Analysis
- max time kernel: 46s
- max time network: 127s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 03/08/2021, 10:42

Static task: static1
Behavioral task: behavioral1
Sample: 7536b74c17754363799df14fe70d3a92.exe
Resource: win7v20210410
General
- Target: 7536b74c17754363799df14fe70d3a92.exe
- Size: 995KB
- MD5: 7536b74c17754363799df14fe70d3a92
- SHA1: 790969675e8cec28cf19c18625dd764884459b01
- SHA256: 60d1297adb502d942493a794945336aea891d2c321476ef3349ac07726fca7c3
- SHA512: 8f706b646a4a9c3549ffda3e14bfe5724c3287e0f4dfbe853888c7e529dedaccd00af2ed933fe1e7d21de26b88b96f2ffe08319570751215975f0a3524a4e8fd
Malware Config
Extracted
oski
http://2.56.59.226/www/
Signatures
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Downloads MZ/PE file
- Loads dropped DLL (3 IoCs)
  pid 3300: 7536b74c17754363799df14fe70d3a92.exe (3 events)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  PID 3872 (7536b74c17754363799df14fe70d3a92.exe) set thread context of PID 3300 (procid_target 80)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 1 IoC)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (by 7536b74c17754363799df14fe70d3a92.exe)
- Kills process with taskkill (1 IoC)
  pid 3864: taskkill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3872: 7536b74c17754363799df14fe70d3a92.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 3872: 7536b74c17754363799df14fe70d3a92.exe
  Token: SeDebugPrivilege, pid 3864: taskkill.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 3872 (7536b74c17754363799df14fe70d3a92.exe) wrote to memory of PID 3504 (procid_target 79), 3 events
  PID 3872 (7536b74c17754363799df14fe70d3a92.exe) wrote to memory of PID 3300 (procid_target 80), 9 events
  PID 3300 (7536b74c17754363799df14fe70d3a92.exe) wrote to memory of PID 3768 (procid_target 81), 3 events
  PID 3768 (cmd.exe) wrote to memory of PID 3864 (procid_target 83), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe (depth 1, PID 3872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe (depth 2, PID 3504)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe"
  - C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe (depth 2, PID 3300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe"
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 3768)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 3300 & erase C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe & RD /S /Q C:\\ProgramData\\105205853394384\\* & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe (depth 4, PID 3864)
        Command line: taskkill /pid 3300
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken