Analysis Overview
SHA256: 60d1297adb502d942493a794945336aea891d2c321476ef3349ac07726fca7c3
Threat Level: Known bad
The file 7536b74c17754363799df14fe70d3a92.exe was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
Oski
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Deletes itself
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported: 2021-08-03 10:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-08-03 10:42
Reported: 2021-08-03 10:45
Platform: win7v20210410
Max time kernel: 49s
Max time network: 81s
Command Line
Signatures
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1260 set thread context of 268 | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe
"C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe"
C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe
"C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 268 & erase C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe & RD /S /Q C:\\ProgramData\\343623951618197\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 268
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 2.56.59.226:80 | 2.56.59.226 | tcp |
Files
| File | MD5 | SHA1 | SHA256 | SHA512 |
| --- | --- | --- | --- | --- |
| \ProgramData\sqlite3.dll | e477a96c8f2b18d6b5c27bde49c990bf | e980c9bf41330d1e5bd04556db4646a0210f7409 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
| \ProgramData\nss3.dll | bfac4e3c5908856ba17d41edcd455a51 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
| \ProgramData\mozglue.dll | 8f73c08a9660691143661bf7332c3c27 | 37fa65dd737c50fda710fdbde89e51374d0c204a | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
| \ProgramData\msvcp140.dll | 109f0f02fd37c84bfc7508d4227d7ed5 | ef7420141bb15ac334d3964082361a460bfdb975 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
| \ProgramData\vcruntime140.dll | 7587bf9cb4147022cd5681b015183046 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
Analysis: behavioral2
Detonation Overview
Submitted: 2021-08-03 10:42
Reported: 2021-08-03 10:44
Platform: win10v20210410
Max time kernel: 46s
Max time network: 127s
Command Line
Signatures
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3872 set thread context of 3300 | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe
"C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe"
C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe
"C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe"
C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe
"C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 3300 & erase C:\Users\Admin\AppData\Local\Temp\7536b74c17754363799df14fe70d3a92.exe & RD /S /Q C:\\ProgramData\\105205853394384\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 3300
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 2.56.59.226:80 | 2.56.59.226 | tcp |
Files
| File | MD5 | SHA1 | SHA256 | SHA512 |
| --- | --- | --- | --- | --- |
| \ProgramData\sqlite3.dll | e477a96c8f2b18d6b5c27bde49c990bf | e980c9bf41330d1e5bd04556db4646a0210f7409 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
| \ProgramData\nss3.dll | bfac4e3c5908856ba17d41edcd455a51 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
| \ProgramData\mozglue.dll | 8f73c08a9660691143661bf7332c3c27 | 37fa65dd737c50fda710fdbde89e51374d0c204a | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |