Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
06-01-2022 06:57
Static task
static1
Behavioral task
behavioral1
Sample
gunzipped.exe
Resource
win7-en-20211208
General
-
Target
gunzipped.exe
-
Size
411KB
-
MD5
c2301b62539adcba29dcf6a3200bd017
-
SHA1
fd80f7e8e32661d5ec12e7a901f22a9ed82e17a7
-
SHA256
c30ce79d7b5b0708dc03f1532fa89afd4efd732531cb557dc31fe63acd5bc1ce
-
SHA512
80fef672e7f48640c585f12408025ea06c67344551bb4638e10120ceb30da7e888b18a52aabd209186315c1476da905afe15d5cb68a7d7e266954de16e813037
Malware Config
Extracted
oski
http://2.56.57.108/osk/
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Downloads MZ/PE file
-
Loads dropped DLL 4 IoCs
Processes:
gunzipped.exegunzipped.exepid process 3796 gunzipped.exe 380 gunzipped.exe 380 gunzipped.exe 380 gunzipped.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
gunzipped.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString gunzipped.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 3648 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskkill.exedescription pid process Token: SeDebugPrivilege 3648 taskkill.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
gunzipped.exegunzipped.execmd.exedescription pid process target process PID 3796 wrote to memory of 380 3796 gunzipped.exe gunzipped.exe PID 3796 wrote to memory of 380 3796 gunzipped.exe gunzipped.exe PID 3796 wrote to memory of 380 3796 gunzipped.exe gunzipped.exe PID 3796 wrote to memory of 380 3796 gunzipped.exe gunzipped.exe PID 3796 wrote to memory of 380 3796 gunzipped.exe gunzipped.exe PID 3796 wrote to memory of 380 3796 gunzipped.exe gunzipped.exe PID 3796 wrote to memory of 380 3796 gunzipped.exe gunzipped.exe PID 3796 wrote to memory of 380 3796 gunzipped.exe gunzipped.exe PID 3796 wrote to memory of 380 3796 gunzipped.exe gunzipped.exe PID 380 wrote to memory of 1484 380 gunzipped.exe cmd.exe PID 380 wrote to memory of 1484 380 gunzipped.exe cmd.exe PID 380 wrote to memory of 1484 380 gunzipped.exe cmd.exe PID 1484 wrote to memory of 3648 1484 cmd.exe taskkill.exe PID 1484 wrote to memory of 3648 1484 cmd.exe taskkill.exe PID 1484 wrote to memory of 3648 1484 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 380 & erase C:\Users\Admin\AppData\Local\Temp\gunzipped.exe & RD /S /Q C:\\ProgramData\\531228198980345\\* & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 3804⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\ProgramData\sqlite3.dllMD5
e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
-
\Users\Admin\AppData\Local\Temp\nsuFEB.tmp\qhvek.dllMD5
e1821b88ae16db674b9a0d7e3c1eabeb
SHA1966b2fd636a330b3812c8aae9ce7a12d98e105b7
SHA256b570a242266192cdb433f2af8e5fc2b54368dcf6f2f385dfd836032403ef4520
SHA512c514ca0d44c63c03b6ac34e66005cbf80e5f09cd511c7fbe11ff176720ad45bfe9d2809132f6ecd0251bb22e06e6d9e19361960913707dc958eae5f115ed22f6
-
memory/380-116-0x0000000000000000-mapping.dmp
-
memory/380-117-0x00000000007B0000-0x00000000007E8000-memory.dmpFilesize
224KB
-
memory/380-120-0x00000000007B0000-0x00000000007E8000-memory.dmpFilesize
224KB
-
memory/1484-124-0x0000000000000000-mapping.dmp
-
memory/3648-125-0x0000000000000000-mapping.dmp