b8d6705ee853b6f830e6487419e13f4a1d95537dbb360534b744b2fca738726e

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7
submitted
09/10/2020, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

osno-crypted.bin.exe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1684	Osno Decryptor.exe

Loads dropped DLL 6 IoCs

pid	Process
1588	MSBuild.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 1588	1668	osno-crypted.bin.exe	28

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\7-zip\lang\sv.txt	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\alphabet.xml	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\readme.txt	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\slate\preview.gif	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\lib\images\cursors\win32_movedrop32x32.gif	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\office setup controller\outlook.en-us\outlookmui.xml	MSBuild.exe
File opened for modification	\??\c:\program files\dvd maker\shared\dvdstyles\stacking\1047x576black.png	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\javap.exe	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\bin\rmid.exe	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\axis\thmbnail.png	MSBuild.exe
File opened for modification	\??\c:\program files\dvd maker\shared\dvdstyles\16to9squareframe_buttongraphic.png	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\7zg.exe	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\office setup controller\office.en-us\officemui.xml	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\welcome.html	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\pixel\thmbnail.png	MSBuild.exe
File created	\??\c:\program files\dvd maker\shared\dvdstyles\oldage\1047x576black.png	MSBuild.exe
File created	\??\c:\program files\dvd maker\shared\dvdstyles\vignette\1047x576black.png	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\lang\pt.txt	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	MSBuild.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\web\webbase.xml	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\blueprnt\thmbnail.png	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\javah.exe	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\jmc.exe	MSBuild.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\keypad\ea.xml	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\fltldr.exe	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\office setup controller\infopath.en-us\infopathmui.xml	MSBuild.exe
File created	\??\c:\program files\common files\microsoft shared\ink\fsdefinitions\auxpad.xml	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\office setup controller\access.en-us\accessmui.xml	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\boldstri\thmbnail.png	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\watermar\thmbnail.png	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\office setup controller\onenote.en-us\setup.xml	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\smart tag\lists\1033\time.xml	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\canyon\thmbnail.png	MSBuild.exe
File created	\??\c:\program files\dvd maker\shared\dvdstyles\performance\720x480blacksquare.png	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\lang\hu.txt	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\grphflt\ms.png	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\office setup controller\office32.en-us\setup.xml	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\schemagen.exe	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\office setup controller\proplus\proplusww.xml	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\cascade\preview.gif	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\jre\bin\unpack200.exe	MSBuild.exe
File created	\??\c:\program files\common files\microsoft shared\msinfo\msinfo32.exe	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\liclua.exe	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\jar.exe	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\office setup controller\proof.fr\proof.xml	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\lang\th.txt	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\smart tag\smarttaginstall.exe	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\arctic\thmbnail.png	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\papyrus\thmbnail.png	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\lang\fur.txt	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\lang\io.txt	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\sumipntg\thmbnail.png	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\layers\preview.gif	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\klist.exe	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\include\win32\jni_md.h	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\themes14\capsules\preview.gif	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\bin\idlj.exe	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\lang\is.txt	MSBuild.exe
File opened for modification	\??\c:\program files\7-zip\lang\ast.txt	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\dw\dwtrig20.exe	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\office14\office setup controller\powerpoint.en-us\setup.xml	MSBuild.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\en-us\boxed-correct.avi	MSBuild.exe
File opened for modification	\??\c:\program files\java\jdk1.7.0_80\include\win32\bridge\accessbridgepackages.h	MSBuild.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
852	1684	WerFault.exe	38

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
784	tasklist.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1588	MSBuild.exe
1588	MSBuild.exe
1588	MSBuild.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe
852	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	tasklist.exe
Token: SeDebugPrivilege	1588	MSBuild.exe
Token: SeDebugPrivilege	852	WerFault.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1588	1668	osno-crypted.bin.exe	28
PID 1668 wrote to memory of 1588	1668	osno-crypted.bin.exe	28
PID 1668 wrote to memory of 1588	1668	osno-crypted.bin.exe	28
PID 1668 wrote to memory of 1588	1668	osno-crypted.bin.exe	28
PID 1668 wrote to memory of 1588	1668	osno-crypted.bin.exe	28
PID 1668 wrote to memory of 1588	1668	osno-crypted.bin.exe	28
PID 1668 wrote to memory of 1588	1668	osno-crypted.bin.exe	28
PID 1668 wrote to memory of 1588	1668	osno-crypted.bin.exe	28
PID 1668 wrote to memory of 1588	1668	osno-crypted.bin.exe	28
PID 1588 wrote to memory of 1228	1588	MSBuild.exe	29
PID 1588 wrote to memory of 1228	1588	MSBuild.exe	29
PID 1588 wrote to memory of 1228	1588	MSBuild.exe	29
PID 1588 wrote to memory of 1228	1588	MSBuild.exe	29
PID 1228 wrote to memory of 1020	1228	cmd.exe	31
PID 1228 wrote to memory of 1020	1228	cmd.exe	31
PID 1228 wrote to memory of 1020	1228	cmd.exe	31
PID 1228 wrote to memory of 1020	1228	cmd.exe	31
PID 1228 wrote to memory of 240	1228	cmd.exe	32
PID 1228 wrote to memory of 240	1228	cmd.exe	32
PID 1228 wrote to memory of 240	1228	cmd.exe	32
PID 1228 wrote to memory of 240	1228	cmd.exe	32
PID 1228 wrote to memory of 1472	1228	cmd.exe	33
PID 1228 wrote to memory of 1472	1228	cmd.exe	33
PID 1228 wrote to memory of 1472	1228	cmd.exe	33
PID 1228 wrote to memory of 1472	1228	cmd.exe	33
PID 1588 wrote to memory of 748	1588	MSBuild.exe	34
PID 1588 wrote to memory of 748	1588	MSBuild.exe	34
PID 1588 wrote to memory of 748	1588	MSBuild.exe	34
PID 1588 wrote to memory of 748	1588	MSBuild.exe	34
PID 748 wrote to memory of 784	748	cmd.exe	37
PID 748 wrote to memory of 784	748	cmd.exe	37
PID 748 wrote to memory of 784	748	cmd.exe	37
PID 748 wrote to memory of 784	748	cmd.exe	37
PID 1588 wrote to memory of 1684	1588	MSBuild.exe	38
PID 1588 wrote to memory of 1684	1588	MSBuild.exe	38
PID 1588 wrote to memory of 1684	1588	MSBuild.exe	38
PID 1588 wrote to memory of 1684	1588	MSBuild.exe	38
PID 1684 wrote to memory of 852	1684	Osno Decryptor.exe	40
PID 1684 wrote to memory of 852	1684	Osno Decryptor.exe	40
PID 1684 wrote to memory of 852	1684	Osno Decryptor.exe	40
PID 1684 wrote to memory of 852	1684	Osno Decryptor.exe	40

C:\Users\Admin\AppData\Local\Temp\osno-crypted.bin.exe
"C:\Users\Admin\AppData\Local\Temp\osno-crypted.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1020
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:240
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\3873d8888a3836bc92341667cb978e5e\9965f44e6f4047c4479d448e0c207069\processes.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO TABLE
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:784
- - C:\Users\Admin\Desktop\Osno Decryptor.exe
    "C:\Users\Admin\Desktop\Osno Decryptor.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 656
      4⤵
      Loads dropped DLL
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-37-0x00000000025A0000-0x00000000025B1000-memory.dmp

Filesize
68KB

Download
memory/852-27-0x0000000001F30000-0x0000000001F41000-memory.dmp

Filesize
68KB

Download
memory/1588-8-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1588-9-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1588-7-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1588-5-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1668-4-0x00000000046E0000-0x0000000004821000-memory.dmp

Filesize
1.3MB

Download
memory/1668-0-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-3-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/1668-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1684-24-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1684-23-0x00000000734B0000-0x0000000073B9E000-memory.dmp

Filesize
6.9MB

Download