Analysis
max time kernel
20s
max time network
77s
platform
windows10_x64
resource
win10v20210408
submitted
03/08/2021, 11:17
Static task
static1
Behavioral task
behavioral1
Sample
da484abefb23789c13add9ecd7ea7eeb.exe
Resource
win7v20210410
General
Target
da484abefb23789c13add9ecd7ea7eeb.exe
Size
693KB
MD5
da484abefb23789c13add9ecd7ea7eeb
SHA1
cf0098c51761c3c9b860cdfd290734f0d1657bba
SHA256
223dfd54929007ac23d6a20dbcf81a519a14f1c4061d23afcb761b75796042d2
SHA512
380d3227555739a95ae2514fbe1f24882cbf91db508339837aee2fc6d1ac1c5a7feabcef9bf87ebc8b4efe6fa1f142f2ad9efd595899875fd1e416aa1965d368
Malware Config
Extracted
oski
http://2.56.59.226/www/
Signatures
Oski
Oski is an infostealer targeting browser data and crypto wallets.
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Downloads MZ/PE file
Loads dropped DLL 3 IoCs
pid | Process
200 | da484abefb23789c13add9ecd7ea7eeb.exe
200 | da484abefb23789c13add9ecd7ea7eeb.exe
200 | da484abefb23789c13add9ecd7ea7eeb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 808 set thread context of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | da484abefb23789c13add9ecd7ea7eeb.exe
Kills process with taskkill 1 IoCs
pid | Process
2112 | taskkill.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 808 | da484abefb23789c13add9ecd7ea7eeb.exe
Token: SeDebugPrivilege | 2112 | taskkill.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
808 | da484abefb23789c13add9ecd7ea7eeb.exe
808 | da484abefb23789c13add9ecd7ea7eeb.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 808 wrote to memory of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
PID 808 wrote to memory of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
PID 808 wrote to memory of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
PID 808 wrote to memory of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
PID 808 wrote to memory of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
PID 808 wrote to memory of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
PID 808 wrote to memory of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
PID 808 wrote to memory of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
PID 808 wrote to memory of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
PID 808 wrote to memory of 200 | 808 | da484abefb23789c13add9ecd7ea7eeb.exe | 76
PID 200 wrote to memory of 1736 | 200 | da484abefb23789c13add9ecd7ea7eeb.exe | 78
PID 200 wrote to memory of 1736 | 200 | da484abefb23789c13add9ecd7ea7eeb.exe | 78
PID 200 wrote to memory of 1736 | 200 | da484abefb23789c13add9ecd7ea7eeb.exe | 78
PID 1736 wrote to memory of 2112 | 1736 | cmd.exe | 80
PID 1736 wrote to memory of 2112 | 1736 | cmd.exe | 80
PID 1736 wrote to memory of 2112 | 1736 | cmd.exe | 80
Processes
C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe
"C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:808
  C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe
  "C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe"
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:200
    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /pid 200 & erase C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe & RD /S /Q C:\\ProgramData\\854858652776891\\* & exit
    - Suspicious use of WriteProcessMemory
    PID:1736
      C:\Windows\SysWOW64\taskkill.exe
      taskkill /pid 200
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID:2112