FLP_1037850047.exe

General

Target: FLP_1037850047.exe
Filesize: 379KB
Completed: 06-05-2021 14:15
Score: 10/10
MD5: d32bc982566fbb8d81d3012779d3c320
SHA1: 74e5c60af59a50757abc29942c888fa43e854204
SHA256: a59fbc4f9903ed18c989e87bc83073b463310ffe6c90a43c53400739719d0aae

Malware Config

Extracted

Family: oski
C2: duiy.xyz

Signatures 12

Collection
Credential Access
Discovery
  • Oski

    Description

    Oski is an infostealer targeting browser data and cryptocurrency wallets.

  • Deletes itself
    cmd.exe

    Reported IOCs

    pid   process
    1820  cmd.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System; Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Suspicious use of SetThreadContext
    FLP_1037850047.exe

    Reported IOCs

    description                         pid   process              target process
    PID 980 set thread context of 1276  980   FLP_1037850047.exe   FLP_1037850047.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    FLP_1037850047.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description         ioc                                                                                       process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      FLP_1037850047.exe
  • Kills process with taskkill
    taskkill.exe

    Reported IOCs

    pid   process
    1848  taskkill.exe
  • Suspicious behavior: EnumeratesProcesses
    FLP_1037850047.exe

    Reported IOCs

    pid   process
    980   FLP_1037850047.exe
    980   FLP_1037850047.exe
  • Suspicious use of AdjustPrivilegeToken
    FLP_1037850047.exe, taskkill.exe

    Reported IOCs

    description                pid   process
    Token: SeDebugPrivilege    980   FLP_1037850047.exe
    Token: SeDebugPrivilege    1848  taskkill.exe
  • Suspicious use of WriteProcessMemory
    FLP_1037850047.exe, FLP_1037850047.exe, cmd.exe

    Reported IOCs

    description                        pid   process              target process
    PID 980 wrote to memory of 1276    980   FLP_1037850047.exe   FLP_1037850047.exe
    PID 980 wrote to memory of 1276    980   FLP_1037850047.exe   FLP_1037850047.exe
    PID 980 wrote to memory of 1276    980   FLP_1037850047.exe   FLP_1037850047.exe
    PID 980 wrote to memory of 1276    980   FLP_1037850047.exe   FLP_1037850047.exe
    PID 980 wrote to memory of 1276    980   FLP_1037850047.exe   FLP_1037850047.exe
    PID 980 wrote to memory of 1276    980   FLP_1037850047.exe   FLP_1037850047.exe
    PID 980 wrote to memory of 1276    980   FLP_1037850047.exe   FLP_1037850047.exe
    PID 980 wrote to memory of 1276    980   FLP_1037850047.exe   FLP_1037850047.exe
    PID 980 wrote to memory of 1276    980   FLP_1037850047.exe   FLP_1037850047.exe
    PID 980 wrote to memory of 1276    980   FLP_1037850047.exe   FLP_1037850047.exe
    PID 1276 wrote to memory of 1820   1276  FLP_1037850047.exe   cmd.exe
    PID 1276 wrote to memory of 1820   1276  FLP_1037850047.exe   cmd.exe
    PID 1276 wrote to memory of 1820   1276  FLP_1037850047.exe   cmd.exe
    PID 1276 wrote to memory of 1820   1276  FLP_1037850047.exe   cmd.exe
    PID 1820 wrote to memory of 1848   1820  cmd.exe              taskkill.exe
    PID 1820 wrote to memory of 1848   1820  cmd.exe              taskkill.exe
    PID 1820 wrote to memory of 1848   1820  cmd.exe              taskkill.exe
    PID 1820 wrote to memory of 1848   1820  cmd.exe              taskkill.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe
    "C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:980
    • C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe
      C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 1276 & erase C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe & RD /S /Q C:\\ProgramData\\693626471404372\\* & exit
        Deletes itself
        Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /pid 1276
          Kills process with taskkill
          Suspicious use of AdjustPrivilegeToken
          PID:1848
Network
MITRE ATT&CK Matrix

Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/980-60-0x0000000001150000-0x0000000001151000-memory.dmp
  • memory/980-62-0x0000000004A30000-0x0000000004A31000-memory.dmp
  • memory/980-63-0x00000000003D0000-0x00000000003D5000-memory.dmp
  • memory/980-64-0x00000000004C0000-0x00000000004DD000-memory.dmp
  • memory/1276-65-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/1276-66-0x000000000040717B-mapping.dmp
  • memory/1276-67-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
  • memory/1276-68-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/1820-69-0x0000000000000000-mapping.dmp
  • memory/1848-70-0x0000000000000000-mapping.dmp