Overview

overview

10

Static

static

good5.exe

windows7_x64

10

good5.exe

windows10_x64

10

Analysis

  • max time kernel
    34s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    good5.exe

  • Size

    134KB

  • MD5

    5f3450647a951c4c8a262f603ca8aabf

  • SHA1

    0dc1e18dc14a9e6d5dedf644b4d690075e77bbff

  • SHA256

    ea05817e0614fd085e2775d01e7197e93bde58cf57789aeb49ed39f6c295973c

  • SHA512

    8f2eff9a18b27b3bce75f9b7c0c0b3d947344c7acd71e54ee398ca15b089f1000dbb1643ad2c8d0d21dccf5dc54fd4af7c15e3a4cafa150dd8e13bcb5a8e04e0

Score
10/10
ostapdownloaderpersistence

Malware Config

Signatures

  • Ostap JavaScript Downloader 1 IoCs

    Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot

  • ostap

    Ostap is a JS downloader, used to deliver other families.

    downloaderostap
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • JavaScript code in executable 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\good5.exe
    "C:\Users\Admin\AppData\Local\Temp\good5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c type xi.bmp & magnium.jse & set
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\magnium.jse"
        3⤵
          PID:1532

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads