Analysis
max time kernel: 25s
max time network: 109s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:37
Static task: static1
Behavioral task: behavioral1
Sample: good5.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: good5.exe
Resource: win10v20201028
General
Target: good5.exe
Size: 134KB
MD5: 5f3450647a951c4c8a262f603ca8aabf
SHA1: 0dc1e18dc14a9e6d5dedf644b4d690075e77bbff
SHA256: ea05817e0614fd085e2775d01e7197e93bde58cf57789aeb49ed39f6c295973c
SHA512: 8f2eff9a18b27b3bce75f9b7c0c0b3d947344c7acd71e54ee398ca15b089f1000dbb1643ad2c8d0d21dccf5dc54fd4af7c15e3a4cafa150dd8e13bcb5a8e04e0
Malware Config
Signatures
Ostap JavaScript Downloader 1 IoCs
Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, including TrickBot.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\magnium.jse | family_ostap
ostap
Ostap is a JS downloader, used to deliver other families.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: good5.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | good5.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | good5.exe
JavaScript code in executable 1 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\magnium.jse | js
Modifies registry class 1 IoCs
Processes: cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | cmd.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes: good5.exe, cmd.exe
description | pid | process | target process
PID 412 wrote to memory of 3212 | 412 | good5.exe | cmd.exe
PID 412 wrote to memory of 3212 | 412 | good5.exe | cmd.exe
PID 412 wrote to memory of 3212 | 412 | good5.exe | cmd.exe
PID 3212 wrote to memory of 3016 | 3212 | cmd.exe | WScript.exe
PID 3212 wrote to memory of 3016 | 3212 | cmd.exe | WScript.exe
PID 3212 wrote to memory of 3016 | 3212 | cmd.exe | WScript.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\good5.exe (PID: 412)
   Command line: "C:\Users\Admin\AppData\Local\Temp\good5.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID: 3212)
      Command line: cmd /c type xi.bmp & magnium.jse & set
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe (PID: 3016)
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\magnium.jse"
Network
MITRE ATT&CK Enterprise v6
Downloads