locky | d59141259753d70802bc521e85bd4226174ef73871aee39dc4d763290c33281f

Analysis

max time kernel
117s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe
Size

348KB
MD5

bc4a269ef127d108659149b6058ac7d8
SHA1

6e92d9c37f2325a6937a3416b1084fa6cbbfa0b9
SHA256

d59141259753d70802bc521e85bd4226174ef73871aee39dc4d763290c33281f
SHA512

2baf73f8860247a6ac352742e4abed159c20ccde2cdabf5dcbe509843b821e90c149fcf9f841e35d67113561a74729239a896c546ab238f497d193dfc98ed995
SSDEEP

6144:9lLhAgl/XxhG1MLAkCg+3K6xW4UisBfkvR8+0Pn28U+3jRdkVNBfH:D9AgF/G1MLAkCg161Un8vR8m+3jqj

Score

10^/10

locky locky_osiris defense_evasion discovery ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
Locky family
locky
Locky_osiris family
locky_osiris

Deletes itself 1 IoCs

pid	Process
2692	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\WallpaperStyle = "0"	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\TileWallpaper = "0"	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439372248"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6a347ec6cffa84f8a405ef73ae83242000000000200000000001066000000010000200000001b61bc9ef1878f272067c7721678601c74c0cf3d5a5a7df4246b5dbcabefbbf4000000000e8000000002000020000000de57a62128f04eb54ba2689c3fccdc7694a4f718672966be19e45b46d6c1ab3490000000c2475c5f1217d404a265b60b897d0a25b223ffb870a0c40fadcafa52e72a647bde43dd838244e0cf8aa92878219957925b686f97a4de7d393c7a99920a59a7f4e2f470b860787ca38ed3789eea458ecafd75e91d0272728554702a73ce10dcf63ce8f348e78f613d992eac40c25b0a875ba5f3592a8309bee60440de76954dfa464365c32c90b559f5e6cd6ed9a28fa040000000a5b65ccc4a65d5d97bf3ea7b4236ab4c741b0f2e1abbafa8bcd981354f5809b7e59dc4ace9cb48f9048fb0447da0dac291319c49619f5e3eb74091d43ef5e509	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d18cca5345db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d6a347ec6cffa84f8a405ef73ae8324200000000020000000000106600000001000020000000d549a287441f78c995e185850069f10830c38adca1916d6b652a8f6c5c34c89c000000000e8000000002000020000000ea839f74904ab36810061ec535a2fdb83fb88bb3dc27fdbae3cfa142af286c1220000000230940a77f694388ead4c526ae43cfab3015a5018fbeb4a76b71f79241c47fbf400000009a92dd931fe1d700ee990c6835571fed7257e7cf03188243eaf49c5c417bb861ee0816399bddb173454684b6c7f9934e5fee9beb935d3bae771eaa340763832f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5DE91B1-B146-11EF-BBA4-FA59FB4FA467} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2928	iexplore.exe
1916	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2928	iexplore.exe
2928	iexplore.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
1916	DllHost.exe
1916	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2928	2380	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2928	2380	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2928	2380	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe	31
PID 2380 wrote to memory of 2928	2380	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe	31
PID 2928 wrote to memory of 2796	2928	iexplore.exe	33
PID 2928 wrote to memory of 2796	2928	iexplore.exe	33
PID 2928 wrote to memory of 2796	2928	iexplore.exe	33
PID 2928 wrote to memory of 2796	2928	iexplore.exe	33
PID 2380 wrote to memory of 2692	2380	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe	34
PID 2380 wrote to memory of 2692	2380	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe	34
PID 2380 wrote to memory of 2692	2380	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe	34
PID 2380 wrote to memory of 2692	2380	bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\bc4a269ef127d108659149b6058ac7d8_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\OSIRIS-a000.htm

Filesize
8KB

MD5
2a5f2b88b7531c38e573fa44d7470fc3

SHA1
6b08e5daa6e344180ce25723dc0301bb40c0090b

SHA256
c650c406857d566def82d83693968ec0455c162a9dc8665f5f38bab3cabead8e

SHA512
ba4c7246f86927f66032b217af632ded4bd568483fadf220992e2d4e897b024328b344f539d346e592bc3d5d08292247ccf3220477dd3cd7660fcb3b4dafa7a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e87fa68c2b2e3aa714d4a2007b843d28

SHA1
e3a4e281f46f9ff077d99cc5b1014ffba0da49b0

SHA256
fd28daccc4b24f24a58e56e894145fd8da1597f0d2d411208b8a4d03825cdd2c

SHA512
ea26bbd55d0fad2d898c2d0f2504ae538e06d0a2336fa80c6f81c3163bd2100873b4457e925cba841767aed76e0bf7a9b459e3cff1f71249908994f094d0c9eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59542f108265f24abf980adcc23b4a26

SHA1
abc7cc57e83111046f531275542d5b734c5a76c3

SHA256
c33541bbbc65c5efb353a3ffe1da80163c823f30f9a279b1ce7f59aebd7c1cd5

SHA512
6ccc9758ec3f91ba317937354a482b7c3469aaf763a8fa2fd233fffee83bd33ee49340058d805145f559ec5af999705d781e2e117d05764329715e5e9332db86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d304cb1ee044164f3d0a599c78694d56

SHA1
baa3ef2bffc4d6181df7df0edce791e03714f7f0

SHA256
edfb39a7ec0f3eba7a2e59a966c74dec78e18b88fdc105bd37e83c78224d3434

SHA512
cacbe4017276da34e6e9ee6b4d671311ea6f2c3fa490290c598d347f90f2e2eb1e0538bedc46a799a4c7f8878db62ed759d31418c2d8eaaf5760c749b2502dda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0700ca993ef3c9ac7b7d30863795669

SHA1
57c248143790ed350de859c718080723dc0b5529

SHA256
49238497bc9cef92acb62cbca4b62def88280d63fde58113aa19dd7e5815f385

SHA512
f17704ef391d7df88fdc6f7cdd2a7e0dc4525bf8347154e48ee4493b564acd1842d8deeda06c0a0baf788d55e4badaab6c6a50f6c79cf171eade45b0d305dfc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c358932d8df279c3b7be5b189c45faa

SHA1
1395b4bbfacf276d576f59bd424de9ee78c46b30

SHA256
6e4ba35b4f487bf34edf3b79dfe9a20f7cbc8047120738444588eb4861884c8b

SHA512
b3a0a129b071180692ac28fc89070c358d0115e1b554afcacf7ca5248e14c7f1927b91e491732d10d86b9d760b1c963fafc4292c97bbcbf05e3fe71760904f4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dfc4eb28345fa4146b588c69d23d802

SHA1
52908b1a6dbde50bc3d4893cfcaa984f48d26620

SHA256
78295bfd05ae12fe00ec0d68404eb57b6cf9a07366db1d8d321d22f2c2851307

SHA512
75005fcf46657d08dc85073ba22c84d31c0514677d2f5847bc0e7ad6d527b8db4b8e327da17ba876c32b6d5f8b9f98a0e152224fed53f6d237506ee26283d2ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cfb64d586ef492844ab6d05c027752b

SHA1
c9bdf4574427a1794e21c607a50059cfbed1a228

SHA256
73e9f7b690ac83ff5f33d8d972d64b4b05d4cc7a0aa00e4b54941263353fa2e3

SHA512
a53fd48c1485ca287c07388636069a7539eecd3dc3a0e9d4fbfddd622f8156ce32bf7e7b7a9f54444d7714f9452de699a80e8407d7d2d47b78598bd12b3d590d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
822cca7e712743690b55f5fcde8f9865

SHA1
c180de49a304f2f8132acc12dcba5a72af66a334

SHA256
442ca08e01260146c6d8b96091fa16dcfe420fe7f5b34626d6db88cb8f37057f

SHA512
184444d1ead5ae30e93314cd7553af84d9f7c5e388f9626ffc9b6d41e79defd84b3b2d8250d6f5ffe58c242c7965b99e6fcf0a01a13b1a01cc1e60ff90702540

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3c201acefa387353cfcdb531a129839

SHA1
d45dc86bf196d6a20c170b6ac8ff365264972bb0

SHA256
883add4c6036d91f5a9ed49a19a78a281fff784f78e40febbfd229e7264bd9c3

SHA512
173639be5453ac6503a55d01dba486d26413026b3a333718953f6c537702830fb55b32add1764c0be1790bdf7340f7a05de47d719d55becc25929ae367acbaa9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da8d936428c3f23bf8ef5af8d50d8416

SHA1
055e6b3acd8ffb47d88fc3980239d3eda1ccf0ff

SHA256
6dbcdc3a14ee8df85b31938a9f3e1423cb9e4a8e781555bd6db9f144dbda9716

SHA512
f9d7ffd48749727b6bc16bb718133459194930fe5e13c2dcb2b3fb0910cd2f55013cb3db092bd1319e804b8aa8879a438f2f487c46e0ded16923d5a9b37e6faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e396f8128232e3dcb4f9537e0d00a93

SHA1
50fc23368d1e4edf0ef54533770075d36ffb9b6d

SHA256
eaa2cbd3c17d9683eba90d568faa7441f43c002c2426780c29e15818853444b1

SHA512
ced2f83cc75975ca182042846d503339af59fe518410d241e5b5951f98aa38b25b15e6fb9a217fad90fda0d6f0f3fa1cb0a01bd5fef666a80738d7744239e31b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bb4fea931f11ca8259138b9a3274fbb

SHA1
97e17bccb6a53a0286bb083cacab95c340f6af96

SHA256
6d1a8a70afe6aae58ad05bd83c8cd5e09498cfcb9fb32936276e0b7881257fd3

SHA512
50eb37e46728639f736b82a279bad3adac055868fad115158b8b501ef59a2821373da920869318d6bfcf04341c5266d6d163fb0a5d3d56dd7fa944839c8a7555

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0792cb9e2152b2387f08537f8f8f1d6

SHA1
590d7eefd6a9c28e77f4eff67ce29036dd7d4925

SHA256
83c001d5218273c252a3cf41415de9147bbbf145ff033a3e32b5dacf69bccffb

SHA512
e2b1cb81e0e98a95dd480a6d2e7994e8ed1625af534242299d5e727d446db33cb4fdbb31d67d0ba4d9f49b43217e018bce1c6a984cae689c628e8aa21d7de255

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa9ab741da339542cca046d6e9d4a96e

SHA1
54dbfe4a69d8e3815e53d9032c890f98f2c8cc82

SHA256
8a69f4440af8a6cd0fe5c718cbddb5bb061fe2daa9f74a04ff1b9880b594e66d

SHA512
3be24d0997e7f45a8f0f264de79dbe33abb21a1d011fe7bd796720ed40001468b19ff63fbd662e6903abc207dd9a80267160c2b5f20c2543f7c60947058d34fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
716823c433386727c8bc213470e85d40

SHA1
083952183df12a4922e51b274e54e9fab4cc6c24

SHA256
c8d662cf8c2300de1121e6b6bfcc18d04638668d4e541d29408821ff682c71af

SHA512
2a73ec6438c7632e59eeec8c587ad2fced28692cd1046e03e4ac6157c09c6612819c649ed1ea84707e49a5b82098e1c28b593c3ee9872cf7559a6630f13a611d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fd97fc9f8213c946de6764abf1645ec

SHA1
9d48b350a2e77110756aa369d2de5369397415c9

SHA256
a1f8bfd76ae6e6c7e76d0a004e971197991d2c155d7efb09960038c6049e4ef9

SHA512
ef7a0bd9d1f6df474c6c86fbc2d11a0a9383d5ab5e60c230b120cf238416450364bed01328f9decb66c4a30eea7daa25bb25319b836bfaeca1ba08c9b62bd904

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a925c99cc0b95ee4f33ee4491854817f

SHA1
b2ab43fc93bad81edadfe60d900faad9ffa6edff

SHA256
4e8f0fb06c67f380913d948f5b3567eba7b6c92f8ad6bdd61f82d175dc2b77c9

SHA512
ff965db02d4bff13ac77d31726fc2101e9b19397f9cd28161f5d69d73eaf6faf4ad04ee1eba2692e0f1b8e6ea637bf9052441f84ba8b90b9f1ad2ebf122fb722

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
435835d7e7bb18857bf7baea62b48df8

SHA1
e2c0ac8f9d924ba2987144fe2ec7a481b0cbc0cb

SHA256
d2d59a8181438abd76b8c85faf83b6fce5496c15bcefff19a446cd9fb1ef7631

SHA512
5724b9c139d542ac2e654e76caff4a96f43debeb25ebda00ff5e80ff53bd55bb4e58a8b292485fd28e3cd78458ff9568a8600bb8065cd95af74e4fc3b4127282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92beb4b80b92175130272f500823950b

SHA1
d3292a233dbbac436613afac9046be8628dcc390

SHA256
3bf7572f0275e8c9416fd39b9d5cc18d6fd606a99a1b03e53efcbe3dc0d5b673

SHA512
b45603e17bdc64cf4f204645aa7526a851bbdfbe75d544e3616be73b29a1b229bfade64bd30abef76c36ec262ce62ef58cd1ea5b0c1cba74e57a330a98f0eabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab403E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar40AE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\DesktopOSIRIS.bmp

Filesize
3.4MB

MD5
85022020b7b2c7467215662308f2f7ca

SHA1
9f61fef32a81c132a801b53e9c35b9995f44994e

SHA256
42919e49e1564ba676e13b7dad8cc30839a2b51e30b37a3c8b67441f4278a811

SHA512
b398f8abdd799caafb05841c6907961f7052d87013ce95935fc7e8a16822dc161bbf6faac9c0a7a021e65baf777df45809738dadcee637ce5f79eaf4eb46c8e5

Download Submit
memory/1916-326-0x0000000000170000-0x0000000000172000-memory.dmp

Filesize
8KB

Download
memory/2380-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2380-325-0x0000000003700000-0x0000000003702000-memory.dmp

Filesize
8KB

Download
memory/2380-320-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2380-10-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2380-11-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2380-12-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/2380-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2380-8-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2380-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2380-5-0x0000000002210000-0x00000000022A1000-memory.dmp

Filesize
580KB

Download
memory/2380-4-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2380-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2380-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2380-0-0x0000000002210000-0x00000000022A1000-memory.dmp

Filesize
580KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads