Analysis
max time kernel: 54s
max time network: 56s
platform: windows7_x64
resource: win7v20210410
submitted: 02/08/2021, 06:03
Static task: static1
Behavioral task: behavioral1
Sample: 8663ed0caec9adcb980a4a7ea23e7984.exe
Resource: win7v20210410
General
Target: 8663ed0caec9adcb980a4a7ea23e7984.exe
Size: 1.3MB
MD5: 8663ed0caec9adcb980a4a7ea23e7984
SHA1: e6dcb19362e88b50ab1990e7032437072f104e98
SHA256: bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
SHA512: fd75e6bde035e103e84322411ca7b4107f1673d03170b940af3066f9f4eb58b063ec244302c8dccab87f5816e2b55a177dc1c1d7f498742fd8e0f24fb64317a9
Malware Config
Extracted
oski
fine.le-pearl.com
Signatures
- Oski
Oski is an infostealer targeting browser data and crypto wallets.
- Deletes itself (1 IoC)
pid   Process
824   cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
description                              pid   Process                               procid_target
PID 2020 set thread context of 864       2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 1 IoC)
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                                          Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString         8663ed0caec9adcb980a4a7ea23e7984.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
992   schtasks.exe
- Kills process with taskkill (1 IoC)
pid   Process
1148  taskkill.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid   Process
764   powershell.exe
1904  powershell.exe
2020  8663ed0caec9adcb980a4a7ea23e7984.exe
2020  8663ed0caec9adcb980a4a7ea23e7984.exe
2020  8663ed0caec9adcb980a4a7ea23e7984.exe
2020  8663ed0caec9adcb980a4a7ea23e7984.exe
2020  8663ed0caec9adcb980a4a7ea23e7984.exe
2020  8663ed0caec9adcb980a4a7ea23e7984.exe
2020  8663ed0caec9adcb980a4a7ea23e7984.exe
1176  powershell.exe
764   powershell.exe
1176  powershell.exe
1904  powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
description               pid   Process
Token: SeDebugPrivilege   764   powershell.exe
Token: SeDebugPrivilege   1904  powershell.exe
Token: SeDebugPrivilege   2020  8663ed0caec9adcb980a4a7ea23e7984.exe
Token: SeDebugPrivilege   1176  powershell.exe
Token: SeDebugPrivilege   1148  taskkill.exe
- Suspicious use of WriteProcessMemory (46 IoCs)
description                          pid   Process                               procid_target
PID 2020 wrote to memory of 1904     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  29
PID 2020 wrote to memory of 1904     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  29
PID 2020 wrote to memory of 1904     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  29
PID 2020 wrote to memory of 1904     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  29
PID 2020 wrote to memory of 764      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  31
PID 2020 wrote to memory of 764      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  31
PID 2020 wrote to memory of 764      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  31
PID 2020 wrote to memory of 764      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  31
PID 2020 wrote to memory of 992      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  33
PID 2020 wrote to memory of 992      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  33
PID 2020 wrote to memory of 992      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  33
PID 2020 wrote to memory of 992      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  33
PID 2020 wrote to memory of 1176     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  35
PID 2020 wrote to memory of 1176     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  35
PID 2020 wrote to memory of 1176     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  35
PID 2020 wrote to memory of 1176     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  35
PID 2020 wrote to memory of 680      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  40
PID 2020 wrote to memory of 680      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  40
PID 2020 wrote to memory of 680      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  40
PID 2020 wrote to memory of 680      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  40
PID 2020 wrote to memory of 1756     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  38
PID 2020 wrote to memory of 1756     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  38
PID 2020 wrote to memory of 1756     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  38
PID 2020 wrote to memory of 1756     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  38
PID 2020 wrote to memory of 1796     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  37
PID 2020 wrote to memory of 1796     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  37
PID 2020 wrote to memory of 1796     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  37
PID 2020 wrote to memory of 1796     2020  8663ed0caec9adcb980a4a7ea23e7984.exe  37
PID 2020 wrote to memory of 864      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
PID 2020 wrote to memory of 864      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
PID 2020 wrote to memory of 864      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
PID 2020 wrote to memory of 864      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
PID 2020 wrote to memory of 864      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
PID 2020 wrote to memory of 864      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
PID 2020 wrote to memory of 864      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
PID 2020 wrote to memory of 864      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
PID 2020 wrote to memory of 864      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
PID 2020 wrote to memory of 864      2020  8663ed0caec9adcb980a4a7ea23e7984.exe  39
PID 864 wrote to memory of 824       864   8663ed0caec9adcb980a4a7ea23e7984.exe  43
PID 864 wrote to memory of 824       864   8663ed0caec9adcb980a4a7ea23e7984.exe  43
PID 864 wrote to memory of 824       864   8663ed0caec9adcb980a4a7ea23e7984.exe  43
PID 864 wrote to memory of 824       864   8663ed0caec9adcb980a4a7ea23e7984.exe  43
PID 824 wrote to memory of 1148      824   cmd.exe                               45
PID 824 wrote to memory of 1148      824   cmd.exe                               45
PID 824 wrote to memory of 1148      824   cmd.exe                               45
PID 824 wrote to memory of 1148      824   cmd.exe                               45
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2020
  (level 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1904
  (level 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 764
  (level 2) C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp"
  - Creates scheduled task(s)
  PID: 992
  (level 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1176
  (level 2) C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
  PID: 1796
  (level 2) C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
  PID: 1756
  (level 2) C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID: 864
    (level 3) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 864 & erase C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe & RD /S /Q C:\\ProgramData\\234931577592226\\* & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 824
      (level 4) C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /pid 864
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1148
  (level 2) C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"
  PID: 680