Analysis Overview
SHA256
bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
Threat Level: Known bad
The file bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750 was found to be: Known bad.
Malicious Activity Summary
Oski
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Creates scheduled task(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-07 22:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-07 22:17
Reported
2021-08-07 22:23
Platform
win10v20210408
Max time kernel
105s
Max time network
113s
Command Line
Signatures
Oski
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3628 set thread context of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEDF0.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"
C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe
"C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 688 & erase C:\Users\Admin\AppData\Local\Temp\bbe006688e5f74473a5e248bc83651cbb7e9efbe8410ab' & RD /S /Q C:\\ProgramData\\021390826612043\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 688
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | fine.le-pearl.com | udp |
| N/A | 108.167.158.96:80 | fine.le-pearl.com | tcp |
| N/A | 82.146.56.118:80 | N/A | tcp |
Files
memory/3628-114-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/3628-116-0x00000000050F0000-0x00000000050F1000-memory.dmp
memory/3628-117-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
memory/3628-118-0x0000000004BF0000-0x00000000050EE000-memory.dmp
memory/3628-119-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
memory/3628-120-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
memory/3628-121-0x0000000002550000-0x000000000255D000-memory.dmp
memory/3628-122-0x00000000098E0000-0x000000000997A000-memory.dmp
memory/3628-123-0x0000000007800000-0x0000000007833000-memory.dmp
memory/1484-124-0x0000000000000000-mapping.dmp
memory/3172-125-0x0000000000000000-mapping.dmp
memory/3288-127-0x0000000000000000-mapping.dmp
memory/1484-129-0x0000000006740000-0x0000000006741000-memory.dmp
memory/1484-130-0x0000000006E90000-0x0000000006E91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpEDF0.tmp
| MD5 | 8229b450d30b9d1b14c3febe972026ee |
| SHA1 | 5fb031ef7f2918ab3bb7d51f3d7dbfab50d22964 |
| SHA256 | 919eb7c6840a70e585157ad93d71b380a7a1c4061ec866369fcb4c3f0b957b24 |
| SHA512 | 23e9f915169808457005f7f6610c893245f223370edc4339893c5e3863bff015cec71617d905746ca15cfc7a23478e21f3bbf0448e8713f053126d7ff8b58153 |
memory/1484-136-0x0000000006E10000-0x0000000006E11000-memory.dmp
memory/1484-137-0x0000000007530000-0x0000000007531000-memory.dmp
memory/1484-139-0x00000000076B0000-0x00000000076B1000-memory.dmp
memory/1596-138-0x0000000000000000-mapping.dmp
memory/688-142-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1484-140-0x0000000007800000-0x0000000007801000-memory.dmp
memory/1484-143-0x0000000006850000-0x0000000006851000-memory.dmp
memory/1484-145-0x0000000006852000-0x0000000006853000-memory.dmp
memory/688-144-0x000000000040717B-mapping.dmp
memory/3172-148-0x0000000004630000-0x0000000004631000-memory.dmp
memory/688-150-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3172-151-0x0000000004632000-0x0000000004633000-memory.dmp
memory/3172-160-0x00000000078C0000-0x00000000078C1000-memory.dmp
memory/3172-162-0x0000000008190000-0x0000000008191000-memory.dmp
memory/1596-164-0x0000000006F70000-0x0000000006F71000-memory.dmp
memory/1596-165-0x0000000006F72000-0x0000000006F73000-memory.dmp
memory/1484-166-0x0000000007FB0000-0x0000000007FB1000-memory.dmp
memory/1484-187-0x0000000008E90000-0x0000000008EC3000-memory.dmp
memory/1484-203-0x000000007F610000-0x000000007F611000-memory.dmp
memory/1484-201-0x0000000008150000-0x0000000008151000-memory.dmp
memory/2792-205-0x0000000000000000-mapping.dmp
memory/3172-208-0x000000007FC50000-0x000000007FC51000-memory.dmp
memory/1484-216-0x0000000008FC0000-0x0000000008FC1000-memory.dmp
memory/3416-236-0x0000000000000000-mapping.dmp
memory/1596-238-0x000000007ED60000-0x000000007ED61000-memory.dmp
memory/1484-241-0x0000000006853000-0x0000000006854000-memory.dmp
memory/3172-244-0x0000000004633000-0x0000000004634000-memory.dmp
memory/1596-245-0x0000000006F73000-0x0000000006F74000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 7247129cd0644457905b7d6bf17fd078 |
| SHA1 | dbf9139b5a1b72141f170d2eae911bbbe7e128c8 |
| SHA256 | dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4 |
| SHA512 | 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 6faff0ebd7c3554b8b1b66bdc7a8ed7f |
| SHA1 | cc38cfcd0b4265eb2200f105c9ae46b3809beb72 |
| SHA256 | b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a |
| SHA512 | ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7b84e070c8c59625bf3c34d2f4894951 |
| SHA1 | 72eca728ecd734b99f00222d47bcb6b9ab4fc84d |
| SHA256 | 0275f1f25b124bbc7dc39269eec82cb614c86e351ec48a0d2e6e65a0fee87501 |
| SHA512 | aeffa19d12df44b9bc33fd509c0ca583b2631c27130fab4fa06edbc2eabe3f6aa9b85557ca1d5b5daed333308119fa130617e1359bb78ee553949f1e1db212c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bef8b4e42653f0f62826fcbf9ffbca09 |
| SHA1 | bbf3e48d1a0e45da6c0d17c372f2312631d2b4dd |
| SHA256 | de554f4ddf2f07317e163feead5e45106b8988fae6ff00ef4ea0a6c424921052 |
| SHA512 | 8f5bfa246fa41b3e1153d32d491b8446e7c5d0ecdc5a437ceb0ae457a44317d02254efd4740491dfd12e1fe825fbf9f90f97b5d65aa2ab79208f0ee09a8099dc |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 0b5d94d20be9eecbaed3dddd04143f07 |
| SHA1 | c677d0355f4cc7301075a554adc889bce502e15a |
| SHA256 | 3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c |
| SHA512 | 395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916 |