Analysis

  • max time kernel
    138s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    04-01-2023 14:40

General

  • Target

    af988030zdi1714.exe

  • Size

    118KB

  • MD5

    65e8735827a1f46aa4c5c9eb5439fd52

  • SHA1

    bf19bc3c9d142b0ea09dd3b57115808156c0200b

  • SHA256

    ce0d54c9c867b136594887dc4963816b2cb3e682da8f3d792e0f3e5d2b646964

  • SHA512

    417b71c00f359f9e340129b85254590e5cbf4f2c1fd3c8a6146225fd1abdfc0dd14870ee012b9861f129f69ed19617e436debfcaebfee436b5c682235ba41384

  • SSDEEP

    3072:oGu9BlfzWIbXWm+w0J95i+yQ5ao7/tPlvXLrKzvABED:o/0uoEQ5a8PLr2b

Malware Config

Signatures

  • Ostap JavaScript downloader 1 IoCs

    Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot

  • ostap

    Ostap is a JS downloader, used to deliver other families.

  • Blocklisted process makes network request 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af988030zdi1714.exe
    "C:\Users\Admin\AppData\Local\Temp\af988030zdi1714.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c type rd_data.doc & del /f rd_data.rtf & always.jse & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\always.jse"
        3⤵
        • Blocklisted process makes network request
        PID:652

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\always.jse

    Filesize

    704KB

    MD5

    e0250b597ad980246236426c3279810e

    SHA1

    013f2b926b3d4dfdf6abc2786ffa6d23a4211fee

    SHA256

    49e4cf809b2641e12884992facf7200a5250b0714a191a679e4bec2b0d007d85

    SHA512

    b4c7b792536e3a91bf664f402c5f1fb7d7d8ae269e85210f0c3b3815d67cf17ce0d934bacc730845b425d3713cd62e869e522089fca12f2de4e96529492efca4

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rd_data.rtf

    Filesize

    205B

    MD5

    0d72aee515af202f70da3933876a4fa3

    SHA1

    ad862ce0c8987ae09b3686eb8938bd4998d2d1ec

    SHA256

    d70667f2e532de5a0e45d35c899c6af2235a3583f5ae78a452d9ccf5c21bbbd6

    SHA512

    47549d15e277c15cbd955c4141f4bea1d61248d2bc15bbca8d24aa65aab66e2d230f72a4cda16ef6f1d6a26c0fcab1affc3dec29b3c47151209cfee51a490f33

  • memory/652-59-0x0000000000000000-mapping.dmp

  • memory/1236-55-0x0000000000000000-mapping.dmp

  • memory/1292-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

    Filesize

    8KB