Analysis Overview
SHA256
223dfd54929007ac23d6a20dbcf81a519a14f1c4061d23afcb761b75796042d2
Threat Level: Known bad
The file da484abefb23789c13add9ecd7ea7eeb.exe was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Oski
Downloads MZ/PE file
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-03 11:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-03 11:17
Reported
2021-08-03 11:20
Platform
win7v20210410
Max time kernel
15s
Max time network
39s
Command Line
Signatures
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 916 set thread context of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe
"C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe"
C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe
"C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 756 & erase C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe & RD /S /Q C:\\ProgramData\\420531560174735\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 756
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 2.56.59.226:80 | 2.56.59.226 | tcp |
Files
memory/916-60-0x0000000000970000-0x0000000000971000-memory.dmp
memory/916-62-0x00000000043D0000-0x00000000043D1000-memory.dmp
memory/916-64-0x00000000043D2000-0x00000000043D3000-memory.dmp
memory/916-65-0x00000000043D7000-0x00000000043E8000-memory.dmp
memory/916-63-0x00000000043D1000-0x00000000043D2000-memory.dmp
memory/916-66-0x0000000008910000-0x000000000898E000-memory.dmp
memory/756-68-0x000000000040717B-mapping.dmp
memory/756-67-0x0000000000400000-0x000000000047F000-memory.dmp
memory/756-69-0x0000000075011000-0x0000000075013000-memory.dmp
memory/756-70-0x0000000000400000-0x000000000047F000-memory.dmp
\ProgramData\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
\ProgramData\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\ProgramData\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
memory/1144-76-0x0000000000000000-mapping.dmp
memory/920-77-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-03 11:17
Reported
2021-08-03 11:19
Platform
win10v20210408
Max time kernel
20s
Max time network
77s
Command Line
Signatures
Oski
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 808 set thread context of 200 | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe
"C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe"
C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe
"C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 200 & erase C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe & RD /S /Q C:\\ProgramData\\854858652776891\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 200
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 2.56.59.226:80 | 2.56.59.226 | tcp |
Files
memory/808-114-0x00000000006E0000-0x00000000006E1000-memory.dmp
memory/808-116-0x00000000055A0000-0x00000000055A1000-memory.dmp
memory/808-117-0x0000000005140000-0x0000000005141000-memory.dmp
memory/808-118-0x00000000050A0000-0x000000000559E000-memory.dmp
memory/808-119-0x0000000005120000-0x0000000005121000-memory.dmp
memory/808-120-0x00000000050A0000-0x000000000559E000-memory.dmp
memory/808-121-0x00000000050A0000-0x000000000559E000-memory.dmp
memory/808-122-0x00000000050A0000-0x000000000559E000-memory.dmp
memory/808-123-0x0000000006B40000-0x0000000006B41000-memory.dmp
memory/808-124-0x0000000006BE0000-0x0000000006C5E000-memory.dmp
memory/200-125-0x0000000000400000-0x000000000047F000-memory.dmp
memory/200-126-0x000000000040717B-mapping.dmp
memory/200-127-0x0000000000400000-0x000000000047F000-memory.dmp
\ProgramData\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/1736-131-0x0000000000000000-mapping.dmp
memory/2112-132-0x0000000000000000-mapping.dmp