ostap | ce0d54c9c867b136594887dc4963816b2cb3e682da8f3d792e0f3e5d2b646964

Analysis

max time kernel
138s
max time network
141s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-01-2023 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af988030zdi1714.exe
Size

118KB
MD5

65e8735827a1f46aa4c5c9eb5439fd52
SHA1

bf19bc3c9d142b0ea09dd3b57115808156c0200b
SHA256

ce0d54c9c867b136594887dc4963816b2cb3e682da8f3d792e0f3e5d2b646964
SHA512

417b71c00f359f9e340129b85254590e5cbf4f2c1fd3c8a6146225fd1abdfc0dd14870ee012b9861f129f69ed19617e436debfcaebfee436b5c682235ba41384
SSDEEP

3072:oGu9BlfzWIbXWm+w0J95i+yQ5ao7/tPlvXLrKzvABED:o/0uoEQ5a8PLr2b

Score

10^/10

ostap downloader persistence

Malware Config

Signatures

Ostap JavaScript downloader 1 IoCs

Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\always.jse	family_ostap

ostap
Ostap is a JS downloader, used to deliver other families.
downloader ostap
Blocklisted process makes network request 4 IoCs

Processes:

WScript.exe

flow pid process

2 652 WScript.exe
4 652 WScript.exe
5 652 WScript.exe
6 652 WScript.exe

flow	pid	process
2	652	WScript.exe
4	652	WScript.exe
5	652	WScript.exe
6	652	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

af988030zdi1714.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	af988030zdi1714.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	af988030zdi1714.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

af988030zdi1714.execmd.exe

description	pid	process	target process
PID 1292 wrote to memory of 1236	1292	af988030zdi1714.exe	cmd.exe
PID 1292 wrote to memory of 1236	1292	af988030zdi1714.exe	cmd.exe
PID 1292 wrote to memory of 1236	1292	af988030zdi1714.exe	cmd.exe
PID 1292 wrote to memory of 1236	1292	af988030zdi1714.exe	cmd.exe
PID 1292 wrote to memory of 1236	1292	af988030zdi1714.exe	cmd.exe
PID 1292 wrote to memory of 1236	1292	af988030zdi1714.exe	cmd.exe
PID 1292 wrote to memory of 1236	1292	af988030zdi1714.exe	cmd.exe
PID 1236 wrote to memory of 652	1236	cmd.exe	WScript.exe
PID 1236 wrote to memory of 652	1236	cmd.exe	WScript.exe
PID 1236 wrote to memory of 652	1236	cmd.exe	WScript.exe
PID 1236 wrote to memory of 652	1236	cmd.exe	WScript.exe
PID 1236 wrote to memory of 652	1236	cmd.exe	WScript.exe
PID 1236 wrote to memory of 652	1236	cmd.exe	WScript.exe
PID 1236 wrote to memory of 652	1236	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\af988030zdi1714.exe
"C:\Users\Admin\AppData\Local\Temp\af988030zdi1714.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /c type rd_data.doc & del /f rd_data.rtf & always.jse & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\always.jse"
3⤵
- Blocklisted process makes network request
PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\always.jse

Filesize
704KB

MD5
e0250b597ad980246236426c3279810e

SHA1
013f2b926b3d4dfdf6abc2786ffa6d23a4211fee

SHA256
49e4cf809b2641e12884992facf7200a5250b0714a191a679e4bec2b0d007d85

SHA512
b4c7b792536e3a91bf664f402c5f1fb7d7d8ae269e85210f0c3b3815d67cf17ce0d934bacc730845b425d3713cd62e869e522089fca12f2de4e96529492efca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rd_data.rtf

Filesize
205B

MD5
0d72aee515af202f70da3933876a4fa3

SHA1
ad862ce0c8987ae09b3686eb8938bd4998d2d1ec

SHA256
d70667f2e532de5a0e45d35c899c6af2235a3583f5ae78a452d9ccf5c21bbbd6

SHA512
47549d15e277c15cbd955c4141f4bea1d61248d2bc15bbca8d24aa65aab66e2d230f72a4cda16ef6f1d6a26c0fcab1affc3dec29b3c47151209cfee51a490f33

Download Submit
memory/652-59-0x0000000000000000-mapping.dmp

Download
memory/1236-55-0x0000000000000000-mapping.dmp

Download
memory/1292-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download