Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
28-03-2022 18:17
Static task
static1
Behavioral task
behavioral1
Sample
39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe
Resource
win10v2004-en-20220113
General
-
Target
39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe
-
Size
479KB
-
MD5
0033775eeaddc98cdb766102431dd418
-
SHA1
02a6b365eb89b1430999d9ef1c275ad4ff5b7068
-
SHA256
39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8
-
SHA512
f223d0dca23c9cec72d2f479c8212981268379e95f3bcce42db8b346441428016997d1ceeaa66eafc65b9db3fa4c9ccd068049526af99372ed1f8664d72735cf
Malware Config
Signatures
-
ostap
Ostap is a JS downloader, used to deliver other families.
-
Blocklisted process makes network request 4 IoCs
Processes:
wscript.exeflow pid process 32 3216 wscript.exe 33 3216 wscript.exe 35 3216 wscript.exe 39 3216 wscript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.execmd.exedescription pid process target process PID 1816 wrote to memory of 2424 1816 39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe cmd.exe PID 1816 wrote to memory of 2424 1816 39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe cmd.exe PID 1816 wrote to memory of 2424 1816 39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe cmd.exe PID 2424 wrote to memory of 3216 2424 cmd.exe wscript.exe PID 2424 wrote to memory of 3216 2424 cmd.exe wscript.exe PID 2424 wrote to memory of 3216 2424 cmd.exe wscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe"C:\Users\Admin\AppData\Local\Temp\39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\head.title.cmd2⤵
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\wscript.exewscript /e:JScript "C:\Users\Admin\body"3⤵
- Blocklisted process makes network request
PID:3216
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
841KB
MD582f6bcbc72ab8520c6242798133d8c44
SHA110982f158d472b872ecfcdb666f123c084246a4a
SHA2561ca593cd87e3a717627bc45c64f1598465bbb345f87b5e55f5b42353f2d54dbe
SHA512ef2bace5ea92eb90fe10cecd274856a1d6db2417a20f98d1fa7273919a5c2b571f76b85fe2b0b358ebf8ee07832b78616cab6037a9c9638f4214cf3943123b68
-
Filesize
336B
MD52dd6e037448138b092b6553e24806495
SHA14d48fc73183e2499ad8631c3eb2b99f2867581c2
SHA25647ab47ff91a978ae2c69d7b10d0cf3ac5024c0a6f0748b83ed7fcb775b5866b6
SHA512dc6224f155d0e232f7abb76ab67943729ddc23a9aa661a9c38e678956ce8b57e5ed1b6fed752ebd7e5dc7d971169a0626c502220bd297f30826ff3b264f40d76
-
Filesize
841KB
MD582f6bcbc72ab8520c6242798133d8c44
SHA110982f158d472b872ecfcdb666f123c084246a4a
SHA2561ca593cd87e3a717627bc45c64f1598465bbb345f87b5e55f5b42353f2d54dbe
SHA512ef2bace5ea92eb90fe10cecd274856a1d6db2417a20f98d1fa7273919a5c2b571f76b85fe2b0b358ebf8ee07832b78616cab6037a9c9638f4214cf3943123b68