Analysis
- max time kernel: 34s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 03/08/2021, 22:30
Static task: static1
Behavioral task: behavioral1
- Sample: test (1).exe
- Resource: win7v20210410
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: test (1).exe
- Resource: win10v20210408
- 0 signatures
- 0 seconds
General
- Target: test (1).exe
- Size: 4KB
- MD5: 7aca9cb8c2156bd761493dc584c7d9fa
- SHA1: 04bc0b6916388f0cd9ef33b4c52dcebd79b2a473
- SHA256: 731510ac6a3fd904623344634cb32e9b58bf10b870a4755e255586880f3a0474
- SHA512: 42f56a3ce562a77d81331b8c54d21ac936ddb20a6ad62b6dd670a2d8c835e40c9a4fcddde5718b1aba9378aa9f17fb1ffe82ccac011f4ad28f038331fbae94a2
- Score: 10/10
Malware Config
Extracted
- Family: oski
- C2: notedemo.axfree.com
Signatures
- Oski
  Oski is an infostealer that targets browser data and cryptocurrency wallets.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Downloads MZ/PE file
- Loads dropped DLL (3 IoCs)
  pid 2604, process vbc.exe (3 entries)
- Uses the VBS compiler for execution (1 TTP)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoC)
  PID 632 (test (1).exe) set thread context of PID 2604 (procid_target 78)
- Checks processor information in registry (2 TTPs, 1 IoC)
  Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process vbc.exe)
- Kills process with taskkill (1 IoC)
  pid 3880, process taskkill.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 632, process test (1).exe
  Token: SeDebugPrivilege, pid 3880, process taskkill.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 632 (test (1).exe) wrote to memory of PID 2604 (procid_target 78): 9 entries
  PID 2604 (vbc.exe) wrote to memory of PID 4028 (procid_target 79): 3 entries
  PID 4028 (cmd.exe) wrote to memory of PID 3880 (procid_target 81): 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\test (1).exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\test (1).exe"
   PID: 632
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      PID: 2604
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 2604 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe & RD /S /Q C:\\ProgramData\\035833058780218\\* & exit
         PID: 4028
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /pid 2604
            PID: 3880
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken