Analysis

  • max time kernel
    154s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 05:46

General

  • Target

    7014059534b7e5e784f3c1aea032c40e5f9852f37aabd638faf0d3166f66033e.docm

  • Size

    351KB

  • MD5

    4126c1f9921b4fa7bcc74106e4458487

  • SHA1

    7da2f7ea90b73d3456516e048cb2c9cdb5b6aace

  • SHA256

    7014059534b7e5e784f3c1aea032c40e5f9852f37aabd638faf0d3166f66033e

  • SHA512

    713b3ceb59db57b2431bf7187d4ece3478a731a6728b2f5dd555a4f77b3c3dba4b30dae8fb4af40323204d4ad876cd96bd933285d6a49a39560c372e11ab8ef1

Malware Config

Signatures

  • Ostap JavaScript Downloader 1 IoCs

    Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, including TrickBot

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ostap

    Ostap is a JS downloader, used to deliver other families.

  • Sets service image path in registry 2 TTPs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7014059534b7e5e784f3c1aea032c40e5f9852f37aabd638faf0d3166f66033e.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\1803Logs\Billing.cmd
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\system32\cscript.exe
        cscript //nologo c:\1803Logs\1803Fonts.jse
        3⤵
          PID:3572
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:1864
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe ab9f2815df4157c2d4af25eae3d99a41 ICnGkqs/gU+sTicfu9aFkA.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:1904
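The process tree above is what the "Process spawned unexpected child process" signature fires on: WINWORD.EXE launches cmd.exe to run c:\1803Logs\Billing.cmd, which in turn hands c:\1803Logs\1803Fonts.jse to cscript.exe. The Python below is an added example, not part of the sandbox report, that rebuilds parent/child ancestry from process-creation events and flags any script interpreter that has an Office host anywhere above it, pulling out the script path and the lure document along the way. The event records are constructed from the tree above; the parent PIDs of the two top-level processes, and the lists of Office hosts and interpreters to watch, are assumptions.

```python
import ntpath
import re

# Office hosts that should not normally spawn script interpreters, and the
# interpreters worth flagging. Both sets are assumptions for this example.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Script files handed to an interpreter (Billing.cmd, 1803Fonts.jse, ...).
SCRIPT_RE = re.compile(r"[\w:\\.\-]+\.(?:cmd|bat|jse|js|vbs|vbe|ps1|hta)\b", re.I)
# Quoted Office document passed to the Office host (the lure).
DOC_RE = re.compile(r'"([^"]+\.(?:docm?|dotm?|xlsm?|xlam|pptm?))"', re.I)

# Constructed process-creation events mirroring the report's process tree.
# ppid=None marks the top-level processes (depth 1 in the report); their real
# parents are not in the report, so this is an assumption.
EVENTS = [
    {"pid": 2428, "ppid": None,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
                r'"C:\Users\Admin\AppData\Local\Temp\7014059534b7e5e784f3c1aea032c40e5f9852f37aabd638faf0d3166f66033e.docm" /o ""'},
    {"pid": 3000, "ppid": 2428, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c c:\1803Logs\Billing.cmd"},
    {"pid": 3572, "ppid": 3000, "image": r"C:\Windows\system32\cscript.exe",
     "cmdline": r"cscript //nologo c:\1803Logs\1803Fonts.jse"},
    {"pid": 1864, "ppid": None, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p"},
    {"pid": 1904, "ppid": 1864, "image": r"C:\Windows\System32\WaaSMedicAgent.exe",
     "cmdline": r"C:\Windows\System32\WaaSMedicAgent.exe ab9f2815df4157c2d4af25eae3d99a41 ICnGkqs/gU+sTicfu9aFkA.0.1.0.0.0"},
]


def basename(path):
    """Lower-cased image file name; ntpath handles Windows separators on any host OS."""
    return ntpath.basename(path).lower()


def ancestry(by_pid, pid):
    """Image names from the top-most known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def office_ancestor(by_pid, pid):
    """Nearest Office-host ancestor event of pid, or None if there is none."""
    pid = by_pid[pid]["ppid"]
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if basename(by_pid[pid]["image"]) in OFFICE_APPS:
            return by_pid[pid]
        pid = by_pid[pid]["ppid"]
    return None


def find_office_script_chains(events):
    """Flag every interpreter that has an Office host anywhere in its ancestry.

    Walking the full ancestry rather than only the direct parent is what
    catches the cmd.exe -> cscript.exe hop, where the interpreter's immediate
    parent is not an Office process.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) not in INTERPRETERS:
            continue
        office = office_ancestor(by_pid, ev["pid"])
        if office is None:
            continue
        docs = DOC_RE.findall(office["cmdline"])
        findings.append({
            "pid": ev["pid"],
            "chain": ancestry(by_pid, ev["pid"]),
            "scripts": SCRIPT_RE.findall(ev["cmdline"]),
            "lure": docs[0] if docs else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_office_script_chains(EVENTS):
        print(f"pid {f['pid']}: {' -> '.join(f['chain'])} "
              f"scripts={f['scripts']} lure={f['lure']}")
```

Run against the constructed events, the svchost.exe / WaaSMedicAgent.exe branch is left alone and both cmd.exe (pid 3000) and cscript.exe (pid 3572) are reported with WINWORD.EXE at the top of their chain, the script they were given, and the .docm the Office host was opened with. On a real endpoint the same logic would consume Sysmon Event ID 1 or EDR process-creation telemetry, where ParentProcessId and CommandLine are available in the same shape.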

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2428-136-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB

  • memory/2428-133-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB

  • memory/2428-137-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB

  • memory/2428-140-0x00007FFB37DB0000-0x00007FFB37DC0000-memory.dmp

    Filesize

    64KB

  • memory/2428-141-0x00007FFB37DB0000-0x00007FFB37DC0000-memory.dmp

    Filesize

    64KB

  • memory/2428-143-0x0000010F80000000-0x0000010F80004000-memory.dmp

    Filesize

    16KB

  • memory/2428-135-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB

  • memory/2428-134-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB

  • memory/2428-305-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB

  • memory/2428-304-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB

  • memory/2428-307-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB

  • memory/2428-306-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB