oski | 9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4

Analysis

max time kernel
81s
max time network
145s
platform
windows10_x64
resource
win10v20201028
submitted
06-11-2020 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4.exe
Size

449KB
MD5

f20f5ad4b8d13a4fb00275480075d145
SHA1

0d97a9ec2707a86144836765a64a91e9a04f08ae
SHA256

9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4
SHA512

cac8ac52eb088448db62b4880917e14214f52d6e8492618145cf87cb3a2771352e554107a6ed184eb5e9fcfd9fe730d5ac92a37c7f4801dd37f7ed76cccc367b

Score

10^/10

oski stormkitty discovery infostealer spyware stealer vmprotect

Malware Config

Extracted

Family

oski

web24host.com/a/a/www/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Chromuim.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\Chromuim.exe	family_stormkitty
behavioral2/memory/2036-9-0x0000000001740000-0x00000000017B0000-memory.dmp	family_stormkitty

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Chromuim.exeCmd.com

pid process

2036 Chromuim.exe
2156 Cmd.com

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2036-29-0x000000001CC40000-0x000000001CC41000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll	vmprotect

Loads dropped DLL 3 IoCs

Processes:

Cmd.com

pid process

2156 Cmd.com
2156 Cmd.com
2156 Cmd.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
23 icanhazip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2156	Cmd.com
2156	Cmd.com
2156	Cmd.com

flow	ioc
17	ip-api.com
23	icanhazip.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Chromuim.exeCmd.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Chromuim.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Chromuim.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Cmd.com

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

988 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2072 taskkill.exe
2508 taskkill.exe

pid	process
988	timeout.exe

pid	process
2072	taskkill.exe
2508	taskkill.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Chromuim.exe

pid	process
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe
2036	Chromuim.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exeChromuim.exemsiexec.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	2036	Chromuim.exe
Token: SeSecurityPrivilege	1776	msiexec.exe
Token: SeDebugPrivilege	2508	taskkill.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4.exeCmd.comcmd.exeChromuim.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4084 wrote to memory of 2036	4084	9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4.exe	Chromuim.exe
PID 4084 wrote to memory of 2036	4084	9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4.exe	Chromuim.exe
PID 4084 wrote to memory of 2156	4084	9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4.exe	Cmd.com
PID 4084 wrote to memory of 2156	4084	9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4.exe	Cmd.com
PID 4084 wrote to memory of 2156	4084	9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4.exe	Cmd.com
PID 2156 wrote to memory of 3624	2156	Cmd.com	cmd.exe
PID 2156 wrote to memory of 3624	2156	Cmd.com	cmd.exe
PID 2156 wrote to memory of 3624	2156	Cmd.com	cmd.exe
PID 3624 wrote to memory of 2072	3624	cmd.exe	taskkill.exe
PID 3624 wrote to memory of 2072	3624	cmd.exe	taskkill.exe
PID 3624 wrote to memory of 2072	3624	cmd.exe	taskkill.exe
PID 2036 wrote to memory of 2340	2036	Chromuim.exe	cmd.exe
PID 2036 wrote to memory of 2340	2036	Chromuim.exe	cmd.exe
PID 2340 wrote to memory of 3912	2340	cmd.exe	chcp.com
PID 2340 wrote to memory of 3912	2340	cmd.exe	chcp.com
PID 2340 wrote to memory of 3216	2340	cmd.exe	netsh.exe
PID 2340 wrote to memory of 3216	2340	cmd.exe	netsh.exe
PID 2340 wrote to memory of 2136	2340	cmd.exe	findstr.exe
PID 2340 wrote to memory of 2136	2340	cmd.exe	findstr.exe
PID 2036 wrote to memory of 1856	2036	Chromuim.exe	cmd.exe
PID 2036 wrote to memory of 1856	2036	Chromuim.exe	cmd.exe
PID 1856 wrote to memory of 496	1856	cmd.exe	chcp.com
PID 1856 wrote to memory of 496	1856	cmd.exe	chcp.com
PID 1856 wrote to memory of 420	1856	cmd.exe	netsh.exe
PID 1856 wrote to memory of 420	1856	cmd.exe	netsh.exe
PID 2036 wrote to memory of 1172	2036	Chromuim.exe	cmd.exe
PID 2036 wrote to memory of 1172	2036	Chromuim.exe	cmd.exe
PID 1172 wrote to memory of 2256	1172	cmd.exe	chcp.com
PID 1172 wrote to memory of 2256	1172	cmd.exe	chcp.com
PID 1172 wrote to memory of 2508	1172	cmd.exe	taskkill.exe
PID 1172 wrote to memory of 2508	1172	cmd.exe	taskkill.exe
PID 1172 wrote to memory of 988	1172	cmd.exe	timeout.exe
PID 1172 wrote to memory of 988	1172	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4.exe
"C:\Users\Admin\AppData\Local\Temp\9b3da318b86a4bf8b36aca1ea75841e5fc03a57eb500d3379847573e7546a4c4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\Chromuim.exe
"C:\Users\Admin\AppData\Local\Temp\Chromuim.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
3⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3912

C:\Windows\system32\netsh.exe
netsh wlan show profile
4⤵
PID:3216

C:\Windows\system32\findstr.exe
findstr All
4⤵
PID:2136

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
3⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:496

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
4⤵
PID:420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp207.tmp.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2256

C:\Windows\system32\taskkill.exe
TaskKill /F /IM 2036
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
4⤵
- Delays execution with timeout.exe
PID:988

C:\Users\Admin\AppData\Local\Temp\Cmd.com
"C:\Users\Admin\AppData\Local\Temp\Cmd.com"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2156 & erase C:\Users\Admin\AppData\Local\Temp\Cmd.com & RD /S /Q C:\\ProgramData\\253672238915770\\* & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2156
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
MD5
7a2d5deab61f043394a510f4e2c0866f

SHA1
ca16110c9cf6522cd7bea32895fd0f697442849b

SHA256
75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

SHA512
b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chromuim.exe
MD5
d154acc5b5bd9966bb5baf6e7b8ffed7

SHA1
d89e203019c395aa42d12168341cc389235fdbee

SHA256
b771e39c8fb6bacc01a0b8762cf8ed65dde6a077abe4da4492d94d9baa3469f8

SHA512
1aa5d73e0f05c8827e2a3bfb9143d28b13b0ceea3d161972a7a513191c11e04c802d2b66d902712595a3a493494df77ea599a2ecab5259e51cd29cb9abc16bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chromuim.exe
MD5
d154acc5b5bd9966bb5baf6e7b8ffed7

SHA1
d89e203019c395aa42d12168341cc389235fdbee

SHA256
b771e39c8fb6bacc01a0b8762cf8ed65dde6a077abe4da4492d94d9baa3469f8

SHA512
1aa5d73e0f05c8827e2a3bfb9143d28b13b0ceea3d161972a7a513191c11e04c802d2b66d902712595a3a493494df77ea599a2ecab5259e51cd29cb9abc16bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cmd.com
MD5
94835b6d4af91fc977e840d64adaa485

SHA1
77635f373780022f21f74ade8ee80d0e652248ed

SHA256
9e2455642e046af82e21bdc6bc8659a5acc10796e383dcd7064227b0e8c6675b

SHA512
c1ff6e810d1f3476e635a206ef7b9e762230e29a0608cb961df6931d415315e1661277f2cebb2bdd15ef8291c5adae7311f97f0690aefea8fc4a3af1665d779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cmd.com
MD5
94835b6d4af91fc977e840d64adaa485

SHA1
77635f373780022f21f74ade8ee80d0e652248ed

SHA256
9e2455642e046af82e21bdc6bc8659a5acc10796e383dcd7064227b0e8c6675b

SHA512
c1ff6e810d1f3476e635a206ef7b9e762230e29a0608cb961df6931d415315e1661277f2cebb2bdd15ef8291c5adae7311f97f0690aefea8fc4a3af1665d779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp207.tmp.bat
MD5
cfb73d3d0bd10b358d1355c00560cf31

SHA1
9f450237283e045a2734d9e1503073eb11f563d5

SHA256
ed5227f1cd712f311a87adf207127f675524fe8ed14d488b463bc7c74c8c0d1b

SHA512
a93b44623e070c8ceb116e79bf8f0a2ac3fc3d367f798ebcbab79f92985c2a572e26ff308a2a2eb128ee906de35b7f40a2cce5d9c81f2f5eeab49cbe10e49ced

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/420-27-0x0000000000000000-mapping.dmp

Download
memory/496-26-0x0000000000000000-mapping.dmp

Download
memory/988-36-0x0000000000000000-mapping.dmp

Download
memory/1172-32-0x0000000000000000-mapping.dmp

Download
memory/1856-25-0x0000000000000000-mapping.dmp

Download
memory/2036-31-0x0000000003900000-0x0000000003905000-memory.dmp

Filesize
20KB

Download
memory/2036-29-0x000000001CC40000-0x000000001CC41000-memory.dmp

Filesize
4KB

Download
memory/2036-4-0x00007FFFF39E0000-0x00007FFFF43CC000-memory.dmp

Filesize
9.9MB

Download
memory/2036-7-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2036-9-0x0000000001740000-0x00000000017B0000-memory.dmp

Filesize
448KB

Download
memory/2036-10-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/2036-0-0x0000000000000000-mapping.dmp

Download
memory/2036-28-0x000000001CB30000-0x000000001CB31000-memory.dmp

Filesize
4KB

Download
memory/2072-20-0x0000000000000000-mapping.dmp

Download
memory/2136-24-0x0000000000000000-mapping.dmp

Download
memory/2156-3-0x0000000000000000-mapping.dmp

Download
memory/2256-34-0x0000000000000000-mapping.dmp

Download
memory/2340-21-0x0000000000000000-mapping.dmp

Download
memory/2508-35-0x0000000000000000-mapping.dmp

Download
memory/3216-23-0x0000000000000000-mapping.dmp

Download
memory/3624-19-0x0000000000000000-mapping.dmp

Download
memory/3912-22-0x0000000000000000-mapping.dmp

Download