Analysis
- max time kernel: 33s
- max time network: 32s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 19:55

Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
- Resource: win10v20201028
General
- Target: SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
- Size: 772KB
- MD5: 65e641e56046e02afa450a6b45becbf3
- SHA1: 4ff9cc7a7322fb54a9f45d6bab2c71992a729ea7
- SHA256: dd22eb456a9a1b80eb044458c761643ba2a47acbe1f98e76b0efecc9a80f4488
- SHA512: d8dab099d9ee4efb2df7ed21ad1c3d9290bc230cf8db75c95f7e8f3cd63b8c8b20184043012a7f08a6b90eb2b175413b23a1cb53c9de59dce0d23c3f3d2913d7
Malware Config

Signatures
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    1284 | cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
- Kills process with taskkill (1 IoCs)
  Processes:
    pid | process
    1232 | taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1232 | taskkill.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 1668 wrote to memory of 1284 | 1668 | SecuriteInfo.com.Mal.Generic-S.28463.8334.exe | cmd.exe
    PID 1668 wrote to memory of 1284 | 1668 | SecuriteInfo.com.Mal.Generic-S.28463.8334.exe | cmd.exe
    PID 1668 wrote to memory of 1284 | 1668 | SecuriteInfo.com.Mal.Generic-S.28463.8334.exe | cmd.exe
    PID 1668 wrote to memory of 1284 | 1668 | SecuriteInfo.com.Mal.Generic-S.28463.8334.exe | cmd.exe
    PID 1284 wrote to memory of 1232 | 1284 | cmd.exe | taskkill.exe
    PID 1284 wrote to memory of 1232 | 1284 | cmd.exe | taskkill.exe
    PID 1284 wrote to memory of 1232 | 1284 | cmd.exe | taskkill.exe
    PID 1284 wrote to memory of 1232 | 1284 | cmd.exe | taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.28463.8334.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 1668 & erase C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.28463.8334.exe & RD /S /Q C:\ProgramData\444444194656633\* & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /pid 1668
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken