Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 05:46

General

  • Target

    7014059534b7e5e784f3c1aea032c40e5f9852f37aabd638faf0d3166f66033e.docm

  • Size

    351KB

  • MD5

    4126c1f9921b4fa7bcc74106e4458487

  • SHA1

    7da2f7ea90b73d3456516e048cb2c9cdb5b6aace

  • SHA256

    7014059534b7e5e784f3c1aea032c40e5f9852f37aabd638faf0d3166f66033e

  • SHA512

    713b3ceb59db57b2431bf7187d4ece3478a731a6728b2f5dd555a4f77b3c3dba4b30dae8fb4af40323204d4ad876cd96bd933285d6a49a39560c372e11ab8ef1

Score
10/10

Malware Config

Signatures

  • Ostap JavaScript Downloader 1 IoCs

    Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, including TrickBot.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ostap

    Ostap is a JS downloader, used to deliver other families.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7014059534b7e5e784f3c1aea032c40e5f9852f37aabd638faf0d3166f66033e.docm"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\1803Logs\Billing.cmd
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo c:\1803Logs\1803Fonts.jse
        3⤵
          PID:1784
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1960

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \??\c:\1803Logs\1803Fonts.jse

    MD5

    7ff4d88d389ba78b84d1c1793443dccc

    SHA1

    ad7e4d6eb989fe85fb4a9052e65db2fd6598bbbb

    SHA256

    51511ac5ae47c21e2199e9b8e72d3d7283bdf04199dc3156dc98f39693eb1a43

    SHA512

    bbd2f58beb37cafd0b0153eb4f304887592689e3486ac79248e77bc8ca5bcac110128154d451fb551e691c2fc6503d7ce00bb44918907a8fdc2a3b0e2c6da661

  • \??\c:\1803Logs\Billing.cmd

    MD5

    e2010b1060a68ed0b41cc74dca779b0c

    SHA1

    ffc04b2953429851e16be215d366a0b8982e962d

    SHA256

    f92393a3a4e40b278c2203dc272033c1c3aa973222e75d500b0b37a207cf1ae4

    SHA512

    f5003852b896deae424032748e65f04915328d8e83f56b786b7c4b94ef67353f8982643f3f2d0650c98dd0dd322b325ee4efb7cea1a76d5244419a6e0445a27b

  • memory/1508-55-0x0000000072A51000-0x0000000072A54000-memory.dmp

    Filesize

    12KB

  • memory/1508-56-0x00000000704D1000-0x00000000704D3000-memory.dmp

    Filesize

    8KB

  • memory/1508-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1508-58-0x00000000758A1000-0x00000000758A3000-memory.dmp

    Filesize

    8KB

  • memory/1508-59-0x0000000006490000-0x00000000070DA000-memory.dmp

    Filesize

    12.3MB

  • memory/1508-60-0x0000000000680000-0x0000000000734000-memory.dmp

    Filesize

    720KB

  • memory/1508-61-0x0000000000680000-0x0000000000734000-memory.dmp

    Filesize

    720KB

  • memory/1508-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1960-65-0x000007FEFBF31000-0x000007FEFBF33000-memory.dmp

    Filesize

    8KB