Analysis
-
max time kernel
85s -
max time network
114s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
02/08/2021, 06:03
Static task
static1
Behavioral task
behavioral1
Sample
8663ed0caec9adcb980a4a7ea23e7984.exe
Resource
win7v20210410
General
-
Target
8663ed0caec9adcb980a4a7ea23e7984.exe
-
Size
1.3MB
-
MD5
8663ed0caec9adcb980a4a7ea23e7984
-
SHA1
e6dcb19362e88b50ab1990e7032437072f104e98
-
SHA256
bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
-
SHA512
fd75e6bde035e103e84322411ca7b4107f1673d03170b940af3066f9f4eb58b063ec244302c8dccab87f5816e2b55a177dc1c1d7f498742fd8e0f24fb64317a9
Malware Config
Extracted
oski
fine.le-pearl.com
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2112 set thread context of 2416 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 87 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 8663ed0caec9adcb980a4a7ea23e7984.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2276 schtasks.exe -
Kills process with taskkill 1 IoCs
pid Process 3424 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 2072 powershell.exe 1768 powershell.exe 3968 powershell.exe 2072 powershell.exe 1768 powershell.exe 3968 powershell.exe 2072 powershell.exe 1768 powershell.exe 3968 powershell.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2112 8663ed0caec9adcb980a4a7ea23e7984.exe Token: SeDebugPrivilege 2072 powershell.exe Token: SeDebugPrivilege 1768 powershell.exe Token: SeDebugPrivilege 3968 powershell.exe Token: SeDebugPrivilege 3424 taskkill.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2112 wrote to memory of 1768 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 79 PID 2112 wrote to memory of 1768 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 79 PID 2112 wrote to memory of 1768 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 79 PID 2112 wrote to memory of 2072 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 81 PID 2112 wrote to memory of 2072 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 81 PID 2112 wrote to memory of 2072 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 81 PID 2112 wrote to memory of 2276 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 83 PID 2112 wrote to memory of 2276 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 83 PID 2112 wrote to memory of 2276 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 83 PID 2112 wrote to memory of 3968 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 85 PID 2112 wrote to memory of 3968 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 85 PID 2112 wrote to memory of 3968 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 85 PID 2112 wrote to memory of 2416 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 87 PID 2112 wrote to memory of 2416 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 87 PID 2112 wrote to memory of 2416 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 87 PID 2112 wrote to memory of 2416 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 87 PID 2112 wrote to memory of 2416 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 87 PID 2112 wrote to memory of 2416 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 87 PID 2112 wrote to memory of 2416 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 87 PID 2112 wrote to memory of 2416 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 87 PID 2112 wrote to memory of 2416 2112 8663ed0caec9adcb980a4a7ea23e7984.exe 87 PID 2416 wrote to memory of 4076 2416 8663ed0caec9adcb980a4a7ea23e7984.exe 88 PID 2416 wrote to memory of 4076 2416 8663ed0caec9adcb980a4a7ea23e7984.exe 88 PID 2416 wrote to memory of 4076 2416 8663ed0caec9adcb980a4a7ea23e7984.exe 88 PID 4076 wrote to memory of 3424 4076 cmd.exe 90 PID 4076 wrote to memory of 3424 4076 cmd.exe 90 PID 4076 wrote to memory of 3424 4076 cmd.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD121.tmp"2⤵
- Creates scheduled task(s)
PID:2276
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968
-
-
C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe"2⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 2416 & erase C:\Users\Admin\AppData\Local\Temp\8663ed0caec9adcb980a4a7ea23e7984.exe & RD /S /Q C:\\ProgramData\\150367815699766\\* & exit3⤵
- Suspicious use of WriteProcessMemory
PID:4076 -
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 24164⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
-
-