ostap | 2ab98ac09ef0db9eaef3b2ecc09a6ef42d6977cba89ac08781f0751572d5b16b

General

Target

2ab98ac09ef0db9eaef3b2ecc09a6ef42d6977cba89ac08781f0751572d5b16b.docm
Size

638KB
MD5

5b769ca4f7175d282c3f34135148bd80
SHA1

7c13ba85e98e46b5a17f77ea36ccf54946913633
SHA256

2ab98ac09ef0db9eaef3b2ecc09a6ef42d6977cba89ac08781f0751572d5b16b
SHA512

e9144c58cc1d10f0537f21d9515dfaa59e8a39e4f6ddc299fcd67f0062d8bfd27ee2fd61c2f6fb44c08ccbd39336a1072048507fc52a6306780e7c56738f333a

Score

10^/10

Malware Config

Signatures

Ostap JavaScript Downloader 1 IoCs

Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot

Processes:

resource	yara_rule
C:\DiskDrive\1\Volume\BackFiles\Ranlsojf.jse	family_ostap

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3472	1028	cmd.exe	WINWORD.EXE

ostap
Ostap is a JS downloader, used to deliver other families.
downloader ostap
Blocklisted process makes network request 1 IoCs

Processes:

cscript.exe

flow pid process

55 3688 cscript.exe

flow	pid	process
55	3688	cscript.exe

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	1536	1028	DW20.EXE	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEdwwin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dwwin.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEdwwin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dwwin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwwin.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1028 WINWORD.EXE
1028 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WINWORD.EXE

pid process

1028 WINWORD.EXE
1028 WINWORD.EXE
1028 WINWORD.EXE
1028 WINWORD.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WINWORD.EXE

pid process

1028 WINWORD.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

1028 WINWORD.EXE
1028 WINWORD.EXE
1028 WINWORD.EXE
1028 WINWORD.EXE

pid	process
1028	WINWORD.EXE
1028	WINWORD.EXE

pid	process
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE

pid	process
1028	WINWORD.EXE

pid	process
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE
1028	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXEcmd.exeDW20.EXE

description	pid	process	target process
PID 1028 wrote to memory of 3472	1028	WINWORD.EXE	cmd.exe
PID 1028 wrote to memory of 3472	1028	WINWORD.EXE	cmd.exe
PID 1028 wrote to memory of 1536	1028	WINWORD.EXE	DW20.EXE
PID 1028 wrote to memory of 1536	1028	WINWORD.EXE	DW20.EXE
PID 3472 wrote to memory of 3688	3472	cmd.exe	cscript.exe
PID 3472 wrote to memory of 3688	3472	cmd.exe	cscript.exe
PID 1536 wrote to memory of 4720	1536	DW20.EXE	dwwin.exe
PID 1536 wrote to memory of 4720	1536	DW20.EXE	dwwin.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2ab98ac09ef0db9eaef3b2ecc09a6ef42d6977cba89ac08781f0751572d5b16b.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 4468
2⤵
- Process spawned suspicious child process
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\DiskDrive\1\Volume\errorfix.bat
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\system32\dwwin.exe
C:\Windows\system32\dwwin.exe -x -s 4468
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4720

C:\Windows\system32\cscript.exe
cscript //nologo C:\DiskDrive\1\Volume\BackFiles\Ranlsojf.jse
1⤵
- Blocklisted process makes network request
PID:3688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DiskDrive\1\Volume\BackFiles\Ranlsojf.jse

Filesize
320KB

MD5
22cfe1295d1d8108e2b409de2e01d169

SHA1
acae75174b23ae88b15035410e75bad6e4060039

SHA256
dd7023dd82b641c9307566b87acf0951f16b27c34094a341fa1fe7671d269bf4

SHA512
56708d0013fe6e90d053c8caae41a41828c4272680e237bbbd72805b77805c4bb94b95dcdc33ceca2cab898a1cf8269365ecfd127516c8773c02ba568a4bb473

Download Submit
C:\DiskDrive\1\Volume\errorfix.bat

Filesize
63B

MD5
0d0732df59c6a24601ed265c3507415c

SHA1
9de42aced5d8c395d4f35924a5373e8434b1a681

SHA256
58e918466a61740abe42a2d1ca29bd8d56daf53912e6d65879cbe944466fb80c

SHA512
077baaf98fbfcca3d9b42644202960a7d571d5e6ef468c1a2f78f2fa49e4c7c3d129c1f93878a96b34eb706b6421aba385d90df363019d991d28cd280dfcf775

Download Submit
memory/1028-130-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/1028-132-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/1028-133-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/1028-135-0x00007FF9BA220000-0x00007FF9BA230000-memory.dmp

Filesize
64KB

Download
memory/1028-136-0x00007FF9BA220000-0x00007FF9BA230000-memory.dmp

Filesize
64KB

Download
memory/1028-137-0x00000245EDC70000-0x00000245EDC74000-memory.dmp

Filesize
16KB

Download
memory/1028-134-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/1028-131-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/1536-140-0x0000000000000000-mapping.dmp

Download
memory/1536-149-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/1536-152-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/1536-151-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/1536-150-0x00007FF9BC5B0000-0x00007FF9BC5C0000-memory.dmp

Filesize
64KB

Download
memory/3472-138-0x0000000000000000-mapping.dmp

Download
memory/3688-141-0x0000000000000000-mapping.dmp

Download
memory/4720-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads