Analysis

  • max time kernel: 148s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220113
  • submitted: 28-03-2022 18:17

General

  • Target: 39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe
  • Size: 479KB
  • MD5: 0033775eeaddc98cdb766102431dd418
  • SHA1: 02a6b365eb89b1430999d9ef1c275ad4ff5b7068
  • SHA256: 39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8
  • SHA512: f223d0dca23c9cec72d2f479c8212981268379e95f3bcce42db8b346441428016997d1ceeaa66eafc65b9db3fa4c9ccd068049526af99372ed1f8664d72735cf

Malware Config

Signatures

  • ostap

    Ostap is a JS downloader, used to deliver other families.

  • Blocklisted process makes network request (4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe (level 1, PID 1816)
    Command line: "C:\Users\Admin\AppData\Local\Temp\39e312a1f6f2cf09306053aa615e35c8ebd0069ad68184f4a58a3171ec9baea8.exe"
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (level 2, PID 2424)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\head.title.cmd
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\wscript.exe (level 3, PID 3216)
        Command line: wscript /e:JScript "C:\Users\Admin\body"
        • Blocklisted process makes network request

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\body.css
    Filesize: 841KB
    MD5: 82f6bcbc72ab8520c6242798133d8c44
    SHA1: 10982f158d472b872ecfcdb666f123c084246a4a
    SHA256: 1ca593cd87e3a717627bc45c64f1598465bbb345f87b5e55f5b42353f2d54dbe
    SHA512: ef2bace5ea92eb90fe10cecd274856a1d6db2417a20f98d1fa7273919a5c2b571f76b85fe2b0b358ebf8ee07832b78616cab6037a9c9638f4214cf3943123b68

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\head.title.cmd
    Filesize: 336B
    MD5: 2dd6e037448138b092b6553e24806495
    SHA1: 4d48fc73183e2499ad8631c3eb2b99f2867581c2
    SHA256: 47ab47ff91a978ae2c69d7b10d0cf3ac5024c0a6f0748b83ed7fcb775b5866b6
    SHA512: dc6224f155d0e232f7abb76ab67943729ddc23a9aa661a9c38e678956ce8b57e5ed1b6fed752ebd7e5dc7d971169a0626c502220bd297f30826ff3b264f40d76

  • C:\Users\Admin\body (same content as body.css above)
    Filesize: 841KB
    MD5: 82f6bcbc72ab8520c6242798133d8c44
    SHA1: 10982f158d472b872ecfcdb666f123c084246a4a
    SHA256: 1ca593cd87e3a717627bc45c64f1598465bbb345f87b5e55f5b42353f2d54dbe
    SHA512: ef2bace5ea92eb90fe10cecd274856a1d6db2417a20f98d1fa7273919a5c2b571f76b85fe2b0b358ebf8ee07832b78616cab6037a9c9638f4214cf3943123b68

  • memory/2424-130-0x0000000000000000-mapping.dmp

  • memory/3216-133-0x0000000000000000-mapping.dmp