Analysis
- max time kernel: 49s
- max time network: 81s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 03/08/2021, 10:42
Static task: static1
Behavioral task: behavioral1
Sample: 7536b74c17754363799df14fe70d3a92.exe
Resource: win7v20210410
General
- Target: 7536b74c17754363799df14fe70d3a92.exe
- Size: 995KB
- MD5: 7536b74c17754363799df14fe70d3a92
- SHA1: 790969675e8cec28cf19c18625dd764884459b01
- SHA256: 60d1297adb502d942493a794945336aea891d2c321476ef3349ac07726fca7c3
- SHA512: 8f706b646a4a9c3549ffda3e14bfe5724c3287e0f4dfbe853888c7e529dedaccd00af2ed933fe1e7d21de26b88b96f2ffe08319570751215975f0a3524a4e8fd
Malware Config
Extracted
- Family: oski
- C2: http://2.56.59.226/www/
Signatures
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  pid 1528, process cmd.exe
- Loads dropped DLL (5 IoCs)
  pid 268, process 7536b74c17754363799df14fe70d3a92.exe (5 occurrences)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1260 set thread context of PID 268 (process 7536b74c17754363799df14fe70d3a92.exe, target procid 29)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 1 IoC)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process 7536b74c17754363799df14fe70d3a92.exe)
- Kills process with taskkill (1 IoC)
  pid 664, process taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 664, process taskkill.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 1260 wrote to memory of PID 268 (process 7536b74c17754363799df14fe70d3a92.exe, target procid 29): 10 occurrences
  PID 268 wrote to memory of PID 1528 (process 7536b74c17754363799df14fe70d3a92.exe, target procid 32): 4 occurrences
  PID 1528 wrote to memory of PID 664 (process cmd.exe, target procid 34): 4 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe"
   PID: 1260
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe"
      PID: 268
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 268 & erase C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe & RD /S /Q C:\\ProgramData\\343623951618197\\* & exit
         PID: 1528
         - Deletes itself
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /pid 268
            PID: 664
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken