Analysis
-
max time kernel
138s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
04-01-2023 14:40
Static task
static1
Behavioral task
behavioral1
Sample
af988030zdi1714.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
af988030zdi1714.exe
Resource
win10v2004-20221111-en
General
-
Target
af988030zdi1714.exe
-
Size
118KB
-
MD5
65e8735827a1f46aa4c5c9eb5439fd52
-
SHA1
bf19bc3c9d142b0ea09dd3b57115808156c0200b
-
SHA256
ce0d54c9c867b136594887dc4963816b2cb3e682da8f3d792e0f3e5d2b646964
-
SHA512
417b71c00f359f9e340129b85254590e5cbf4f2c1fd3c8a6146225fd1abdfc0dd14870ee012b9861f129f69ed19617e436debfcaebfee436b5c682235ba41384
-
SSDEEP
3072:oGu9BlfzWIbXWm+w0J95i+yQ5ao7/tPlvXLrKzvABED:o/0uoEQ5a8PLr2b
Malware Config
Signatures
-
Ostap JavaScript downloader 1 IoCs
Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\always.jse family_ostap -
ostap
Ostap is a JS downloader, used to deliver other families.
-
Blocklisted process makes network request 4 IoCs
Processes:
WScript.exeflow pid process 2 652 WScript.exe 4 652 WScript.exe 5 652 WScript.exe 6 652 WScript.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
af988030zdi1714.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce af988030zdi1714.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" af988030zdi1714.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
af988030zdi1714.execmd.exedescription pid process target process PID 1292 wrote to memory of 1236 1292 af988030zdi1714.exe cmd.exe PID 1292 wrote to memory of 1236 1292 af988030zdi1714.exe cmd.exe PID 1292 wrote to memory of 1236 1292 af988030zdi1714.exe cmd.exe PID 1292 wrote to memory of 1236 1292 af988030zdi1714.exe cmd.exe PID 1292 wrote to memory of 1236 1292 af988030zdi1714.exe cmd.exe PID 1292 wrote to memory of 1236 1292 af988030zdi1714.exe cmd.exe PID 1292 wrote to memory of 1236 1292 af988030zdi1714.exe cmd.exe PID 1236 wrote to memory of 652 1236 cmd.exe WScript.exe PID 1236 wrote to memory of 652 1236 cmd.exe WScript.exe PID 1236 wrote to memory of 652 1236 cmd.exe WScript.exe PID 1236 wrote to memory of 652 1236 cmd.exe WScript.exe PID 1236 wrote to memory of 652 1236 cmd.exe WScript.exe PID 1236 wrote to memory of 652 1236 cmd.exe WScript.exe PID 1236 wrote to memory of 652 1236 cmd.exe WScript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\af988030zdi1714.exe"C:\Users\Admin\AppData\Local\Temp\af988030zdi1714.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\cmd.execmd /c type rd_data.doc & del /f rd_data.rtf & always.jse & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\always.jse"3⤵
- Blocklisted process makes network request
PID:652
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
704KB
MD5e0250b597ad980246236426c3279810e
SHA1013f2b926b3d4dfdf6abc2786ffa6d23a4211fee
SHA25649e4cf809b2641e12884992facf7200a5250b0714a191a679e4bec2b0d007d85
SHA512b4c7b792536e3a91bf664f402c5f1fb7d7d8ae269e85210f0c3b3815d67cf17ce0d934bacc730845b425d3713cd62e869e522089fca12f2de4e96529492efca4
-
Filesize
205B
MD50d72aee515af202f70da3933876a4fa3
SHA1ad862ce0c8987ae09b3686eb8938bd4998d2d1ec
SHA256d70667f2e532de5a0e45d35c899c6af2235a3583f5ae78a452d9ccf5c21bbbd6
SHA51247549d15e277c15cbd955c4141f4bea1d61248d2bc15bbca8d24aa65aab66e2d230f72a4cda16ef6f1d6a26c0fcab1affc3dec29b3c47151209cfee51a490f33