Analysis
- max time kernel: 60s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 18:48
Static task: static1
Behavioral task: behavioral1
- Sample: SCAN_Wells Fargo bank payment.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: SCAN_Wells Fargo bank payment.exe
- Resource: win10v20210410
General
- Target: SCAN_Wells Fargo bank payment.exe
- Size: 912KB
- MD5: e2e01c7a8e323e117cfc9c4cdf0ad1c2
- SHA1: ea718bc482d968f9db9577b8d9edb08e4f24abbd
- SHA256: e8b4e90cb7a9233231088d027c2c090aafc143c77e1f46d34d6b206c2c797419
- SHA512: 53a677c7e4f2968319c5d464446e7c777c9b7f61fed01cf5225c121fea661b65c24dc358d52fece233b24db18b1fd1d95d4bc580860c93bb803c77a87c260215
Malware Config
Extracted
- Family: oski
- C2: mmcjo.com/crown/ (panel URL recovered from the Oski configuration embedded in the sample)
Signatures
- Oski
  Oski is an infostealer targeting browser data and cryptocurrency wallets.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other profile data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                            target process
    PID 3956 set thread context of 2044  3956  SCAN_Wells Fargo bank payment.exe  SCAN_Wells Fargo bank payment.exe
  Taken together with the WriteProcessMemory rows below (3956 writing repeatedly into 2044, a second copy of its own image), this is the process-hollowing pattern: the parent launches a child of the same executable, overwrites the child's memory with the unpacked payload, then redirects the child's thread to it with SetThreadContext.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is ransomware behaviour, but given the Oski configuration extracted above it is more consistent with an infostealer enumerating drives for files to collect.
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    2580  2044        WerFault.exe  SCAN_Wells Fargo bank payment.exe
  The crashing process is the hollowed child (2044), not the original parent (3956).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    pid   process                            count
    3956  SCAN_Wells Fargo bank payment.exe  1
    2580  WerFault.exe                       14
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    3956  SCAN_Wells Fargo bank payment.exe
    Token: SeRestorePrivilege  2580  WerFault.exe
    Token: SeBackupPrivilege   2580  WerFault.exe
    Token: SeDebugPrivilege    2580  WerFault.exe
  The WerFault.exe rows are normal crash-reporting behaviour; the SeDebugPrivilege request by the sample itself is the one worth noting.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                            target process                     count
    PID 3956 wrote to memory of 3848  3956  SCAN_Wells Fargo bank payment.exe  schtasks.exe                       3
    PID 3956 wrote to memory of 2044  3956  SCAN_Wells Fargo bank payment.exe  SCAN_Wells Fargo bank payment.exe  9
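Added example (not part of the sandbox report): a small correlation rule that turns the WriteProcessMemory and SetThreadContext rows above into a process-hollowing finding. The events are constructed by hand to mirror the report's rows (PIDs 3956, 3848 and 2044, the 3 + 9 writes and the single thread-context change); the field names, severity labels and the T1055.012 mapping are assumptions for illustration, not the sandbox's own schema.

```python
"""Flag process-hollowing style injection from sandbox API events.

Process hollowing shows up in API telemetry as a parent that writes into
a child with WriteProcessMemory and then replaces the child's thread
context with SetThreadContext.  Writes on their own are noisy (a parent
also writes into every child it starts, as with schtasks.exe here); the
SetThreadContext on the same target is what makes the pair alert-worthy,
and a child running the same image as the parent is the classic form.
"""
from collections import defaultdict

SAMPLE = "SCAN_Wells Fargo bank payment.exe"

# Constructed events modelled on the report's "wrote to memory of" and
# "set thread context of" rows.  Fields: api, pid, image, target, target_image.
EVENTS = (
    [{"api": "WriteProcessMemory", "pid": 3956, "image": SAMPLE,
      "target": 3848, "target_image": "schtasks.exe"} for _ in range(3)]
    + [{"api": "WriteProcessMemory", "pid": 3956, "image": SAMPLE,
        "target": 2044, "target_image": SAMPLE} for _ in range(9)]
    + [{"api": "SetThreadContext", "pid": 3956, "image": SAMPLE,
        "target": 2044, "target_image": SAMPLE}]
)


def find_hollowing(events):
    """Return one finding per (pid, target) pair that was both written to and
    had a thread context replaced.  Each finding records the write count,
    whether parent and child share an image (self-hollowing), and a severity.
    Severity labels and the technique id are assumptions for this example."""
    by_pair = defaultdict(lambda: {"writes": 0, "ctx": 0,
                                   "image": None, "target_image": None})
    for ev in events:
        slot = by_pair[(ev["pid"], ev["target"])]
        slot["image"], slot["target_image"] = ev["image"], ev["target_image"]
        if ev["api"] == "WriteProcessMemory":
            slot["writes"] += 1
        elif ev["api"] == "SetThreadContext":
            slot["ctx"] += 1

    findings = []
    for (pid, target), s in sorted(by_pair.items()):
        if s["writes"] and s["ctx"]:          # both halves of the pattern seen
            same_image = s["image"] == s["target_image"]
            findings.append({
                "pid": pid,
                "target": target,
                "target_image": s["target_image"],
                "writes": s["writes"],
                "same_image": same_image,
                "severity": "high" if same_image else "medium",
                "technique": "T1055.012",   # Process Injection: Process Hollowing
            })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f"{f['severity']}: {f['pid']} hollowed {f['target']} "
              f"({f['target_image']}) after {f['writes']} writes")
```

Run against the constructed events the rule reports only the 3956 -> 2044 pair; the three writes into schtasks.exe (3848) never get a SetThreadContext and so stay out of the findings, which is the behaviour you want from a rule that has to live next to ordinary process creation.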
Processes
- C:\Users\Admin\AppData\Local\Temp\SCAN_Wells Fargo bank payment.exe (PID 3956)
  "C:\Users\Admin\AppData\Local\Temp\SCAN_Wells Fargo bank payment.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 3848)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DudhvdcY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE600.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SCAN_Wells Fargo bank payment.exe (PID 2044)
    "C:\Users\Admin\AppData\Local\Temp\SCAN_Wells Fargo bank payment.exe"
    - C:\Windows\SysWOW64\WerFault.exe (PID 2580)
      C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1172
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The command line asks for System32\schtasks.exe but the process that runs is the SysWOW64 copy: the sample is a 32-bit process, so WOW64 file system redirection maps System32 to SysWOW64 for it. The task is registered from an XML definition (tmpE600.tmp, hashed under Downloads below) dropped in the user's Temp folder, under a task folder named "Updates" with a random-looking task name; both are typical of commodity-stealer persistence rather than of a legitimate installer. The second copy of the sample (PID 2044) is the hollowed child; WerFault.exe -p 2044 is Windows Error Reporting handling its crash.
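Added example (not part of the sandbox report): a triage function for the schtasks.exe command line in the tree above, scoring it on the traits that make it suspicious here: a /Create with the task definition read from an XML file in the user's Temp folder, a generated-looking task name under a non-vendor folder, and a registering process that itself runs from Temp. The command line and parent path are copied from the report; the thresholds, the "generated name" heuristic and the benign comparison case are assumptions for illustration, not a vendor rule.

```python
"""Triage a schtasks.exe /Create command line for stealer-style persistence."""
import re

# Copied from the process tree above (Windows paths, so backslashes are doubled).
CMDLINE = ('"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\DudhvdcY" '
           '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpE600.tmp"')
PARENT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SCAN_Wells Fargo bank payment.exe"

# Option values may be quoted (paths and names containing spaces) or bare.
_OPT = re.compile(r'/(?P<name>TN|XML|TR|SC)\s+(?:"(?P<q>[^"]*)"|(?P<b>\S+))', re.I)
_USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Heuristic (assumption): 6-12 letters with no separators or digits, the
# shape of names such as DudhvdcY that stealers generate per victim.
_GENERATED = re.compile(r"^[A-Za-z]{6,12}$")


def parse_schtasks(cmdline):
    """Return the options of interest, upper-cased, plus a 'create' flag."""
    opts = {}
    for m in _OPT.finditer(cmdline):
        value = m.group("q") if m.group("q") is not None else m.group("b")
        opts[m.group("name").upper()] = value
    opts["create"] = re.search(r"\s/create\b", cmdline, re.I) is not None
    return opts


def triage_schtasks(cmdline, parent_image):
    """Score one schtasks invocation.  'suspicious' is True when at least
    two independent indicators are present, so a single odd trait (e.g. an
    installer legitimately using /XML) does not trip it on its own."""
    opts = parse_schtasks(cmdline)
    reasons = []
    if not opts["create"]:
        return {"suspicious": False, "reasons": reasons, "opts": opts}

    xml = opts.get("XML", "")
    task_name = opts.get("TN", "")
    if xml and _USER_TEMP.search(xml):
        reasons.append("task XML supplied from the user's Temp folder")
    if xml.lower().endswith(".tmp"):
        reasons.append("task XML has a .tmp extension")
    folder, _, leaf = task_name.rpartition("\\")
    if folder and not folder.lower().startswith("microsoft\\") and _GENERATED.match(leaf):
        reasons.append(f"generated-looking task name {leaf!r} under folder {folder!r}")
    if _USER_TEMP.search(parent_image):
        reasons.append("registered by an executable running from the user's Temp folder")

    return {"suspicious": len(reasons) >= 2, "reasons": reasons, "opts": opts}


if __name__ == "__main__":
    result = triage_schtasks(CMDLINE, PARENT)
    print("suspicious" if result["suspicious"] else "benign")
    for r in result["reasons"]:
        print(" -", r)
```

On the report's command line all four indicators fire. The same function returns benign for a /Query of a task under Microsoft\Windows issued from cmd.exe, which is the kind of negative case worth keeping beside the rule so that later tuning of the heuristics does not silently widen it.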
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpE600.tmp (scheduled-task XML passed to schtasks.exe /XML)
  MD5: db533f27d1a8b9202022f747a571b4fd
  SHA1: 7b3a0e459759703879b94222c14379d1fb5a2abe
  SHA256: a46aae2ae8e5254102bfc8153a02cfd75f48cd2c4ed64d1338f20d3edfae2406
  SHA512: eb9c056dc8647878a8dbabc9a59c9e5d96805315b0aa661c99b0c4603b9e5e8ac75fbf17bd2454be28ad51f520cc9088f9e5aaac1e7ea89e5189307be3bd6c80
- Memory dumps (by PID and dump index)
  dump                                                              region                   size
  memory/3956-114-0x0000000000F70000-0x0000000000F71000-memory.dmp  0x00F70000-0x00F71000    4KB
  memory/3956-116-0x0000000005E90000-0x0000000005E91000-memory.dmp  0x05E90000-0x05E91000    4KB
  memory/3956-117-0x0000000005890000-0x0000000005891000-memory.dmp  0x05890000-0x05891000    4KB
  memory/3956-118-0x0000000005880000-0x0000000005881000-memory.dmp  0x05880000-0x05881000    4KB
  memory/3956-119-0x0000000005B90000-0x0000000005B91000-memory.dmp  0x05B90000-0x05B91000    4KB
  memory/3956-120-0x0000000005990000-0x0000000005E8E000-memory.dmp  0x05990000-0x05E8E000    5.0MB
  memory/3956-121-0x0000000005B40000-0x0000000005B5B000-memory.dmp  0x05B40000-0x05B5B000    108KB
  memory/3956-122-0x0000000008FA0000-0x0000000009013000-memory.dmp  0x08FA0000-0x09013000    460KB
  memory/3956-123-0x0000000009020000-0x0000000009058000-memory.dmp  0x09020000-0x09058000    224KB
  memory/3848-124-0x0000000000000000-mapping.dmp                    (mapping)
  memory/2044-126-0x0000000000400000-0x0000000000438000-memory.dmp  0x00400000-0x00438000    224KB
  memory/2044-127-0x000000000040717B-mapping.dmp                    (mapping at 0x0040717B)
  memory/2044-128-0x0000000000400000-0x0000000000438000-memory.dmp  0x00400000-0x00438000    224KB

The two 224KB dumps of PID 2044 at 0x00400000-0x00438000 cover the hollowed child's image region, and they are exactly the size of the 224KB buffer dumped from the parent at 0x09020000-0x09058000 (dump 3956-123). Diffing those two dumps is the quickest way to confirm that the parent staged the unpacked Oski payload in its own heap before writing it into the child; the mapping address 0x0040717B for PID 2044 falls inside that region.