ostap | ea05817e0614fd085e2775d01e7197e93bde58cf57789aeb49ed39f6c295973c

General

Target

good5.exe
Size

134KB
MD5

5f3450647a951c4c8a262f603ca8aabf
SHA1

0dc1e18dc14a9e6d5dedf644b4d690075e77bbff
SHA256

ea05817e0614fd085e2775d01e7197e93bde58cf57789aeb49ed39f6c295973c
SHA512

8f2eff9a18b27b3bce75f9b7c0c0b3d947344c7acd71e54ee398ca15b089f1000dbb1643ad2c8d0d21dccf5dc54fd4af7c15e3a4cafa150dd8e13bcb5a8e04e0

Score

10^/10

Malware Config

Signatures

Ostap JavaScript Downloader 1 IoCs

Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\magnium.jse	family_ostap

ostap
Ostap is a JS downloader, used to deliver other families.
downloader ostap

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

good5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	good5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	good5.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\magnium.jse	js

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

good5.execmd.exe

description	pid	process	target process
PID 412 wrote to memory of 3212	412	good5.exe	cmd.exe
PID 412 wrote to memory of 3212	412	good5.exe	cmd.exe
PID 412 wrote to memory of 3212	412	good5.exe	cmd.exe
PID 3212 wrote to memory of 3016	3212	cmd.exe	WScript.exe
PID 3212 wrote to memory of 3016	3212	cmd.exe	WScript.exe
PID 3212 wrote to memory of 3016	3212	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\good5.exe
"C:\Users\Admin\AppData\Local\Temp\good5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c type xi.bmp & magnium.jse & set
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\magnium.jse"
    3⤵
    PID:3016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\magnium.jse

MD5
cefa4cd1c856c134d30e51ecdbcf4d4e

SHA1
e7cc4a5138b1c822aa0bd4dc126a9baae7eb87e2

SHA256
8a619a8801d3406749581d7a3ebc3ccfe4a35d83f670facaa70442a9dc64d1a4

SHA512
58b2dc6ab357fc65e5eca1f6b64aa717911f99987ca8232dc8c7a5054f52418e09d7b4d9899cea992bc01294128c350ec5a2af5f1902a6eb231e17988db58ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xi.bmp

MD5
46719cdc2ef2ad73627786236f1850e2

SHA1
f8e30b99a00f847c01f7d95cdee3ce907039414e

SHA256
22348fbbaaba665b18258e28db1f02ec66f0eefc9a2f0b4ac711254dd4f3582d

SHA512
07ca32756b6a57ddfd64980650cdc0aff6920b6640d9b3be9d810b6fa99fd02b02b247da682293647859de2e50934e59a4a3cb9fb555bf7640b4cf9768502096

Download Submit
memory/3016-3-0x0000000000000000-mapping.dmp

Download
memory/3212-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads