There was a Locky resurgence with the Osiris variant last December. Although it is too late to post this analysis for others to benefit from it, it is still worth a journal entry.
The infection originated from a set of Excel files with macros (obviously).
Once the macros have been enabled, the encryption process runs until all the files have been replaced with encrypted copies and the desktop background is replaced by the following:
The encrypted files have the ‘osiris’ extension, and an HTML file containing detailed instructions for decrypting the files (after paying the ransom) is written to each folder that contains encrypted files.
During the encryption process we can see that Excel spawned a rundll32 process (Process Hacker helps here).
Using Process Hacker we can also see the threads created during this process. This tells us which DLLs are loaded during the execution of rundll32.exe, and it reveals an unusual file, ‘shtefans1.spe’.
Searching for this file points us to the temporary directory of the current user. Alongside the file we pointed out earlier there is another one; both have similar timestamps and sizes.
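The chain observed above (Excel spawning rundll32.exe, which is handed an oddly named module from the user's temp directory) can be turned into a simple detection check. This is an added example, not code from the original post; the event fields, the command line and the export name are assumptions, since the post only shows the process tree and the module name.

```python
"""Flag Office -> rundll32 process chains that load a non-DLL module from a temp directory.
The event shape below is an assumption modelled on a generic process-creation log."""
import ntpath
import re
from typing import Dict, List

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"rundll32.exe", "regsvr32.exe"}
# Extensions rundll32 is normally handed; anything else coming out of %TEMP% stands out.
EXPECTED_MODULE_EXT = {".dll", ".cpl", ".ocx"}

# Constructed sample events: the first mirrors the Locky/Osiris chain seen above
# ("EntryPoint" is a placeholder export name, not taken from the sample), the second is benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\shtefans1.spe,EntryPoint"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def module_from_cmdline(cmdline: str) -> str:
    """Extract the module path from 'rundll32.exe <module>,<export> ...'."""
    m = re.match(r'^\s*"?[^"\s]*rundll32\.exe"?\s+"?([^",]+)', cmdline, re.IGNORECASE)
    return m.group(1).strip() if m else ""


def is_temp_path(path: str) -> bool:
    """True for modules living under the per-user or system temp directory."""
    return re.search(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", path, re.IGNORECASE) is not None


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event is suspicious (empty list means benign)."""
    parent = ntpath.basename(event["parent"]).lower()   # ntpath handles Windows paths on any OS
    child = ntpath.basename(event["image"]).lower()
    reasons = []
    if parent in OFFICE_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    module = module_from_cmdline(event["cmdline"]) if child == "rundll32.exe" else ""
    if module:
        ext = ntpath.splitext(module)[1].lower()
        if is_temp_path(module):
            reasons.append("rundll32 module loaded from a temp directory")
        if ext not in EXPECTED_MODULE_EXT:
            reasons.append(f"unexpected rundll32 module extension {ext or '(none)'}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events and keep only the flagged ones."""
    return [{"cmdline": e["cmdline"], "reasons": classify(e)} for e in events if classify(e)]
```

The three independent signals (Office parent, temp-directory module, non-DLL extension) are kept separate so each can be weighted or suppressed on its own.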
In this post we cursorily went through the conspicuous changes that occurred after Locky was executed. In the next post we will do a deep dive into the macros used and try to understand how rundll32 was spawned from Excel.