FLP_1037850047.exe

General

Target: FLP_1037850047.exe
Filesize: 379KB
Completed: 06-05-2021 14:15
Score: 10/10
MD5: d32bc982566fbb8d81d3012779d3c320
SHA1: 74e5c60af59a50757abc29942c888fa43e854204
SHA256: a59fbc4f9903ed18c989e87bc83073b463310ffe6c90a43c53400739719d0aae

Malware Config

Extracted

Family: oski
C2: duiy.xyz

Signatures (11)

Tactics: Collection, Credential Access, Discovery

  • Oski

    Description

    Oski is an infostealer targeting browser data and cryptocurrency wallets.

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Suspicious use of SetThreadContext
    FLP_1037850047.exe

    Reported IOCs

    description | pid | process | target process
    PID 4656 set thread context of 3984 | 4656 | FLP_1037850047.exe | FLP_1037850047.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The signature's generic wording calls this likely ransomware behaviour, but this sample is classified as the Oski infostealer, and for a stealer the same drive enumeration is more consistent with file discovery than with encryption.

    TTPs

    System Information Discovery
  • Checks processor information in registry
    FLP_1037850047.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | FLP_1037850047.exe
  • Kills process with taskkill
    taskkill.exe

    Reported IOCs

    pid | process
    392 | taskkill.exe
  • Suspicious behavior: EnumeratesProcesses
    FLP_1037850047.exe

    Reported IOCs

    pid | process
    4656 | FLP_1037850047.exe (reported twice)
  • Suspicious use of AdjustPrivilegeToken
    FLP_1037850047.exe, taskkill.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 4656 | FLP_1037850047.exe
    Token: SeDebugPrivilege | 392 | taskkill.exe
  • Suspicious use of WriteProcessMemory
    FLP_1037850047.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 4656 wrote to memory of 3984 | 4656 | FLP_1037850047.exe | FLP_1037850047.exe (reported 9 times)
    PID 3984 wrote to memory of 4296 | 3984 | FLP_1037850047.exe | cmd.exe (reported 3 times)
    PID 4296 wrote to memory of 392 | 4296 | cmd.exe | taskkill.exe (reported 3 times)
Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe
    "C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe
      C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 3984 & erase C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe & RD /S /Q C:\\ProgramData\\061884273803733\\* & exit
        Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /pid 3984
          Kills process with taskkill
          Suspicious use of AdjustPrivilegeToken
          PID:392
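The two chains the signatures and the process tree record, hollowing (PID 4656 writes into its same-image child 3984 and sets its thread context) and the cmd.exe self-delete (kill 3984, erase the dropper, wipe the ProgramData working directory), are worth turning into a correlation rule rather than reading off by hand. The script below is an added example, not the sandbox's own detection logic: the event tuples and process table are transcribed from this report, while the tuple layout, the same-image requirement in find_hollowing() and the command-line regexes are assumptions of the example. The report lists signature hits, not a timeline, so neither rule depends on event order.

```python
"""Correlate sandbox process events into the two behaviours this report shows:
process hollowing (a parent writes into a child spawned from the same image and
sets its thread context) and the cmd.exe chain that kills the running copy and
erases its file.

Added example, not the sandbox's own detection code. Event rows and process
tree are transcribed from the report; field layout, the same-image requirement
and the command-line patterns are this script's assumptions."""
import re
from collections import defaultdict

# Constructed from the "Reported IOCs" rows:
# (api, source_pid, target_pid, source_image, target_image)
EVENTS = (
    [("WriteProcessMemory", 4656, 3984, "FLP_1037850047.exe", "FLP_1037850047.exe")] * 9
    + [("SetThreadContext", 4656, 3984, "FLP_1037850047.exe", "FLP_1037850047.exe")]
    + [("WriteProcessMemory", 3984, 4296, "FLP_1037850047.exe", "cmd.exe")] * 3
    + [("WriteProcessMemory", 4296, 392, "cmd.exe", "taskkill.exe")] * 3
)

# Constructed from the process tree: pid -> (image, command line).
PROCESSES = {
    4656: ("FLP_1037850047.exe", r'"C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe"'),
    3984: ("FLP_1037850047.exe", r"C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe"),
    4296: ("cmd.exe", r'"C:\Windows\System32\cmd.exe" /c taskkill /pid 3984 & erase '
                      r"C:\Users\Admin\AppData\Local\Temp\FLP_1037850047.exe & "
                      r"RD /S /Q C:\\ProgramData\\061884273803733\\* & exit"),
    392: ("taskkill.exe", "taskkill /pid 3984"),
}


def find_hollowing(events):
    """Return (writer_pid, target_pid, write_count) for every pair where one
    process both wrote into a different process running the same image and set
    a thread context in it. A benign parent does neither to its child; together
    they are the WriteProcessMemory/SetThreadContext core of hollowing.
    Requiring the same image is deliberately narrow (it is what this report
    shows); hollowing into svchost.exe or another host needs that check relaxed."""
    writes = defaultdict(int)
    context_set = set()
    for api, src, dst, src_img, dst_img in events:
        if src == dst or src_img.lower() != dst_img.lower():
            continue
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            context_set.add((src, dst))
    return sorted((s, d, writes[(s, d)]) for (s, d) in context_set if writes[(s, d)])


# "taskkill /pid N ... erase|del PATH": kill a process, then remove a file.
SELF_DELETE = re.compile(
    r"taskkill\s+/pid\s+(?P<pid>\d+).*?\b(?:erase|del)\s+(?P<path>\S+)", re.IGNORECASE
)
WIPE_DIR = re.compile(r"\bRD\s+/S\s+/Q\s+(?P<dir>\S+)", re.IGNORECASE)


def find_self_delete(processes):
    """Flag a cmd.exe whose command line kills a PID and erases that PID's own
    image path. The erased path is compared with the victim's command line so a
    cmd.exe cleaning up an unrelated file is not flagged."""
    hits = []
    for pid, (image, cmdline) in processes.items():
        if image.lower() != "cmd.exe":
            continue
        m = SELF_DELETE.search(cmdline)
        if not m:
            continue
        victim = int(m.group("pid"))
        victim_cmd = processes.get(victim, ("", ""))[1].strip('"')
        wipe = WIPE_DIR.search(cmdline)
        hits.append({
            "cmd_pid": pid,
            "killed_pid": victim,
            "erases_own_image": m.group("path").lower() == victim_cmd.lower(),
            "wiped_dir": wipe.group("dir") if wipe else None,
        })
    return hits


if __name__ == "__main__":
    for writer, target, n in find_hollowing(EVENTS):
        print(f"hollowing: PID {writer} wrote {n} times into PID {target} and set its thread context")
    for h in find_self_delete(PROCESSES):
        print(f"self-delete: cmd.exe PID {h['cmd_pid']} kills PID {h['killed_pid']}, "
              f"erases own image={h['erases_own_image']}, wipes {h['wiped_dir']}")
```

Run against this report's data the script reports one hollowing pair (4656 into 3984, nine writes) and one self-delete chain (cmd.exe 4296 killing 3984 and erasing the same path 3984 was started from). The same-image check is the point most worth tuning in production telemetry: a parent writing into and re-pointing a thread of any child it just created is the stronger signal, and the image comparison here only mirrors what this sample happened to do.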
Network
MITRE ATT&CK Matrix
Downloads

• memory/392-125-0x0000000000000000-mapping.dmp
• memory/3984-121-0x0000000000400000-0x0000000000438000-memory.dmp
• memory/3984-122-0x000000000040717B-mapping.dmp
• memory/3984-123-0x0000000000400000-0x0000000000438000-memory.dmp
• memory/4296-124-0x0000000000000000-mapping.dmp
• memory/4656-114-0x0000000000A30000-0x0000000000A31000-memory.dmp
• memory/4656-116-0x0000000001470000-0x0000000001475000-memory.dmp
• memory/4656-117-0x0000000005380000-0x0000000005381000-memory.dmp
• memory/4656-118-0x0000000002F00000-0x0000000002F01000-memory.dmp
• memory/4656-119-0x0000000002EE0000-0x0000000002EE1000-memory.dmp
• memory/4656-120-0x0000000005320000-0x000000000533D000-memory.dmp

The two dumps of 0x00400000-0x00438000 in PID 3984, with a mapping entry at 0x0040717B inside that range, are consistent with the WriteProcessMemory and SetThreadContext events above: PID 4656 wrote an image into its child 3984 and the child's thread context was set to an address in that region. That region is where to look for the unpacked Oski payload.
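The Downloads list is the raw material for confirming the injection: the region dump of PID 3984 at 0x00400000-0x00438000 should hold the PE image that 4656 wrote, and the mapping entry 0x0040717B should be its entry point. The script below, an added example rather than any tooling of the sandbox, parses the download names, finds the region dump covering the mapping address, and checks a PE header's AddressOfEntryPoint against it. The dump bytes are not on this page, so the hypothetical build_minimal_pe() helper constructs a stand-in header with only the fields the check reads; the filename pattern is an assumption of the example, and the header offsets follow the PE/COFF format.

```python
"""Relate the memory dumps a sandbox lists to the injection its signatures
describe: locate the region dump that covers the reported mapping address and
verify that a PE image at that region's base has its entry point there.

Added example, not the sandbox's own tooling. Dump names are transcribed from
the report; the filename pattern and the stand-in PE header are assumptions."""
import re
import struct

# Constructed from the Downloads list above.
DUMPS = [
    "memory/392-125-0x0000000000000000-mapping.dmp",
    "memory/3984-121-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/3984-122-0x000000000040717B-mapping.dmp",
    "memory/3984-123-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/4296-124-0x0000000000000000-mapping.dmp",
    "memory/4656-120-0x0000000005320000-0x000000000533D000-memory.dmp",
]

# Assumed layout: memory/<pid>-<n>-0x<start>[-0x<end>]-<kind>.dmp
DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
)


def parse_dump_name(name):
    """Split a download name into pid, index, kind and address range (end is
    None for the single-address "mapping" entries); None if it does not fit."""
    m = DUMP_NAME.fullmatch(name)
    if not m:
        return None
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "kind": m["kind"],
            "start": int(m["start"], 16),
            "end": int(m["end"], 16) if m["end"] else None}


def region_containing(names, pid, addr):
    """(start, end) of the region dump of `pid` that covers `addr`, else None."""
    for d in map(parse_dump_name, names):
        if d and d["pid"] == pid and d["kind"] == "memory" and d["start"] <= addr < d["end"]:
            return d["start"], d["end"]
    return None


def pe_entry_point(image):
    """Entry-point RVA of a PE image held in memory, or None if the bytes do not
    begin with an MZ header, a PE signature and a known optional-header magic."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt = e_lfanew + 4 + 20          # PE signature (4) + COFF file header (20)
    if opt + 0x14 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    return struct.unpack_from("<I", image, opt + 0x10)[0]   # AddressOfEntryPoint


def entry_matches_mapping(image, region_base, mapping_addr):
    """True when the image loaded at region_base has its entry at mapping_addr,
    i.e. the thread context was pointed at the injected image's entry point."""
    rva = pe_entry_point(image)
    return rva is not None and region_base + rva == mapping_addr


def build_minimal_pe(entry_rva):
    """Constructed stand-in for the dump (hypothetical helper): MZ header, PE
    signature, COFF header with Machine = i386 (the tree shows SysWOW64
    processes) and a PE32 optional header carrying only the entry-point field."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)              # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, 0x14C)             # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x98, 0x10B)             # optional header Magic: PE32
    struct.pack_into("<I", buf, 0x98 + 0x10, entry_rva)  # AddressOfEntryPoint
    return bytes(buf)


if __name__ == "__main__":
    base, end = region_containing(DUMPS, 3984, 0x40717B)
    print(f"mapping 0x40717B lies in region 0x{base:X}-0x{end:X} of PID 3984")
    stand_in = build_minimal_pe(0x40717B - base)
    print("entry point matches mapping:", entry_matches_mapping(stand_in, base, 0x40717B))
```

With the real dump, replace the stand-in with the file's bytes; a mismatch between base + AddressOfEntryPoint and the mapping address usually means the region is not the injected image (for example a heap or a loader stub) or that the thread was pointed somewhere other than the PE entry.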