Overview

overview

10

Static

static

8

559b4ec0b9...a0.xls

windows7_x64

10

559b4ec0b9...a0.xls

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    06-10-2020 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    559b4ec0b99a8e268d3dddd0c6a73f04317cdc9f597255fd1ce90015dfcfaea0.xls

  • Size

    1.6MB

  • MD5

    a34a2058c8eec7685d35736f193b187c

  • SHA1

    1009d8aeb10174624cff7dde7307610b4a9c6fb8

  • SHA256

    559b4ec0b99a8e268d3dddd0c6a73f04317cdc9f597255fd1ce90015dfcfaea0

  • SHA512

    ea435eacbb26748fdbbb9f07066347afb96b32fcf03f49844a907e67d5e343e926d57ed3907a6171e06ff1413aed43f6bd0eb84b086385c44ba374cdbe587f36

Score
10/10
ostapdownloader

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ostap

    Ostap is a JS downloader, used to deliver other families.

    downloaderostap
  • Blocklisted process makes network request 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\559b4ec0b99a8e268d3dddd0c6a73f04317cdc9f597255fd1ce90015dfcfaea0.xls
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\dot.jpegom.jse"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      PID:1864

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\dot.jpegom.jse
    MD5

    e84d3086b045a60e1b6c5d20e218b6cf

    SHA1

    8d0c79e6801b830ec403663283cf4f4ac7617ba8

    SHA256

    9ae0909134cae1160ab1a4c6fd801b7ca4bf017865cc45d6f3a80daeb7d16377

    SHA512

    3c592e97d7b3b4c0d425cb8660502c42093072cb0bfa133584dd384c551e45d5a98cf8e9cbd35ca7c5fe0e48bc8404c2f8d332226795fcbbb0307a88eb1e0bbc

    Download Submit

  • memory/1480-0-0x00000000061E0000-0x00000000061E4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1480-1-0x0000000007F39000-0x0000000007F3D000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1480-2-0x0000000007F39000-0x0000000007F3D000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1480-3-0x00000000095D0000-0x00000000095D4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1480-4-0x0000000008083000-0x0000000008087000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1480-5-0x0000000007F39000-0x0000000007F3D000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1480-6-0x0000000008B3A000-0x0000000008B3C000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1480-7-0x0000000008B37000-0x0000000008B3A000-memory.dmp

    Filesize

    12KB

    Download

  • memory/1480-8-0x0000000008B3A000-0x0000000008B3C000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1864-9-0x0000000000000000-mapping.dmp

    Download