Analysis

  • max time kernel
    134s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    03-12-2020 19:37

General

  • Target

    0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe

  • Size

    943KB

  • MD5

    1062b0544beb5457fb6fe2b42a5d279d

  • SHA1

    e0802b7dc9034902afbbe8ce4a2f8a107278b32b

  • SHA256

    0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb

  • SHA512

    2910ecf620c20672c440a647045f91512f17b16a11a701a667f29f17d24b0bf8f8aa56ebcda39111fd72ed9e8dec159622f205da18e31a06bbd84bed654b5b5d

Malware Config

Signatures

  • ostap

    Ostap is a JS downloader, used to deliver other families.

  • Blocklisted process makes network request 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe
    "C:\Users\Admin\AppData\Local\Temp\0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:476
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TENTWO~1.CMD
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\wscript.exe
        wscript /e:JScript "C:\Users\Admin\box"
        3⤵
        • Blocklisted process makes network request
        PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TENTWO~1.CMD
    MD5

    5628a0d0d3349fbfb0cd6de7086a176f

    SHA1

    fd57d82062c6d5136012e63725f106ed6e7b9dc5

    SHA256

    5f69cb0df18e323ae4c6aa3a680940c4d66333fcf7d2e03e21086a7920dc17b5

    SHA512

    52a05440a1370e6e8fd0a2fe3db4baf692210e1b1f0c34b5b1511e0970e0477bfc9982056ef38b368457d6b7953fd8e1c7bdc0b92df3337c356411ab978d5919

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\norm.box
    MD5

    98fa8c67dd30a197e67fe8c93a61705b

    SHA1

    f7a184942ab4e92d9b65efb7e12c138728f0a081

    SHA256

    8ec6a5c38cfa2620c8cc85e4c5fbcc3fbe0406ef4e91686468bd8bbd3495b4f3

    SHA512

    f8d6f1d366fa8c3db72ddbe243f2e26e734ac99529e12d3d237ab619dbe3a1ac3cbd697d4d4d4a8392d1a24006b2a50e63add4840389de768376959c0dece126

  • C:\Users\Admin\box
    MD5

    98fa8c67dd30a197e67fe8c93a61705b

    SHA1

    f7a184942ab4e92d9b65efb7e12c138728f0a081

    SHA256

    8ec6a5c38cfa2620c8cc85e4c5fbcc3fbe0406ef4e91686468bd8bbd3495b4f3

    SHA512

    f8d6f1d366fa8c3db72ddbe243f2e26e734ac99529e12d3d237ab619dbe3a1ac3cbd697d4d4d4a8392d1a24006b2a50e63add4840389de768376959c0dece126

  • memory/1964-5-0x0000000000000000-mapping.dmp
  • memory/2024-2-0x0000000000000000-mapping.dmp