locky | c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287e

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/02/2025, 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe
Size

4.0MB
MD5

7e0e9d61b4719a57f69301984f2e29e0
SHA1

ad08f2cc627d9d1bddea42b99003a3ffcb20a1f7
SHA256

c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287e
SHA512

b7e6a8013fc863107f2b7b3be0fef863a435dc492e4ee3afa4820e1ffc262b947bed009f0ed3567c9eb06b213948a1211117db44142101f3a9d46152006c93a7
SSDEEP

98304:J8NPKZC3KHXThoNyx8bOpgSrU4d5SOAy1pHbMuJ:JoPKZC3KHXThoNyx8bOpgSTfX1dFJ

Score

10^/10

locky locky_osiris defense_evasion discovery ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris
Locky family
locky
Locky_osiris family
locky_osiris

Deletes itself 1 IoCs

pid	Process
1624	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\DesktopOSIRIS.bmp"	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "0"	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\TileWallpaper = "0"	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4C9D241-E6F6-11EF-8DAE-C28ADB222BBA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
716	iexplore.exe
324	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
716	iexplore.exe
716	iexplore.exe
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
324	DllHost.exe
324	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 716	2756	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe	32
PID 2756 wrote to memory of 716	2756	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe	32
PID 2756 wrote to memory of 716	2756	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe	32
PID 2756 wrote to memory of 716	2756	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe	32
PID 716 wrote to memory of 3024	716	iexplore.exe	34
PID 716 wrote to memory of 3024	716	iexplore.exe	34
PID 716 wrote to memory of 3024	716	iexplore.exe	34
PID 716 wrote to memory of 3024	716	iexplore.exe	34
PID 2756 wrote to memory of 1624	2756	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe	35
PID 2756 wrote to memory of 1624	2756	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe	35
PID 2756 wrote to memory of 1624	2756	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe	35
PID 2756 wrote to memory of 1624	2756	c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe	35

C:\Users\Admin\AppData\Local\Temp\c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe
"C:\Users\Admin\AppData\Local\Temp\c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\DesktopOSIRIS.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:716 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\c0f47f5a597be7135d9d2fc23cf2563a3b7117f8272bc794cc745266394e287eN.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1624

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSIRIS-c523.htm

Filesize
8KB

MD5
91617ed86b074c66075fb87330be4a76

SHA1
b156eea4e9ec27e56785a10bc4b400d5f1834ebb

SHA256
8b54175bc33e818e9a56965e8232f7bdf6c387b5945cb1d7fd78dc4d714d072a

SHA512
d64f6d5a83a640eedd4c9f768845ca86274e9cddcd5b35f5fb11c4403893490e05e0b50893b4ecd1b3687a89177f8ccf5d0a92c79048371cba605f13dcc94203

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f65836a9aba63a429381c14afdcbdfcd

SHA1
e03a26066de707bac956db015f04c692a5106ebb

SHA256
791b4172a2cd98e2b6404ba3224479f57c43bcdb1f23a5c5d2d69c2baafce674

SHA512
4ca4ad666543e7485cb7185c6aafc19f404683fa24d1cd1fc11a4438ebf6343fdd6bff6c9fa98541386ebc46708b7a9217dfc80525313fa77c2ab201c20f5739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e194f259df959251839c3842a55a898e

SHA1
d8f1671a67b74ffbf83924347f39358819811609

SHA256
4dd7f7cec594bd545f5f406237d4aefeb8379b5bf8bc754229450ea448a277b7

SHA512
d868aebb677e60bb5fd6a63d631c926a8ac970ea0a0b7cb8a89bcd630df9260df33851abce6856505b3240f191da7128da8f1ae205865d209277f67b63d6cd91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d17dda0cadfa69986937a5ec9a63b85

SHA1
05baf7b00261ef320f3043802b259fc661b2baf2

SHA256
857cbd043c0d51c6ffae2e4bb1b1f9968f9428df869542a41312019b5ebea30e

SHA512
f29fb34babff0efc427ff4a380bf8af3ae50ae6727e1da7dd99dec1de0d0b65ecd570302eaacebf51c0e0710af6f31bf1d685e6f5a4de7abba202f4701d7cfb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a7bec7f5f28a00801b694707244972f

SHA1
472ea92c1e8333b26981705ec6420e6b1e7ede65

SHA256
d42c128cde744ef4cd49d04ce779858e74a085dd54baf0a9681342904a875d7f

SHA512
2ae8c31a13fe12dde0c054251befacb9d4f3daad8fbf9cdbfda4f7c62c02528173e532264060d23599a155b3f957ca5964677f2d96e26df4cd183522db208c20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b803d0365d526581273e41043d402dc2

SHA1
cf717b626504d611c2797972343fe4b5301d9c2d

SHA256
0892ed4a1cdbb75e5354e979e517714f0066610a7e39af924d673d5aca782547

SHA512
5e1c0aa0f342ad7b37a0aec465016c52d7b5bf53b75f19774c19ea42f5b364fb5687b9cb812d09efbfab7e379dc0f5d861bf04fbd44a3178d832d06cc8e213ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ed0ded27b042f101c0e63165169036a

SHA1
84c0a2f7cb7e9f7fdb68851993a2181dca8a9de4

SHA256
3b6b702c362c78b4b269b7a62f545b5a41dda122c9c16aa5a0ad58c94e5fab1a

SHA512
fa7183ef0e07aa514a19703e501784148ff6a179806fab8adeb4b6b8d5b33012c932beb6a034ba6e01176a31b462a7beb75bb326ddc4037adaf51ec287b8fa3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc1f708dfcd8fb328603e43095b4f519

SHA1
02b47ffee35075d0c8e66addfd687d0246792742

SHA256
264318b5d43f4725e90d5badeca9d73eec5b2caebd2fa4fd21831f3f49edd7d2

SHA512
29a2a632ef6ac6cd7a5817d2f0362bbb0ae4797fa7be69c293a14ab2ba5bbc80e12bd47c342330bfa5c89933fba346bc8402550a999e9c0757a197df2c5993a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE41.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBEA4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\DesktopOSIRIS.bmp

Filesize
3.7MB

MD5
f04beaa2c59be89f91155aafe94cd2e6

SHA1
c6349f7eb595592287cd0b0e9d4fb9d00f602a29

SHA256
8da7ee49c99a99a1fc8c0804370f2f6a5da28917c0f6f7d567f2ee3603004bff

SHA512
bafdabb85a07cbadfbf1b5abb3870cf03a844a9bbf56dc2fcc701ef0e62bfb52d3a69ee2f944f53e4c6a52a0a536695110884f7d3cde844fabed5887b5e0bc74

Download Submit
memory/324-331-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2756-10-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2756-8-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2756-11-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2756-21-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/2756-324-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/2756-330-0x0000000003390000-0x0000000003392000-memory.dmp

Filesize
8KB

Download
memory/2756-22-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/2756-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2756-20-0x0000000000350000-0x0000000000377000-memory.dmp

Filesize
156KB

Download
memory/2756-0-0x00000000023A0000-0x00000000023E7000-memory.dmp

Filesize
284KB

Download
memory/2756-7-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2756-6-0x00000000023A0000-0x00000000023E7000-memory.dmp

Filesize
284KB

Download
memory/2756-5-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2756-1-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2756-4-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2756-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads