f019596f88bf76713b21eb5d71d10c0298dfcb59b94ea65409ea1404fb6657d0

General

Target

710605a130a5d1e19e12e8ba091d1a2b.exe
Size

489KB
MD5

710605a130a5d1e19e12e8ba091d1a2b
SHA1

f77df77f0037981e37d7def1db128a6d86f0493d
SHA256

f019596f88bf76713b21eb5d71d10c0298dfcb59b94ea65409ea1404fb6657d0
SHA512

719c7d0fbf5d53932f90f5abb495beedaa8cff43fc873af1bdb7b58e6720db061403655c07382e8082d3f1187a49bc717ee5d825eeb512171911c3bb5e69ed9d
SSDEEP

12288:56TPW1Fm3lj0emIe1wcwqkcIJm7czh2N8nUlZPWU+Dz:cD4FEQemIwwcwq3IJ9N2ynQ1Qz

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1948	ossproxy.exe
2324	counter.exe

Loads dropped DLL 20 IoCs

pid	Process
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
1948	ossproxy.exe
1948	ossproxy.exe
1948	ossproxy.exe
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
2260	710605a130a5d1e19e12e8ba091d1a2b.exe
2324	counter.exe
2324	counter.exe
2324	counter.exe
2324	counter.exe
2324	counter.exe
2324	counter.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\~GLH0000.TMP	710605a130a5d1e19e12e8ba091d1a2b.exe
File opened for modification	C:\Windows\SysWOW64\ossproxy.exe	710605a130a5d1e19e12e8ba091d1a2b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 1948	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	28
PID 2260 wrote to memory of 1948	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	28
PID 2260 wrote to memory of 1948	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	28
PID 2260 wrote to memory of 1948	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	28
PID 2260 wrote to memory of 1948	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	28
PID 2260 wrote to memory of 1948	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	28
PID 2260 wrote to memory of 1948	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	28
PID 2260 wrote to memory of 2324	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	29
PID 2260 wrote to memory of 2324	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	29
PID 2260 wrote to memory of 2324	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	29
PID 2260 wrote to memory of 2324	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	29
PID 2260 wrote to memory of 2324	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	29
PID 2260 wrote to memory of 2324	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	29
PID 2260 wrote to memory of 2324	2260	710605a130a5d1e19e12e8ba091d1a2b.exe	29

C:\Users\Admin\AppData\Local\Temp\710605a130a5d1e19e12e8ba091d1a2b.exe
"C:\Users\Admin\AppData\Local\Temp\710605a130a5d1e19e12e8ba091d1a2b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\ossproxy.exe
  "C:\Windows\System32\ossproxy.exe" -install -o:256 -start -uninst:RelevantKnowledge -c:108
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\counter.exe
  "C:\Users\Admin\AppData\Local\Temp\counter.exe" "&ast-comscore"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\GLC4818.tmp

Filesize
161KB

MD5
263e81631fb67194dc968dc3f4bdb4e7

SHA1
2998697c503a542d5cf1e25a0d0df18fcd38d66c

SHA256
9200949ab6f777df957fc524d4733e2cb47b89a209c07d2be57b4c63cecbf766

SHA512
2eb6fd28ba87f193a35f1c4bd4c6ff29495a3c10fea8bfa0506df97fcae5ca16f2617703137ecb32cf6b7dbd3048507dd4d0c7418845cfdce5c43896aec45dbb

Download Submit
\Users\Admin\AppData\Local\Temp\GLK4847.tmp

Filesize
33KB

MD5
517419cae37f6c78c80f9b7d0fbb8661

SHA1
a9e419f3d9ef589522556e0920c84fe37a548873

SHA256
bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

SHA512
5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

Download Submit
\Users\Admin\AppData\Local\Temp\GLM517C.tmp

Filesize
12KB

MD5
a8108d3e40849b61fddfacf36e520395

SHA1
a03b5ae5bc22e3ce89a7205c7aea8c3339cf8dcd

SHA256
84c6507fe457d6a882f643908423a3e42ee1170218d18c53366ae6fbd627ff36

SHA512
50b4ede09a34860571fac72f2bdf0877f26f4ce276ebade5c3406fa5ede2dd6b5dd3fae4b74acae022e161d6a59142d0976064f993593ccac5988e1926816062

Download Submit
\Users\Admin\AppData\Local\Temp\counter.exe

Filesize
124KB

MD5
66daeb2cb7168803f57dc5a1cc55410b

SHA1
3fe6e0af8bac1c0dcdaf90459756332927d94eda

SHA256
fa4b812deadb71f86ba1ae513a4f841c39cece3a3df1b3c3bc74a5ac07ecfaac

SHA512
ba9dc4eb4abe522d6c4ab6d03c0f110094e4b4148730a63dce7be049d6a09f26d8a6353083f5f4c388a33c3971961b5e2fa326146580047d8648f693578acb91

Download Submit
\Windows\SysWOW64\ossproxy.exe

Filesize
436KB

MD5
2b0553988ade900ff234234461b67426

SHA1
55534d027348d602beac43b73204d2e86f2be058

SHA256
075c0d8846eff7bf11b6f7b8dcaa423b36a6530be5e042e73c7c46e2e9105f39

SHA512
d2abc14fc676c60f07eb804cc92fb363b15c4f18e2ac2de972b3bd4a029137977c03b897f51c4ed8d43b185d386612b48682b2d155a401f671482893f8d4de6f

Download Submit

Analysis

Sharing