Analysis

  • max time kernel
    152s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:29

General

  • Target

    4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214.docm

  • Size

    387KB

  • MD5

    565717192a35dacce33823a8a7f5f897

  • SHA1

    542a54656018b6417320a84deb8e92ffec8d58c6

  • SHA256

    4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214

  • SHA512

    e16272d638f4cf43aad99072311adacc812c794c82f7b2adaa8a511959eb51d9b9ce534d0927c90d88e17b599732ac8c217e09673889d14eb34b888494d07177

Malware Config

Signatures

  • Ostap JavaScript Downloader 1 IoCs

    Ostap is a JavaScript downloader that has been active since 2016. It is used to deliver several families, including TrickBot.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ostap

    Ostap is a JS downloader, used to deliver other families.

  • Sets service image path in registry 2 TTPs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 14 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214.docm" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\MyImages\presskey.cmd
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\system32\cscript.exe
        cscript //nologo C:\MyImages\presskey.jse
        3⤵
          PID:3720
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
      1⤵
        PID:3616
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe 2e602fac97e55028ac597d1829cc7812 mXXzQROENkiGuBKPD0WKJg.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:3788
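The WINWORD.EXE -> cmd.exe -> cscript.exe chain in the tree above is the behaviour the "Process spawned unexpected child process" signature fires on. The block below is an added example, not code from the sandbox report: a small detector run over constructed Sysmon-style process-creation events (field names as in Sysmon EventID 1; the values are copied from the tree above, and the parent PIDs the report does not show are set to 0 by assumption). It flags any script host with an Office application anywhere in its ancestry, so it catches the cscript.exe launched one hop further down via the .cmd wrapper as well as the direct cmd.exe child, and pulls the script paths out of the command lines as IOCs. The OFFICE_APPS and SCRIPT_HOSTS sets generalise beyond this sample to other Office front-ends and interpreters.

```python
"""Flag script hosts launched under an Office process.

Added example, not part of the sandbox report. EVENTS holds constructed
Sysmon-style process-creation records (ProcessId, ParentProcessId, Image,
CommandLine as in Sysmon EventID 1) whose values come from the process tree
on this page. Parent PIDs the report does not show are set to 0 (assumption).
"""
import ntpath
import re
from typing import Dict, List

# Office front-ends whose children deserve scrutiny (generalised beyond WINWORD.EXE).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Interpreters and LOLBins a document has no legitimate reason to spawn.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Script paths in a command line, collected as IOCs (jse listed before js so \b holds).
SCRIPT_PATH_RE = re.compile(
    r'[A-Za-z]:\\[^\s"]+?\.(?:cmd|bat|jse|js|vbs|vbe|wsf|hta|ps1)\b', re.IGNORECASE)

# Constructed sample input, modelled on the process tree in the report.
EVENTS: List[Dict] = [
    {"ProcessId": 2664, "ParentProcessId": 0,  # parent not shown in the report
     "Image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n '
                    r'"C:\Users\Admin\AppData\Local\Temp\4616c3a50e0393ababc925b496f04f3687664e9d1c4b7966485a7a9124047214.docm" /o ""'},
    {"ProcessId": 1960, "ParentProcessId": 2664,
     "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c C:\MyImages\presskey.cmd"},
    {"ProcessId": 3720, "ParentProcessId": 1960,
     "Image": r"C:\Windows\system32\cscript.exe",
     "CommandLine": r"cscript //nologo C:\MyImages\presskey.jse"},
    # Background noise from the same run; must not be flagged.
    {"ProcessId": 3616, "ParentProcessId": 0,  # parent not shown in the report
     "Image": r"C:\Windows\system32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p"},
    {"ProcessId": 3788, "ParentProcessId": 0,  # parent not shown in the report
     "Image": r"C:\Windows\System32\WaaSMedicAgent.exe",
     "CommandLine": r"C:\Windows\System32\WaaSMedicAgent.exe 2e602fac97e55028ac597d1829cc7812 mXXzQROENkiGuBKPD0WKJg.0.1.0.0.0"},
]


def basename(image: str) -> str:
    """Case-folded file name of an image path (ntpath parses Windows paths on any OS)."""
    return ntpath.basename(image).lower()


def ancestry(pid: int, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Return [process, parent, grandparent, ...], stopping at unknown PIDs or cycles."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["ProcessId"] not in seen:
        seen.add(cur["ProcessId"])
        chain.append(cur)
        cur = by_pid.get(cur["ParentProcessId"])
    return chain


def find_office_spawned_script_hosts(events: List[Dict]) -> List[Dict]:
    """One finding per script host that has an Office application anywhere above it.

    A direct child (WINWORD -> cmd) is what the 'unexpected child process'
    signature fires on; walking the full ancestry also catches the cscript
    started one hop further down by the .cmd wrapper.
    """
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["Image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(ev["ProcessId"], by_pid)
        office_idx = next(
            (i for i, p in enumerate(chain) if basename(p["Image"]) in OFFICE_APPS), None)
        if office_idx is None:
            continue
        # Present the chain top-down, from the Office process to the script host.
        path = list(reversed(chain[: office_idx + 1]))
        findings.append({
            "pid": ev["ProcessId"],
            "image": basename(ev["Image"]),
            "direct_child": office_idx == 1,
            "chain": " -> ".join(f"{basename(p['Image'])}({p['ProcessId']})" for p in path),
            "scripts": SCRIPT_PATH_RE.findall(ev["CommandLine"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_office_spawned_script_hosts(EVENTS):
        print(f"{f['chain']}  direct={f['direct_child']}  scripts={f['scripts']}")
```

Run directly it prints the two chains ending in cmd.exe(1960) and cscript.exe(3720) with their script paths; the svchost.exe and WaaSMedicAgent.exe records are ignored. On real telemetry, feed it Sysmon EventID 1 records in the same shape and add the collected script paths to the hunt list alongside the hashes in the Downloads section.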

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\MyImages\presskey.cmd

        MD5

        b3773363d0c84d5d28d1445c06e6a8d4

        SHA1

        d978266c9f392b1587751835ea45f61f2cf274a5

        SHA256

        efe3bb5a0b69ad0d1864ecf93a25ab6eaaa5e59d0a89e60556653ee953d58b2a

        SHA512

        4477a8920fc50587e6e73cd5a272ed3d6febd649f997c0e37eecdf85e03443df8579a7e45345fce9712af553b55c5068d3334be6d247d832fe9a68efa8378945

      • C:\MyImages\presskey.jse

        MD5

        e556ea8266efc719db93a63d99901b61

        SHA1

        7e13624f2d2b52551108c7cda2aefe3595543402

        SHA256

        f494689529254eda41903657d1ed48a8715d568fd7cf9469c48ef2f79aa5630d

        SHA512

        1acaa944a16402df1308c70a3f21b8427347dbd0293f8fee3186e13c04a0163ba0654253a0613513cd1be70638f9b9e75bddd66bcc6ff44789fe5a504f2ed3d3

      • memory/2664-131-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

        Filesize

        64KB

      • memory/2664-132-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

        Filesize

        64KB

      • memory/2664-133-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

        Filesize

        64KB

      • memory/2664-134-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

        Filesize

        64KB

      • memory/2664-135-0x00007FFBA13D0000-0x00007FFBA13E0000-memory.dmp

        Filesize

        64KB

      • memory/2664-138-0x00007FFB9ED60000-0x00007FFB9ED70000-memory.dmp

        Filesize

        64KB

      • memory/2664-139-0x00007FFB9ED60000-0x00007FFB9ED70000-memory.dmp

        Filesize

        64KB

      • memory/2664-141-0x0000017AD9680000-0x0000017AD9684000-memory.dmp

        Filesize

        16KB