ostap | 0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb

General

Target

0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe
Size

943KB
MD5

1062b0544beb5457fb6fe2b42a5d279d
SHA1

e0802b7dc9034902afbbe8ce4a2f8a107278b32b
SHA256

0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb
SHA512

2910ecf620c20672c440a647045f91512f17b16a11a701a667f29f17d24b0bf8f8aa56ebcda39111fd72ed9e8dec159622f205da18e31a06bbd84bed654b5b5d

Score

10^/10

ostap downloader persistence

Malware Config

Signatures

ostap
Ostap is a JS downloader, used to deliver other families.
downloader ostap

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	1964	wscript.exe
4	1964	wscript.exe
5	1964	wscript.exe
6	1964	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 476 wrote to memory of 2024	476	0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe	26
PID 476 wrote to memory of 2024	476	0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe	26
PID 476 wrote to memory of 2024	476	0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe	26
PID 476 wrote to memory of 2024	476	0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe	26
PID 476 wrote to memory of 2024	476	0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe	26
PID 476 wrote to memory of 2024	476	0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe	26
PID 476 wrote to memory of 2024	476	0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe	26
PID 2024 wrote to memory of 1964	2024	cmd.exe	28
PID 2024 wrote to memory of 1964	2024	cmd.exe	28
PID 2024 wrote to memory of 1964	2024	cmd.exe	28
PID 2024 wrote to memory of 1964	2024	cmd.exe	28
PID 2024 wrote to memory of 1964	2024	cmd.exe	28
PID 2024 wrote to memory of 1964	2024	cmd.exe	28
PID 2024 wrote to memory of 1964	2024	cmd.exe	28

C:\Users\Admin\AppData\Local\Temp\0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe
"C:\Users\Admin\AppData\Local\Temp\0a365240a36f0958331bb5c9f022d78b816edd66ee25baf4445e7a5421bb75eb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:476
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\TENTWO~1.CMD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\wscript.exe
    wscript /e:JScript "C:\Users\Admin\box"
    3⤵
    - Blocklisted process makes network request
    PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads