Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    08-10-2020 09:01

General

  • Target

    osi.exe

  • Size

    991KB

  • MD5

    918b4df1f8d7b1e18e3e8fccdef3f5de

  • SHA1

    9b8f84e2d239252c83d89c3179f53893574c97a1

  • SHA256

    62bd38c89d1a30b03bd89a788d9f2852659f77715c97e5c12445c33f43fa13e5

  • SHA512

    bd6f8633285547160039a0730f936944f47336af5eda702332de7c23c6eefc2b3a19160dd235d1b5e18ecaefd9949ee847a1875949beac921f5890b6d3f841b8

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1731 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 89 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\osi.exe
    "C:\Users\Admin\AppData\Local\Temp\osi.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\SysWOW64\extrac32.exe
      "C:\Windows\system32\extrac32.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Users\Admin\AppData\Local\Temp\cmd.exe
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:300
        • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
          "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
          4⤵
          • Executes dropped EXE
          PID:324
        • C:\Users\Admin\AppData\Local\Temp\{5F5DCE46-2D6F-4961-BA1A-11E00C1FF081}\907402218.exe
          "907402218.exe"
          4⤵
          • Executes dropped EXE
          PID:2024

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/300-12-0x00000000003C0000-0x00000000003DF000-memory.dmp

    Filesize

    124KB

  • memory/300-7-0x0000000000400000-0x000000000049F000-memory.dmp

    Filesize

    636KB

  • memory/300-13-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

  • memory/1100-4-0x0000000004860000-0x00000000048FF000-memory.dmp

    Filesize

    636KB

  • memory/1100-2-0x0000000004440000-0x00000000044C2000-memory.dmp

    Filesize

    520KB

  • memory/1904-1-0x000007FEF6BB0000-0x000007FEF6E2A000-memory.dmp

    Filesize

    2.5MB