Overview

overview

10

Static

static

3

f329ea2c75...6b.dll

windows7-x64

10

f329ea2c75...6b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/03/2025, 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b.dll

  • Size

    159KB

  • MD5

    7932ee5fa6f83b149569752c47e04b87

  • SHA1

    6eb115feadc5808507fb5a666dd18aa89a45616c

  • SHA256

    f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b

  • SHA512

    17ba26e69f7536f5adaa52454fbd407338be61d97bc396baa591de9fa19aab3e539b4ca32059b2ddb1b901ac7ecd341dff9ead706fc0d058086e6b3795642f58

  • SSDEEP

    3072:pusrpo1j49JvKa0ePbh37E6ZO78buZKxrF:ZQcvKpE37E6nmKhF

Score
10/10
lockylocky_osirisdiscoveryransomware

Malware Config

Signatures

  • Locky

    Ransomware strain released in 2016, with advanced features like anti-analysis.

    ransomwarelocky
  • Locky (Osiris variant)

    Variant of the Locky ransomware seen in the wild since early 2017.

    ransomwarelocky_osiris
  • Locky family
    locky
  • Locky_osiris family
    locky_osiris
  • Blocklisted process makes network request 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    defense_evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f329ea2c754ab196d15c20fbf9abd722fa63630631144c5a409bd2a20172196b.dll,#1
      2⤵
      • Blocklisted process makes network request
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:3816
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\DesktopOSIRIS.htm
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd71a046f8,0x7ffd71a04708,0x7ffd71a04718
          4⤵
            PID:2000
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
            4⤵
              PID:3548
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:620
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
              4⤵
                PID:1168
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
                4⤵
                  PID:1324
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
                  4⤵
                    PID:3184
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
                    4⤵
                      PID:2340
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1952
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
                      4⤵
                        PID:2108
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
                        4⤵
                          PID:2104
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
                          4⤵
                            PID:2336
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9276660524825219031,136883551129848597,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
                            4⤵
                              PID:212
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:1020
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:1424

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            0621e31d12b6e16ab28de3e74462a4ce

                            SHA1

                            0af6f056aff6edbbc961676656d8045cbe1be12b

                            SHA256

                            1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

                            SHA512

                            bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                            Filesize

                            152B

                            MD5

                            56361f50f0ee63ef0ea7c91d0c8b847a

                            SHA1

                            35227c31259df7a652efb6486b2251c4ee4b43fc

                            SHA256

                            7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0

                            SHA512

                            94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            5KB

                            MD5

                            b7036a500e6da9d871951eccc0bc21fe

                            SHA1

                            a5ee8dd6052fe22c576fcdd742bfd77dea0c95bf

                            SHA256

                            dafe9d6c0728fd8b84be84cf6883639ef2f81bab27a79173a5caa060619685b3

                            SHA512

                            8990cf936a3a44a95e5a491a0e780a6773f9f740d25d4aaef06b48f35e907fe3011a3e9a4209f7f65d168ac4558c864c165560da5c8ed7360cb15ffeae458802

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                            Filesize

                            6KB

                            MD5

                            21318cc90b1f8d1c8042b8616a923812

                            SHA1

                            ccc1c77b361b228533bd72e59218f8f2d5485fe6

                            SHA256

                            7bb1b54a0e73643e8c5b270380810bb5eeb3a73ea56952edbe15685b89ec68a9

                            SHA512

                            c9adb016ee7e6ac96c72975902d1593a73c962d69eab40b1cf7f4369b5e3541006cf319b150fab5698a5dca667a0115cd549cdc3de722b5495d94c32f18af97c

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                            Filesize

                            11KB

                            MD5

                            2709cfc4a346b8d225eb39ff1a7e187a

                            SHA1

                            bc8e0f2975f03b00fac84cb7066e1a60d4553165

                            SHA256

                            91fb6cc2ada987443aa0d521fe635b052aee2ff1b67cbdde0ee2d9b5f73415be

                            SHA512

                            bc423c0834672d314fd09e720a8b35d39382c393d858552352ef64ea4010a45399fc3fb34996e4ffcf7271886077ee8afa96eab940acc14eaf62ca6a68c2df61

                            Download Submit

                          • C:\Users\Admin\Downloads\OSIRIS-5ce9.htm
                            Filesize

                            8KB

                            MD5

                            f2b0d918319d554ec5ec1e3311b1fe7c

                            SHA1

                            ef5c210abab29015eb702728245eb1b5cd5c1b7f

                            SHA256

                            25f41566ba5200d4a8abc5a2792bc1f8c3cc5cde6979b1cc5e015b51fd75bf98

                            SHA512

                            94a7649b04ce35abe8f49b7f0906fe811205bdfd1af09787acc4568a24dd120415ea6facb84c5606b3a7918525ee26782e8475c19a6dac4eb89db85d4c70a293

                            Download Submit

                          • memory/3816-5-0x0000000000910000-0x0000000000911000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3816-14-0x00000000758F0000-0x0000000075922000-memory.dmp

                            Filesize

                            200KB

                            Download

                          • memory/3816-16-0x00000000758F0000-0x0000000075922000-memory.dmp

                            Filesize

                            200KB

                            Download

                          • memory/3816-12-0x00000000758F0000-0x0000000075922000-memory.dmp

                            Filesize

                            200KB

                            Download

                          • memory/3816-9-0x00000000758F0000-0x0000000075922000-memory.dmp

                            Filesize

                            200KB

                            Download

                          • memory/3816-7-0x00000000758F0000-0x0000000075922000-memory.dmp

                            Filesize

                            200KB

                            Download

                          • memory/3816-0-0x00000000758F0000-0x0000000075922000-memory.dmp

                            Filesize

                            200KB

                            Download

                          • memory/3816-4-0x00000000758F0000-0x0000000075922000-memory.dmp

                            Filesize

                            200KB

                            Download

                          • memory/3816-3-0x00000000758F0000-0x0000000075922000-memory.dmp

                            Filesize

                            200KB

                            Download

                          • memory/3816-1-0x0000000000910000-0x0000000000911000-memory.dmp

                            Filesize

                            4KB

                            Download