General

  • Target

    Attachedoc.xlsm

  • Size

    12KB

  • Sample

    210811-mf9gsckv5j

  • MD5

    6ccb838e604105af2b82aa4ac9de8124

  • SHA1

    3fb66d6953ded7f871eac0cc6aaef152c26b15c4

  • SHA256

    d0f3ca8216dcf21d271fbc8f37104a8677d3d58f6f4178e60ded7b17a9ce180e

  • SHA512

    3100c139d74ee6c7f5aed47d3956d76d5945be17ad8d8b5275ff18e1005787348172603ed299aefe910617f5f74506a1114789c4b83e66863f3dc691a15ba195

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper

    http://iurl.vip/x03qc

Extracted

  • Family

    oski

  • C2

    accdemo.axwebsite.com
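The four digests, the dropper URL and the C2 hostname above are the only indicators the report gives. The following Python is an added example, not part of the sandbox report, that turns them into a small triage helper: it checks a file against all four digests in one pass and scans proxy or DNS log lines for the two hostnames. The hash values and hostnames are copied from the report; the file bytes and log lines it is exercised with are constructed, and the function names are my own.

```python
"""Added example (not part of the sandbox report): a triage helper built from the
indicators listed above. Hashes, dropper URL and C2 are copied from the report;
the file bytes and log lines used to exercise it are constructed."""
import hashlib
import re
from urllib.parse import urlparse

# Copied from the report's General / Malware Config sections.
SAMPLE_HASHES = {
    "md5": "6ccb838e604105af2b82aa4ac9de8124",
    "sha1": "3fb66d6953ded7f871eac0cc6aaef152c26b15c4",
    "sha256": "d0f3ca8216dcf21d271fbc8f37104a8677d3d58f6f4178e60ded7b17a9ce180e",
    "sha512": "3100c139d74ee6c7f5aed47d3956d76d5945be17ad8d8b5275ff18e1005787348172603ed299aefe910617f5f74506a1114789c4b83e66863f3dc691a15ba195",
}
DROPPER_URL = "http://iurl.vip/x03qc"
OSKI_C2 = "accdemo.axwebsite.com"


def hash_bytes(data):
    """The four digests the report lists, as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through all four hashers in one pass (attachments can be large)."""
    hashers = {alg: hashlib.new(alg) for alg in SAMPLE_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def matching_algorithms(digests):
    """Algorithms whose digest equals the report's value. Case-insensitive because
    hash feeds mix cases; one matching strong digest is enough to call it the same file."""
    return sorted(alg for alg, value in digests.items()
                  if value.lower() == SAMPLE_HASHES.get(alg))


NETWORK_IOCS = {
    urlparse(DROPPER_URL).hostname: "Oski dropper stage (exe.dropper URL)",
    OSKI_C2: "Oski C2",
}


def flag_hosts(log_lines):
    """Find the report's hostnames in proxy/DNS log lines. Matching is on the host
    label with boundaries on both sides, so 'notiurl.vip' does not fire, and the URL
    path is ignored because short-link paths rotate while the host usually stays."""
    hits = []
    for line in log_lines:
        for host, label in NETWORK_IOCS.items():
            pattern = r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])"
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((host, label, line))
    return hits


# Constructed log lines for the demo (timestamps, client IP and the benign host are made up).
LOG_LINES = [
    "2021-08-11T10:02:17Z proxy 10.0.0.14 GET http://iurl.vip/x03qc 302",
    "2021-08-11T10:02:31Z dns 10.0.0.14 A accdemo.axwebsite.com",
    "2021-08-11T10:03:00Z dns 10.0.0.14 A updates.example.com",
]

if __name__ == "__main__":
    # A blob that is not the sample matches nothing; an upper-case feed entry still matches.
    print(matching_algorithms(hash_bytes(b"definitely not the attachment")))
    print(matching_algorithms({"md5": SAMPLE_HASHES["md5"].upper()}))
    for host, label, line in flag_hosts(LOG_LINES):
        print(f"{label}: {line}")
```

Point `hash_file` at a quarantined attachment and pass the result to `matching_algorithms`; an empty list means the file is not this sample, which does not rule out a recompiled variant, so the behavioural signatures further down remain the stronger signal.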

Targets

    • Target

      Attachedoc.xlsm

    • Size

      12KB

    • MD5

      6ccb838e604105af2b82aa4ac9de8124

    • SHA1

      3fb66d6953ded7f871eac0cc6aaef152c26b15c4

    • SHA256

      d0f3ca8216dcf21d271fbc8f37104a8677d3d58f6f4178e60ded7b17a9ce180e

    • SHA512

      3100c139d74ee6c7f5aed47d3956d76d5945be17ad8d8b5275ff18e1005787348172603ed299aefe910617f5f74506a1114789c4b83e66863f3dc691a15ba195

    • Oski

      Oski is an infostealer that targets browser data and cryptocurrency wallets.

    • Process spawned unexpected child process

      This typically indicates that the parent process was compromised, for example through an exploit or a malicious macro; for an .xlsm attachment the macro is the likely launcher.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • An obfuscated cmd.exe command-line is typically used to evade detection.

    • Suspicious use of SetThreadContext
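The signatures above describe behaviour rather than indicators, so they are what a detection engineer turns into rules. The following Python is an added example, not code from the report or from the sandbox vendor, that runs a few of those checks over constructed Sysmon-style process-creation and network records: an Office parent spawning a script host, a cmd.exe command line with obfuscation features, an EXE running from a user-writable directory after that chain, a vbc.exe child (the "VBS compiler" signature is assumed here to mean vbc.exe), and a network request from a process in the tainted tree. Image paths, command lines, the scoring threshold and the function names are assumptions made for the demo; the two hostnames in the network records are the report's IOCs.

```python
"""Added example (not from the sandbox report): behavioural checks modelled on the
report's signatures, run over constructed Sysmon-style records. Paths, command lines
and thresholds are assumptions made for the demo."""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "vbc.exe"}
# Directories a standard user can write to; an EXE running from one of these after a
# document-spawned script host is the "Executes dropped EXE" pattern.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\",
                           re.IGNORECASE)


def basename(path):
    """Last path component, lowercased, for comparing image names."""
    return path.rsplit("\\", 1)[-1].lower()


def obfuscation_score(cmdline):
    """Count obfuscation features typical of cmd.exe launchers: caret escapes,
    %var:~n,m% substring extraction, set/call indirection and a base64 -EncodedCommand.
    The threshold used in analyse() (2) is an assumption; tune it against your baseline."""
    score = 0
    if cmdline.count("^") >= 3:
        score += 1
    if re.search(r"%[A-Za-z_]+:~-?\d+,-?\d+%", cmdline):
        score += 1
    if re.search(r"\bset\b.*&&?\s*call\b", cmdline, re.IGNORECASE):
        score += 1
    if re.search(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", cmdline, re.IGNORECASE):
        score += 1
    return score


def analyse(proc_events, net_events=()):
    """proc_events: process-creation records (pid, ppid, image, cmdline) in creation
    order; net_events: (pid, host) records. A process is 'tainted' when it is a script
    host spawned by an Office parent, or any descendant of one. Returns (signature, pid)."""
    by_pid = {e["pid"]: e for e in proc_events}
    tainted = set()
    findings = []
    for e in proc_events:
        parent = by_pid.get(e["ppid"])
        name = basename(e["image"])
        if parent and basename(parent["image"]) in OFFICE_PARENTS and name in SCRIPT_HOSTS:
            findings.append(("Process spawned unexpected child process", e["pid"]))
            tainted.add(e["pid"])
        elif e["ppid"] in tainted:
            tainted.add(e["pid"])
        if e["pid"] not in tainted:
            continue
        if name == "cmd.exe" and obfuscation_score(e["cmdline"]) >= 2:
            findings.append(("Obfuscated cmd.exe command-line", e["pid"]))
        if name == "vbc.exe":
            findings.append(("Uses the VBS compiler for execution", e["pid"]))
        if name.endswith(".exe") and USER_WRITABLE.search(e["image"]):
            findings.append(("Executes dropped EXE", e["pid"]))
    for n in net_events:
        if n["pid"] in tainted:
            findings.append(("Blocklisted process makes network request", n["pid"]))
    return findings


# Constructed records: an Excel-launched chain plus a benign explorer-launched cmd.
PROC_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": '"EXCEL.EXE" /dde'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c set a=p^ow^er^shell&&call %a:~0,10% -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop -ep bypass"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": "vbc.exe"},
    {"pid": 600, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]
# Hostnames are the report's IOCs; which pid contacted them is constructed.
NET_EVENTS = [
    {"pid": 300, "host": "iurl.vip"},
    {"pid": 400, "host": "accdemo.axwebsite.com"},
]

if __name__ == "__main__":
    for sig, pid in analyse(PROC_EVENTS, NET_EVENTS):
        print(f"{pid}: {sig}")
```

The benign `explorer.exe -> cmd.exe` pair produces nothing, which is the point of keying every later check on the tainted tree: an EXE in AppData or a vbc.exe launch is common on its own, and only becomes a finding when it descends from an Office process that spawned a script host.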

MITRE ATT&CK Enterprise v6

Tasks