exe
2624	attrib.exe
2900	attrib.exe
2724	attrib.exe
2736	attrib.exe
2872	attrib.exe
2712	attrib.exe
2600	attrib.exe
2720	attrib.exe

C:\Users\Admin\AppData\Local\Temp\OsLock.exe
"C:\Users\Admin\AppData\Local\Temp\OsLock.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\system32\cmd.exe
  cmd.exe /c F: & attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\attrib.exe
    attrib +h +s +r +i /D /S *
    3⤵
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
    PID:2724
- - C:\Windows\system32\attrib.exe
    attrib -h +s +r info-lox.txt
    3⤵
    - Views/modifies file attributes
    PID:2904
- C:\Windows\system32\cmd.exe
  cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\attrib.exe
    attrib +h +s +r +i /D /S *
    3⤵
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
    PID:2232
- - C:\Windows\system32\attrib.exe
    attrib -h +s +r info-lox.txt
    3⤵
    - Views/modifies file attributes
    PID:2712
- C:\Windows\system32\cmd.exe
  cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\attrib.exe
    attrib +h +s +r +i /D /S *
    3⤵
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
    PID:2900
- - C:\Windows\system32\attrib.exe
    attrib -h +s +r info-lox.txt
    3⤵
    - Views/modifies file attributes
    PID:2600
- C:\Windows\system32\cmd.exe
  cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\system32\attrib.exe
    attrib +h +s +r +i /D /S *
    3⤵
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
    PID:2628
- - C:\Windows\system32\attrib.exe
    attrib -h +s +r info-lox.txt
    3⤵
    - Views/modifies file attributes
    PID:2624
- C:\Windows\system32\cmd.exe
  cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\attrib.exe
    attrib +h +s +r +i /D /S *
    3⤵
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
    PID:2788
- - C:\Windows\system32\attrib.exe
    attrib -h +s +r info-lox.txt
    3⤵
    - Views/modifies file attributes
    PID:2872
- C:\Windows\system32\cmd.exe
  cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
  2⤵
  - Hide Artifacts: Hidden Files and Directories
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\system32\attrib.exe
    attrib +h +s +r +i /D /S *
    3⤵
    - Drops startup file
    - Drops desktop.ini file(s)
    - Views/modifies file attributes
    PID:2736
- - C:\Windows\system32\attrib.exe
    attrib -h +s +r info-lox.txt
    3⤵
    - Views/modifies file attributes
    PID:2720
- C:\Windows\system32\taskkill.exe
  taskkill.exe /im Explorer.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$unlocker_id.ux-cryptobytes

Filesize
6B

MD5
98fd28488691b97f8aed01144bb97f47

SHA1
1709c2674bc9cfa4ed617d124fbf1ea286e770c6

SHA256
fddd3f4fe7d29c4ea94a5d730abc089c792a5e3d0d7d6e1fed00d5addc7c1222

SHA512
6a4adeeed346a05aa167e7ee1eaed5f70180618bd1d9b472150eac3b3b841c51d337c965f24fb7d9c728d6b2f7cd9245cd050d45c011087b93c29808eedbde5d

Download Submit
C:\Users\Public\Desktop\info-0v92.txt

Filesize
56B

MD5
a7a7aa1dc2eb7b65c62d1d6ad9d928f7

SHA1
9c4068e4d309a577a10c2f1e233d620701dfb337

SHA256
2da0de605984896a6c294ad2e8aa7e2b7c8e8c6d22a985a6380ce0a7ea2a3753

SHA512
87b1a26336842fbdf0ebdb6d9bcb3a53690e45c8191459f57eee75df71916c960b61acfe98d8d808223022123310c8ce977ea1237358967e90bc3791fe2ffe58

Download Submit
memory/1700-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/1700-1-0x0000000001080000-0x00000000010E6000-memory.dmp

Filesize
408KB

Download
memory/1700-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/1700-16-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/1700-17-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download