Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 09:15

General

  • Target

    OsLock.exe

  • Size

    385KB

  • MD5

    675ea787630f596da0474830ffb49723

  • SHA1

    c8e18cbc3cca1ded47eb5860a71b9f22d46409e1

  • SHA256

    ad861f41bb4a31ee778bf60cecf0a7bdd9c0cc91d5cc17775d15199c214fbccf

  • SHA512

    fa3c2c6edd3435bd16ec652c1738695cd1e8cdbd010b55fd856cefdbebd50552074d06e9b66860fae9c3a2f71ffe1076bb0227944b49286f05e1a3a4c871014d

  • SSDEEP

    6144:Z1IE/9oydPc4IvjTZlyZsDDyr3rAUp48zUCpM69/KImQi/6ebkY:Z1vlc4IrTZlyGDc54

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 13 IoCs
  • Drops desktop.ini file(s) 45 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 6 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Views/modifies file attributes 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OsLock.exe
    "C:\Users\Admin\AppData\Local\Temp\OsLock.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\system32\cmd.exe
      cmd.exe /c F: & attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D /S *
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2924
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:2680
    • C:\Windows\system32\cmd.exe
      cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D /S *
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2796
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:2656
    • C:\Windows\system32\cmd.exe
      cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D /S *
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2764
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:2636
    • C:\Windows\system32\cmd.exe
      cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D /S *
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2800
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:2688
    • C:\Windows\system32\cmd.exe
      cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D /S *
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2624
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:2748
    • C:\Windows\system32\cmd.exe
      cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D /S *
        3⤵
        • Drops startup file
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1632
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:2852
    • C:\Windows\system32\taskkill.exe
      taskkill.exe /im Explorer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\$unlocker_id.ux-cryptobytes

    Filesize

    6B

    MD5

    c2ddb87fcd81f868895dc5e4cce00702

    SHA1

    90d6c9d00c574088776887f3863a849233856333

    SHA256

    c27e7902281a66630c499d0d7c1013f0cb17a7f5ea333ab35fde73d6e5d8ac36

    SHA512

    3407ae2d3caa0928b1f3fb7b6e48856dfc6048f8f55eb2502abee0aa0196e373eb2cdc840a10b79f80edb79d5db021ed7f7ca93ca2aff4c016d0de1f2ef84b49

  • C:\Users\Admin\Documents\info-0v92.txt

    Filesize

    56B

    MD5

    5250167e9ed5616c92f2c49b7e295375

    SHA1

    6ca4f968809543f95a7c476bf39a9000231a4a4e

    SHA256

    0a8ce0b30dffe9ca968d05f8067a017bc48e0f5a432d75b4b7d25d59ad58a40d

    SHA512

    df65c59ba2c3b5033b85c4a526957c0ecd508acb2222b95133fa574df7a77abd3007a682d56312357e3ace87b88bd386c5463884d2c28c184808cf7c0608aeec

  • memory/1872-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

    Filesize

    4KB

  • memory/1872-1-0x0000000000180000-0x00000000001E6000-memory.dmp

    Filesize

    408KB

  • memory/1872-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

    Filesize

    9.9MB

  • memory/1872-16-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

    Filesize

    4KB

  • memory/1872-17-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

    Filesize

    9.9MB