Analysis
- Max time kernel: 105s
- Max time network: 113s
- Platform: windows10_x64
- Resource: win10v20210408
- Submitted: 07/08/2021, 22:17
- Static task: static1
- Behavioral task: behavioral1 (resource win10v20210408)
- Sample: bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
General
- Target: bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
- Size: 1.3MB
- MD5: 8663ed0caec9adcb980a4a7ea23e7984
- SHA1: e6dcb19362e88b50ab1990e7032437072f104e98
- SHA256: bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
- SHA512: fd75e6bde035e103e84322411ca7b4107f1673d03170b940af3066f9f4eb58b063ec244302c8dccab87f5816e2b55a177dc1c1d7f498742fd8e0f24fb64317a9
Malware Config
Extracted
- Family: oski
- C2: fine.le-pearl.com
Signatures
- Oski
  Oski is an infostealer that targets browser data and cryptocurrency wallets.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3628 set thread context of 688 | 3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 89
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 1 IoC)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3288 | schtasks.exe
- Kills process with taskkill (1 IoC)
  pid | Process
  3416 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs; repeated entries collapsed, count in the last column)
  pid | Process | occurrences
  1484 | powershell.exe | 3
  3172 | powershell.exe | 3
  3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 7
  1596 | powershell.exe | 3
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1484 | powershell.exe
  Token: SeDebugPrivilege | 3172 | powershell.exe
  Token: SeDebugPrivilege | 3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
  Token: SeDebugPrivilege | 1596 | powershell.exe
  Token: SeDebugPrivilege | 3416 | taskkill.exe
- Suspicious use of WriteProcessMemory (36 IoCs; repeated entries collapsed, count in the last column)
  description | pid | Process | procid_target | occurrences
  PID 3628 wrote to memory of 1484 | 3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 78 | 3
  PID 3628 wrote to memory of 3172 | 3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 80 | 3
  PID 3628 wrote to memory of 3288 | 3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 82 | 3
  PID 3628 wrote to memory of 1596 | 3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 84 | 3
  PID 3628 wrote to memory of 1904 | 3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 87 | 3
  PID 3628 wrote to memory of 3792 | 3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 86 | 3
  PID 3628 wrote to memory of 3876 | 3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 88 | 3
  PID 3628 wrote to memory of 688 | 3628 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 89 | 9
  PID 688 wrote to memory of 2792 | 688 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | 90 | 3
  PID 2792 wrote to memory of 3416 | 2792 | cmd.exe | 93 | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe (PID 3628)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1484)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3172)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 3288)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEDF0.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1596)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe (PID 3792)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
  - C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe (PID 1904)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
  - C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe (PID 3876)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
  - C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe (PID 688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2792)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 688 & erase C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410ab' & RD /S /Q C:\\ProgramData\\021390826612043\\* & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe (PID 3416)
        Command line: taskkill /pid 688
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken