Overview

overview

10

Static

static

good.exe

windows7_x64

10

good.exe

windows10_x64

10

Analysis

  • max time kernel
    11s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 19:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    good.exe

  • Size

    117KB

  • MD5

    3656d2dfcd4f9ebf97e03fa2c9a05ade

  • SHA1

    bd9ecbe901ff4366c789fa63eaffdda9d3f4e931

  • SHA256

    b479533a51ba629bd5f20a7e9faa3bcccfddc72218b23dfd5a4ab15825204944

  • SHA512

    2eb3f78eb1e6dd34563c78a5bd656813a4e80f49676a9fec5ab33290b9fa487d8817ff5cf8c3241031fadf0a010c8a0bf3c9afa5dda9e5c519838a3089350738

Score
10/10
ostapdownloaderpersistence

Malware Config

Signatures

  • Ostap JavaScript Downloader 1 IoCs

    Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot

  • ostap

    Ostap is a JS downloader, used to deliver other families.

    downloaderostap
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • JavaScript code in executable 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\good.exe
    "C:\Users\Admin\AppData\Local\Temp\good.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c title ok && config.jse && type dr.txt && exit
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\config.jse"
        3⤵
          PID:4056

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads