Analysis
Max time kernel: 35s
Max time network: 75s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 03/08/2021, 22:30
Static task: static1
Behavioral task: behavioral1
  Sample: test (1).exe
  Resource: win7v20210410
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: test (1).exe
  Resource: win10v20210408
  0 signatures, 0 seconds
General
Target: test (1).exe
Size: 4KB
MD5: 7aca9cb8c2156bd761493dc584c7d9fa
SHA1: 04bc0b6916388f0cd9ef33b4c52dcebd79b2a473
SHA256: 731510ac6a3fd904623344634cb32e9b58bf10b870a4755e255586880f3a0474
SHA512: 42f56a3ce562a77d81331b8c54d21ac936ddb20a6ad62b6dd670a2d8c835e40c9a4fcddde5718b1aba9378aa9f17fb1ffe82ccac011f4ad28f038331fbae94a2
Score: 10/10
Malware Config
Extracted
Family: oski
C2: notedemo.axfree.com
Signatures
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Downloads MZ/PE file
- Loads dropped DLL (5 IoCs)
  pid 288, process vbc.exe (5 occurrences)
- Uses the VBS compiler for execution (1 TTPs)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 1084 set thread context of 288; pid 1084, process test (1).exe, procid_target 29
- Checks processor information in registry (2 TTPs, 1 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description: Key value queried; ioc \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process vbc.exe
- Kills process with taskkill (1 IoCs)
  pid 1068, process taskkill.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid 1084, process test (1).exe
  description: Token: SeDebugPrivilege; pid 1068, process taskkill.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description: PID 1084 wrote to memory of 288; pid 1084, process test (1).exe, procid_target 29 (10 occurrences)
  description: PID 288 wrote to memory of 284; pid 288, process vbc.exe, procid_target 32 (4 occurrences)
  description: PID 284 wrote to memory of 1068; pid 284, process cmd.exe, procid_target 34 (4 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\test (1).exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\test (1).exe"
  PID: 1084
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (depth 2)
    Command line: "\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    PID: 288
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 288 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe & RD /S /Q C:\\ProgramData\\622501050453076\\* & exit
      PID: 284
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe (depth 4)
        Command line: taskkill /pid 288
        PID: 1068
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken