Analysis
- max time kernel: 18s
- max time network: 19s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 03/08/2021, 12:06
Static task: static1
Behavioral task: behavioral1
- Sample: da484abefb23789c13add9ecd7ea7eeb.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: da484abefb23789c13add9ecd7ea7eeb.exe
- Resource: win10v20210410
General
- Target: da484abefb23789c13add9ecd7ea7eeb.exe
- Size: 693KB
- MD5: da484abefb23789c13add9ecd7ea7eeb
- SHA1: cf0098c51761c3c9b860cdfd290734f0d1657bba
- SHA256: 223dfd54929007ac23d6a20dbcf81a519a14f1c4061d23afcb761b75796042d2
- SHA512: 380d3227555739a95ae2514fbe1f24882cbf91db508339837aee2fc6d1ac1c5a7feabcef9bf87ebc8b4efe6fa1f142f2ad9efd595899875fd1e416aa1965d368
Malware Config
- Extracted: oski, http://2.56.59.226/www/
Signatures
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  pid 1568; Process cmd.exe
- Loads dropped DLL (5 IoCs)
  pid 1936; Process da484abefb23789c13add9ecd7ea7eeb.exe (same entry repeated 5 times)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 772 set thread context of 1936; pid 772; Process da484abefb23789c13add9ecd7ea7eeb.exe; procid_target 30
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 1 IoC)
  Processor information is often read in order to detect sandboxing environments.
  description: Key value queried; ioc \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; Process da484abefb23789c13add9ecd7ea7eeb.exe
- Kills process with taskkill (1 IoC)
  pid 956; Process taskkill.exe
- Modifies Internet Explorer settings
  description: Key created; ioc \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main; Process da484abefb23789c13add9ecd7ea7eeb.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid 772; Process da484abefb23789c13add9ecd7ea7eeb.exe
  description: Token: SeDebugPrivilege; pid 956; Process taskkill.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 772; Process da484abefb23789c13add9ecd7ea7eeb.exe (same entry repeated 2 times)
- Suspicious use of WriteProcessMemory (19 IoCs)
  description: PID 772 wrote to memory of 1936; pid 772; Process da484abefb23789c13add9ecd7ea7eeb.exe; procid_target 30 (same entry repeated 11 times)
  description: PID 1936 wrote to memory of 1568; pid 1936; Process da484abefb23789c13add9ecd7ea7eeb.exe; procid_target 32 (same entry repeated 4 times)
  description: PID 1568 wrote to memory of 956; pid 1568; Process cmd.exe; procid_target 34 (same entry repeated 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe (PID 772)
  Command line: "C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe"
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe (PID 1936)
    Command line: "C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe"
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1568)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 1936 & erase C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe & RD /S /Q C:\\ProgramData\\533050351781612\\* & exit
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe (PID 956)
        Command line: taskkill /pid 1936
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken