ostap | 8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782

General

Target

8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe
Size

108KB
MD5

300b7aff514d9d72891455bbe545718c
SHA1

15a54c02c8787b9a7057a5542194dd1b4ad82644
SHA256

8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782
SHA512

ba451e21e2b26e101e87414252024acb8baa5e8f40c03e747636f0c0652a5df3d5aa86dff490d43149809af09d1d42286f1ac554e7bd35209827c2ec4fda2f2d

Score

10^/10

Malware Config

Signatures

Ostap JavaScript Downloader 1 IoCs

Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot

resource	yara_rule
behavioral1/files/0x0009000000012205-57.dat	family_ostap

ostap
Ostap is a JS downloader, used to deliver other families.
downloader ostap

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2028	2040	8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe	27
PID 2040 wrote to memory of 2028	2040	8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe	27
PID 2040 wrote to memory of 2028	2040	8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe	27
PID 2040 wrote to memory of 2028	2040	8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe	27
PID 2040 wrote to memory of 2028	2040	8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe	27
PID 2040 wrote to memory of 2028	2040	8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe	27
PID 2040 wrote to memory of 2028	2040	8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe	27
PID 2028 wrote to memory of 604	2028	cmd.exe	29
PID 2028 wrote to memory of 604	2028	cmd.exe	29
PID 2028 wrote to memory of 604	2028	cmd.exe	29
PID 2028 wrote to memory of 604	2028	cmd.exe	29
PID 2028 wrote to memory of 604	2028	cmd.exe	29
PID 2028 wrote to memory of 604	2028	cmd.exe	29
PID 2028 wrote to memory of 604	2028	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe
"C:\Users\Admin\AppData\Local\Temp\8b51c81b1120f90f7a834757e8f471326f7c5468fd3404c24ecd047d16036782.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\cmd.exe
  cmd /c vol && 900.jse && type 700.txt && date
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\900.jse"
    3⤵
    PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing