Overview

overview

8

Static

static

osno-crypted.bin.exe

windows7_x64

8

osno-crypted.bin.exe

windows10_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09-10-2020 11:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    osno-crypted.bin.exe

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\osno-crypted.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\osno-crypted.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
            PID:1020
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            4⤵
              PID:240
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              4⤵
                PID:1472
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C tasklist /FO TABLE > "C:\Users\Admin\AppData\Local\Temp\3873d8888a3836bc92341667cb978e5e\9965f44e6f4047c4479d448e0c207069\processes.txt"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:748
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist /FO TABLE
                4⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:784
            • C:\Users\Admin\Desktop\Osno Decryptor.exe
              "C:\Users\Admin\Desktop\Osno Decryptor.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1684
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 656
                4⤵
                • Loads dropped DLL
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:852

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Process Discovery

        1
        T1057

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3873d8888a3836bc92341667cb978e5e\9965f44e6f4047c4479d448e0c207069\processes.txt
          MD5

          131a60a8a9f41e89d31e2d29a9db63fe

          SHA1

          9fd4759ca90e74d0c512af6ee7df2e03278330bc

          SHA256

          eb6f1266d2416c527960a8ed0536c3b5f0baf73ecf7b6c7d188474a802d30068

          SHA512

          07a5f584c179734c941aa4f15a5700bcd7b3c0f1982162524ca4a860ba6479dad41acfee3ca4620337151e6132742c4b81232d2b5f0e6f4c2eef2e9b96a1f9bc

          Download Submit
        • C:\Users\Admin\Desktop\Osno Decryptor.exe
          MD5

          31b725e640371603fc9b006bc4178972

          SHA1

          49bfaff98c662dbbc9696f8e43a140480f36207f

          SHA256

          40e4fffa431378e9f09310bba5ff4b8bcec1e11e2b9a606d15f123b696bdb697

          SHA512

          7c2a1a5035fbdfd82353276557a507716095fa81051c9d5daf68f315c4dfa5e1b9ed47eeeb8a52d5d30257b5d14b8b50e83f6fbe64f0e7a4b585012cb032954d

          Download Submit
        • C:\Users\Admin\Desktop\Osno Decryptor.exe
          MD5

          31b725e640371603fc9b006bc4178972

          SHA1

          49bfaff98c662dbbc9696f8e43a140480f36207f

          SHA256

          40e4fffa431378e9f09310bba5ff4b8bcec1e11e2b9a606d15f123b696bdb697

          SHA512

          7c2a1a5035fbdfd82353276557a507716095fa81051c9d5daf68f315c4dfa5e1b9ed47eeeb8a52d5d30257b5d14b8b50e83f6fbe64f0e7a4b585012cb032954d

          Download Submit
        • \Users\Admin\Desktop\Osno Decryptor.exe
          MD5

          31b725e640371603fc9b006bc4178972

          SHA1

          49bfaff98c662dbbc9696f8e43a140480f36207f

          SHA256

          40e4fffa431378e9f09310bba5ff4b8bcec1e11e2b9a606d15f123b696bdb697

          SHA512

          7c2a1a5035fbdfd82353276557a507716095fa81051c9d5daf68f315c4dfa5e1b9ed47eeeb8a52d5d30257b5d14b8b50e83f6fbe64f0e7a4b585012cb032954d

          Download Submit
        • \Users\Admin\Desktop\Osno Decryptor.exe
          MD5

          31b725e640371603fc9b006bc4178972

          SHA1

          49bfaff98c662dbbc9696f8e43a140480f36207f

          SHA256

          40e4fffa431378e9f09310bba5ff4b8bcec1e11e2b9a606d15f123b696bdb697

          SHA512

          7c2a1a5035fbdfd82353276557a507716095fa81051c9d5daf68f315c4dfa5e1b9ed47eeeb8a52d5d30257b5d14b8b50e83f6fbe64f0e7a4b585012cb032954d

          Download Submit
        • \Users\Admin\Desktop\Osno Decryptor.exe
          MD5

          31b725e640371603fc9b006bc4178972

          SHA1

          49bfaff98c662dbbc9696f8e43a140480f36207f

          SHA256

          40e4fffa431378e9f09310bba5ff4b8bcec1e11e2b9a606d15f123b696bdb697

          SHA512

          7c2a1a5035fbdfd82353276557a507716095fa81051c9d5daf68f315c4dfa5e1b9ed47eeeb8a52d5d30257b5d14b8b50e83f6fbe64f0e7a4b585012cb032954d

          Download Submit
        • \Users\Admin\Desktop\Osno Decryptor.exe
          MD5

          31b725e640371603fc9b006bc4178972

          SHA1

          49bfaff98c662dbbc9696f8e43a140480f36207f

          SHA256

          40e4fffa431378e9f09310bba5ff4b8bcec1e11e2b9a606d15f123b696bdb697

          SHA512

          7c2a1a5035fbdfd82353276557a507716095fa81051c9d5daf68f315c4dfa5e1b9ed47eeeb8a52d5d30257b5d14b8b50e83f6fbe64f0e7a4b585012cb032954d

          Download Submit
        • \Users\Admin\Desktop\Osno Decryptor.exe
          MD5

          31b725e640371603fc9b006bc4178972

          SHA1

          49bfaff98c662dbbc9696f8e43a140480f36207f

          SHA256

          40e4fffa431378e9f09310bba5ff4b8bcec1e11e2b9a606d15f123b696bdb697

          SHA512

          7c2a1a5035fbdfd82353276557a507716095fa81051c9d5daf68f315c4dfa5e1b9ed47eeeb8a52d5d30257b5d14b8b50e83f6fbe64f0e7a4b585012cb032954d

          Download Submit
        • \Users\Admin\Desktop\Osno Decryptor.exe
          MD5

          31b725e640371603fc9b006bc4178972

          SHA1

          49bfaff98c662dbbc9696f8e43a140480f36207f

          SHA256

          40e4fffa431378e9f09310bba5ff4b8bcec1e11e2b9a606d15f123b696bdb697

          SHA512

          7c2a1a5035fbdfd82353276557a507716095fa81051c9d5daf68f315c4dfa5e1b9ed47eeeb8a52d5d30257b5d14b8b50e83f6fbe64f0e7a4b585012cb032954d

          Download Submit
        • memory/240-14-0x0000000000000000-mapping.dmp
          Download
        • memory/748-16-0x0000000000000000-mapping.dmp
          Download
        • memory/784-17-0x0000000000000000-mapping.dmp
          Download
        • memory/852-26-0x0000000000000000-mapping.dmp
          Download
        • memory/852-37-0x00000000025A0000-0x00000000025B1000-memory.dmp
          Filesize

          68KB

          Download
        • memory/852-27-0x0000000001F30000-0x0000000001F41000-memory.dmp
          Filesize

          68KB

          Download
        • memory/1020-13-0x0000000000000000-mapping.dmp
          Download
        • memory/1228-12-0x0000000000000000-mapping.dmp
          Download
        • memory/1472-15-0x0000000000000000-mapping.dmp
          Download
        • memory/1588-8-0x0000000000400000-0x00000000004D6000-memory.dmp
          Filesize

          856KB

          Download
        • memory/1588-6-0x00000000004D1C3E-mapping.dmp
          Download
        • memory/1588-9-0x00000000734B0000-0x0000000073B9E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1588-7-0x0000000000400000-0x00000000004D6000-memory.dmp
          Filesize

          856KB

          Download
        • memory/1588-5-0x0000000000400000-0x00000000004D6000-memory.dmp
          Filesize

          856KB

          Download
        • memory/1668-4-0x00000000046E0000-0x0000000004821000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1668-0-0x0000000074020000-0x000000007470E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1668-3-0x0000000000610000-0x000000000061C000-memory.dmp
          Filesize

          48KB

          Download
        • memory/1668-1-0x00000000001D0000-0x00000000001D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1684-34-0x0000000000000000-mapping.dmp
          Download
        • memory/1684-33-0x0000000000000000-mapping.dmp
          Download
        • memory/1684-32-0x0000000000000000-mapping.dmp
          Download
        • memory/1684-20-0x0000000000000000-mapping.dmp
          Download
        • memory/1684-35-0x0000000000000000-mapping.dmp
          Download
        • memory/1684-36-0x0000000000000000-mapping.dmp
          Download
        • memory/1684-24-0x0000000000D80000-0x0000000000D81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1684-23-0x00000000734B0000-0x0000000073B9E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1684-39-0x0000000000000000-mapping.dmp
          Download
        • memory/1684-40-0x0000000000000000-mapping.dmp
          Download
        • memory/1684-41-0x0000000000000000-mapping.dmp
          Download
        • memory/1684-42-0x0000000000000000-mapping.dmp
          Download