Analysis
-
max time kernel
8s -
max time network
49s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
02/08/2021, 19:58
Static task
static1
Behavioral task
behavioral1
Sample
service.bin.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
service.bin.exe
Resource
win10v20210410
General
-
Target
service.bin.exe
-
Size
680KB
-
MD5
d3e88703aaa4fe2bfdb0f663744724cc
-
SHA1
a1cc305fefde48e889325437a33a6572e3899654
-
SHA256
992ddc778bc3af49b9b7c424071cfe0db67dbcee83994debfee421ef4190d473
-
SHA512
bdfa11eebd000973b83be71a813ae4ecd6aae00cd1f7e6a738f7fcdb07784fe1386c50185bfda697d9c96f1cdb7dd0f45f02e55a319d6ce302179c04980fd8f7
Malware Config
Extracted
oski
chikkark.xyz
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
pid Process 1624 cmd.exe -
Loads dropped DLL 5 IoCs
pid Process 1780 service.bin.exe 1780 service.bin.exe 1780 service.bin.exe 1780 service.bin.exe 1780 service.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 676 set thread context of 1780 676 service.bin.exe 28 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString service.bin.exe -
Kills process with taskkill 1 IoCs
pid Process 1632 taskkill.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 676 service.bin.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1632 taskkill.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 676 wrote to memory of 1780 676 service.bin.exe 28 PID 676 wrote to memory of 1780 676 service.bin.exe 28 PID 676 wrote to memory of 1780 676 service.bin.exe 28 PID 676 wrote to memory of 1780 676 service.bin.exe 28 PID 676 wrote to memory of 1780 676 service.bin.exe 28 PID 1780 wrote to memory of 1624 1780 service.bin.exe 32 PID 1780 wrote to memory of 1624 1780 service.bin.exe 32 PID 1780 wrote to memory of 1624 1780 service.bin.exe 32 PID 1780 wrote to memory of 1624 1780 service.bin.exe 32 PID 1624 wrote to memory of 1632 1624 cmd.exe 34 PID 1624 wrote to memory of 1632 1624 cmd.exe 34 PID 1624 wrote to memory of 1632 1624 cmd.exe 34 PID 1624 wrote to memory of 1632 1624 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\service.bin.exe"C:\Users\Admin\AppData\Local\Temp\service.bin.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Users\Admin\AppData\Local\Temp\service.bin.exe"C:\Users\Admin\AppData\Local\Temp\service.bin.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 1780 & erase C:\Users\Admin\AppData\Local\Temp\service.bin.exe & RD /S /Q C:\\ProgramData\\889775212846765\\* & exit3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 17804⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
-
-