Analysis
max time kernel: 151s
max time network: 155s
platform: windows7_x64
resource: win7-20220414-en
submitted: 18-04-2022 10:15
Static task: static1
Behavioral task: behavioral1
Sample: 2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
Resource: win7-20220414-en
General
Target: 2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
Size: 357KB
MD5: 6adff82e37aadb238d58699f857e5f8b
SHA1: f779cdc5c8d6a8595a0850cb8fb7097e4f74f66d
SHA256: 2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec
SHA512: e9edae21aa6708690ed8a7df2555e48121677d43f3994f2407ca4ead9ac775a02cb73e367830c9cd8f49587e43a7c5a546cc400c5a46ce00e9fef81f3fb4eb96
Malware Config
Extracted
Family: systembc
C2: sdadvert197.com:4044
C2: mexstat128.com:4044
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 1720  process ossfh.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 6  ioc api.ipify.org
  flow 7  ioc ip4.seeip.org
  flow 8  ioc ip4.seeip.org
  flow 5  ioc api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes:
  description: File created                  ioc: C:\Windows\Tasks\ossfh.job  process: 2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
  description: File opened for modification  ioc: C:\Windows\Tasks\ossfh.job  process: 2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid 1080  process 2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description: PID 908 wrote to memory of 1720  pid: 908  process: taskeng.exe  target process: ossfh.exe
  description: PID 908 wrote to memory of 1720  pid: 908  process: taskeng.exe  target process: ossfh.exe
  description: PID 908 wrote to memory of 1720  pid: 908  process: taskeng.exe  target process: ossfh.exe
  description: PID 908 wrote to memory of 1720  pid: 908  process: taskeng.exe  target process: ossfh.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 1080

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9485770A-3197-4F0E-B539-D7DFDF79E1D5} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 908

  C:\ProgramData\odacnpl\ossfh.exe (child of taskeng.exe)
    Command line: C:\ProgramData\odacnpl\ossfh.exe start
    - Executes dropped EXE
    PID: 1720
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\ProgramData\odacnpl\ossfh.exe
  Filesize: 357KB
  MD5: 6adff82e37aadb238d58699f857e5f8b
  SHA1: f779cdc5c8d6a8595a0850cb8fb7097e4f74f66d
  SHA256: 2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec
  SHA512: e9edae21aa6708690ed8a7df2555e48121677d43f3994f2407ca4ead9ac775a02cb73e367830c9cd8f49587e43a7c5a546cc400c5a46ce00e9fef81f3fb4eb96
memory/1080-54-0x0000000000E37000-0x0000000000E3E000-memory.dmp
  Filesize: 28KB

memory/1080-55-0x00000000755C1000-0x00000000755C3000-memory.dmp
  Filesize: 8KB

memory/1080-56-0x0000000000E37000-0x0000000000E3E000-memory.dmp
  Filesize: 28KB

memory/1080-57-0x0000000000220000-0x0000000000229000-memory.dmp
  Filesize: 36KB

memory/1080-58-0x0000000000400000-0x0000000000C33000-memory.dmp
  Filesize: 8.2MB

memory/1720-60-0x0000000000000000-mapping.dmp

memory/1720-62-0x0000000000277000-0x000000000027D000-memory.dmp
  Filesize: 24KB

memory/1720-64-0x0000000000277000-0x000000000027D000-memory.dmp
  Filesize: 24KB

memory/1720-65-0x0000000000400000-0x0000000000C33000-memory.dmp
  Filesize: 8.2MB