Analysis
max time kernel: 36s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 19:55
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
  Resource: win10v20201028
General
Target: SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
Size: 772KB
MD5: 65e641e56046e02afa450a6b45becbf3
SHA1: 4ff9cc7a7322fb54a9f45d6bab2c71992a729ea7
SHA256: dd22eb456a9a1b80eb044458c761643ba2a47acbe1f98e76b0efecc9a80f4488
SHA512: d8dab099d9ee4efb2df7ed21ad1c3d9290bc230cf8db75c95f7e8f3cd63b8c8b20184043012a7f08a6b90eb2b175413b23a1cb53c9de59dce0d23c3f3d2913d7
Malware Config
Signatures
- Oski
  Oski is an infostealer targeting browser data and cryptocurrency wallets.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The generic signature text labels this likely ransomware behaviour, but for a sample classified as an infostealer it is equally consistent with enumerating drives for files to collect; treat the label as a hint, not a verdict.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments: a hypervisor-branded ProcessorNameString gives a sample a cheap VM check. The read itself is also common in legitimate software, so it is weak evidence on its own.
  Processes:
    description        ioc                                                                                   process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  SecuriteInfo.com.Mal.Generic-S.28463.8334.exe
- Kills process with taskkill (1 IoC)
  Processes:
    pid   process
    2484  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2484  taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                                         target process
    PID 3980 wrote to memory of 3184  3980  SecuriteInfo.com.Mal.Generic-S.28463.8334.exe  cmd.exe
    PID 3980 wrote to memory of 3184  3980  SecuriteInfo.com.Mal.Generic-S.28463.8334.exe  cmd.exe
    PID 3980 wrote to memory of 3184  3980  SecuriteInfo.com.Mal.Generic-S.28463.8334.exe  cmd.exe
    PID 3184 wrote to memory of 2484  3184  cmd.exe                                        taskkill.exe
    PID 3184 wrote to memory of 2484  3184  cmd.exe                                        taskkill.exe
    PID 3184 wrote to memory of 2484  3184  cmd.exe                                        taskkill.exe
  Each parent/child pair appears three times and matches a process creation in the tree below. A parent writing into a child it has just spawned is part of normal CreateProcess start-up (the parent populates the child's process parameters), so these rows corroborate the tree rather than indicate code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.28463.8334.exe (PID 3980, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.28463.8334.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3184, depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 3980 & erase C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.28463.8334.exe & RD /S /Q C:\ProgramData\781426682111244\* & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 2484, depth 3)
      command line: taskkill /pid 3980
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

The cmd.exe chain is the sample's clean-up: taskkill /pid 3980 targets the process that spawned cmd.exe, i.e. the sample itself; erase removes the sample from disk; and RD /S /Q deletes a numeric-named directory under C:\ProgramData, presumably the sample's working directory. Two practical notes: the image path C:\Windows\SysWOW64\cmd.exe for a command line naming System32 is WOW64 file-system redirection, so the sample runs as a 32-bit process; and taskkill without /F requests a graceful close rather than forcing termination, so the erase only succeeds if the parent has exited by the time it runs.
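A detection for the clean-up chain in the process tree above, written as an added example; it is not part of the sandbox report and does not reproduce the sandbox's own signature logic. The input events are constructed: the first three mirror the report's tree (PIDs 3980 -> 3184 -> 2484), while explorer.exe, updater.exe and the two benign cmd.exe lines are invented to show that the rule requires both conditions, killing the parent and erasing the parent's image, before it fires.

```python
"""Flag a cmd.exe that kills its own parent and erases the parent's binary.

Added example, not from the sandbox report. SAMPLE_EVENTS is constructed:
rows for PIDs 3980/3184/2484 mirror the report's process tree; the rest
(explorer.exe, updater.exe, PIDs 900/5000/5500/6000) are invented look-alikes.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon EID 1 or an EDR provides)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    cmd_pid: int
    parent_pid: int
    parent_image: str
    removed_dirs: list = field(default_factory=list)


SAMPLE_EVENTS = [
    ProcEvent(3980, 1200,
              r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.28463.8334.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.28463.8334.exe"'),
    ProcEvent(3184, 3980, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /pid 3980 & erase '
              r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.28463.8334.exe "
              r"& RD /S /Q C:\ProgramData\781426682111244\* & exit"),
    ProcEvent(2484, 3184, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /pid 3980"),
    # Invented benign rows: an operator kills an unrelated stuck process...
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5000, 900, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /f /pid 777'),
    # ...and an updater restarts itself by killing its parent but keeps the binary.
    ProcEvent(5500, 1, r"C:\Program Files\Example\updater.exe", "updater.exe --restart"),
    ProcEvent(6000, 5500, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /pid 5500 & exit'),
]

# cmd.exe chains commands with '&'. Splitting on bare ampersands is enough for
# this pattern; quoted paths containing '&' would need a real tokenizer.
_SEG_RE = re.compile(r"\s*&+\s*")
_TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*?/pid\s+(\d+)", re.I)
_DEL_RE = re.compile(r'\b(?:erase|del)\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.I)
_RD_RE = re.compile(r'\b(?:rd|rmdir)\s+(?:/\w\s+)*"?([^"]+?)"?\s*$', re.I)


def parse_cmd_chain(cmdline: str):
    """Return (killed_pids, deleted_paths, removed_dirs) parsed from a cmd /c string."""
    killed, deleted, removed = set(), [], []
    for seg in _SEG_RE.split(cmdline):
        if (m := _TASKKILL_RE.search(seg)):
            killed.add(int(m.group(1)))
        elif (m := _DEL_RE.search(seg)):
            deleted.append(m.group(1).strip())
        elif (m := _RD_RE.search(seg)):
            removed.append(m.group(1).strip())
    return killed, deleted, removed


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def detect_self_deletion(events):
    """Return one Finding per cmd.exe that kills its parent AND erases the parent's image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue  # orphaned event: the kill target cannot be tied to an image
        killed, deleted, removed = parse_cmd_chain(ev.cmdline)
        # Both conditions together are the signal; either alone is routine in admin scripts.
        if parent.pid in killed and _norm(parent.image) in {_norm(p) for p in deleted}:
            findings.append(Finding(ev.pid, parent.pid, parent.image, removed))
    return findings


if __name__ == "__main__":
    for f in detect_self_deletion(SAMPLE_EVENTS):
        print(f"self-deletion: cmd.exe {f.cmd_pid} kills and erases {f.parent_image} "
              f"(pid {f.parent_pid}); also removes {f.removed_dirs}")
```

Run against the constructed events, only PID 3184 is reported; the operator's taskkill (wrong PID) and the updater (no erase) are not. Feeding real Sysmon EID 1 events means mapping ProcessId/ParentProcessId/Image/CommandLine onto ProcEvent; the RD path captured in removed_dirs is the value worth pivoting on for the staging directory.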