Overview

overview

10

Static

static

3

OsLock.exe

windows7-x64

10

OsLock.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/11/2024, 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OsLock.exe

  • Size

    385KB

  • MD5

    675ea787630f596da0474830ffb49723

  • SHA1

    c8e18cbc3cca1ded47eb5860a71b9f22d46409e1

  • SHA256

    ad861f41bb4a31ee778bf60cecf0a7bdd9c0cc91d5cc17775d15199c214fbccf

  • SHA512

    fa3c2c6edd3435bd16ec652c1738695cd1e8cdbd010b55fd856cefdbebd50552074d06e9b66860fae9c3a2f71ffe1076bb0227944b49286f05e1a3a4c871014d

  • SSDEEP

    6144:Z1IE/9oydPc4IvjTZlyZsDDyr3rAUp48zUCpM69/KImQi/6ebkY:Z1vlc4IrTZlyGDc54

Score
10/10
defense_evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 13 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 6 IoCs
    defense_evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Views/modifies file attributes 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\OsLock.exe
    "C:\Users\Admin\AppData\Local\Temp\OsLock.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c F: & attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:4944
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:836
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4024
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:5008
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:4636
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:3188
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:4732
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2956
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:536
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:212
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:3900
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:2316
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:1888
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill.exe /im Explorer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Desktop\info-0v92.txt
    Filesize

    56B

    MD5

    a7a7aa1dc2eb7b65c62d1d6ad9d928f7

    SHA1

    9c4068e4d309a577a10c2f1e233d620701dfb337

    SHA256

    2da0de605984896a6c294ad2e8aa7e2b7c8e8c6d22a985a6380ce0a7ea2a3753

    SHA512

    87b1a26336842fbdf0ebdb6d9bcb3a53690e45c8191459f57eee75df71916c960b61acfe98d8d808223022123310c8ce977ea1237358967e90bc3791fe2ffe58

    Download Submit

  • memory/4892-0-0x00007FFB52293000-0x00007FFB52295000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4892-1-0x0000000000760000-0x00000000007C6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4892-2-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4892-12-0x00007FFB52293000-0x00007FFB52295000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4892-13-0x00007FFB52290000-0x00007FFB52D51000-memory.dmp

    Filesize

    10.8MB

    Download