oski | 18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-en-20211208
submitted
14-01-2022 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Size

867KB
MD5

39bfd2ce7cffeafc8f4d85d89fd6f072
SHA1

9d0df13ef8de579a2bbfba88e938a836ffab1069
SHA256

18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472
SHA512

d2e4b81133cb427a52ba10cbde23ea16ed33dc0c57affc55afa0ca5bbf68e03841e258ca153c5f217fe0f4f483f3705882eb556718f9c98f508db7144b7b51bb

Score

10^/10

oski stormkitty infostealer persistence spyware stealer vmprotect

Malware Config

Extracted

Family

oski

pplonline.org/Cgi/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1716-73-0x0000000004920000-0x00000000049CA000-memory.dmp	family_stormkitty
behavioral1/memory/1716-74-0x0000000002280000-0x0000000002328000-memory.dmp	family_stormkitty
\Users\Admin\AppData\Local\Temp\chormuim.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\chormuim.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\chormuim.exe	family_stormkitty
behavioral1/memory/1532-84-0x0000000000F90000-0x0000000000FEE000-memory.dmp	family_stormkitty
behavioral1/memory/1532-82-0x0000000000F90000-0x0000000000FEE000-memory.dmp	family_stormkitty
behavioral1/memory/1532-85-0x0000000000680000-0x0000000000704000-memory.dmp	family_stormkitty

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

svchoste.exedll.exechormuimii.exetaskshell.exechormuim.exe

pid process

520 svchoste.exe
588 dll.exe
1716 chormuimii.exe
1944 taskshell.exe
1532 chormuim.exe

pid	process
520	svchoste.exe
588	dll.exe
1716	chormuimii.exe
1944	taskshell.exe
1532	chormuim.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll	vmprotect

Loads dropped DLL 4 IoCs

Processes:

chormuimii.exeWerFault.exe

pid process

1716 chormuimii.exe
800 WerFault.exe
800 WerFault.exe
800 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1716	chormuimii.exe
800	WerFault.exe
800	WerFault.exe
800	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dll.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMI Update Service = "C:\\ProgramData\\AMD Driver\\taskshell.exe"	dll.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

800 520 WerFault.exe svchoste.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1732 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1584 taskkill.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

dll.exeWerFault.exechormuim.exe

pid process

588 dll.exe
800 WerFault.exe
800 WerFault.exe
800 WerFault.exe
800 WerFault.exe
800 WerFault.exe
1532 chormuim.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

800 WerFault.exe

flow	ioc
6	ip-api.com

pid	pid_target	process	target process
800	520	WerFault.exe	svchoste.exe

pid	process
1732	timeout.exe

pid	process
1584	taskkill.exe

pid	process
588	dll.exe
800	WerFault.exe
800	WerFault.exe
800	WerFault.exe
800	WerFault.exe
800	WerFault.exe
1532	chormuim.exe

pid	process
800	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dll.exechormuim.exeWerFault.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	588	dll.exe
Token: SeDebugPrivilege	1532	chormuim.exe
Token: SeDebugPrivilege	800	WerFault.exe
Token: SeDebugPrivilege	1584	taskkill.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exedll.exechormuimii.exesvchoste.exechormuim.execmd.exe

description	pid	process	target process
PID 1652 wrote to memory of 520	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	svchoste.exe
PID 1652 wrote to memory of 520	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	svchoste.exe
PID 1652 wrote to memory of 520	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	svchoste.exe
PID 1652 wrote to memory of 520	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	svchoste.exe
PID 1652 wrote to memory of 588	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	dll.exe
PID 1652 wrote to memory of 588	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	dll.exe
PID 1652 wrote to memory of 588	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	dll.exe
PID 1652 wrote to memory of 1716	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	chormuimii.exe
PID 1652 wrote to memory of 1716	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	chormuimii.exe
PID 1652 wrote to memory of 1716	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	chormuimii.exe
PID 1652 wrote to memory of 1716	1652	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	chormuimii.exe
PID 588 wrote to memory of 1944	588	dll.exe	taskshell.exe
PID 588 wrote to memory of 1944	588	dll.exe	taskshell.exe
PID 588 wrote to memory of 1944	588	dll.exe	taskshell.exe
PID 588 wrote to memory of 1944	588	dll.exe	taskshell.exe
PID 1716 wrote to memory of 1532	1716	chormuimii.exe	chormuim.exe
PID 1716 wrote to memory of 1532	1716	chormuimii.exe	chormuim.exe
PID 1716 wrote to memory of 1532	1716	chormuimii.exe	chormuim.exe
PID 1716 wrote to memory of 1532	1716	chormuimii.exe	chormuim.exe
PID 520 wrote to memory of 800	520	svchoste.exe	WerFault.exe
PID 520 wrote to memory of 800	520	svchoste.exe	WerFault.exe
PID 520 wrote to memory of 800	520	svchoste.exe	WerFault.exe
PID 520 wrote to memory of 800	520	svchoste.exe	WerFault.exe
PID 1532 wrote to memory of 1408	1532	chormuim.exe	cmd.exe
PID 1532 wrote to memory of 1408	1532	chormuim.exe	cmd.exe
PID 1532 wrote to memory of 1408	1532	chormuim.exe	cmd.exe
PID 1408 wrote to memory of 1932	1408	cmd.exe	chcp.com
PID 1408 wrote to memory of 1932	1408	cmd.exe	chcp.com
PID 1408 wrote to memory of 1932	1408	cmd.exe	chcp.com
PID 1408 wrote to memory of 1584	1408	cmd.exe	taskkill.exe
PID 1408 wrote to memory of 1584	1408	cmd.exe	taskkill.exe
PID 1408 wrote to memory of 1584	1408	cmd.exe	taskkill.exe
PID 1408 wrote to memory of 1732	1408	cmd.exe	timeout.exe
PID 1408 wrote to memory of 1732	1408	cmd.exe	timeout.exe
PID 1408 wrote to memory of 1732	1408	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
"C:\Users\Admin\AppData\Local\Temp\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\svchoste.exe
"C:\Users\Admin\AppData\Local\Temp\svchoste.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 780
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Users\Admin\AppData\Local\Temp\dll.exe
"C:\Users\Admin\AppData\Local\Temp\dll.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\ProgramData\AMD Driver\taskshell.exe
"C:\ProgramData\AMD Driver\taskshell.exe"
3⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\AppData\Local\Temp\chormuimii.exe
"C:\Users\Admin\AppData\Local\Temp\chormuimii.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\chormuim.exe
"C:\Users\Admin\AppData\Local\Temp\chormuim.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2219.tmp.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:1932

C:\Windows\system32\taskkill.exe
TaskKill /F /IM 1532
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
5⤵
- Delays execution with timeout.exe
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMD Driver\taskshell.exe
MD5
b335eeb40d0443dadcdefc578a23b5da

SHA1
67af99514e1230182e4dc463f1c6ba42047ad213

SHA256
5d67a694351d9bdb571ef7b9217e7e05ef88b0f650bbd539217d3a686c077586

SHA512
0e9e12f32f5011c4b8b09a59b9e58c2811142ff9541428b6ebde07b6e2f4adf41a0d65957d824712df27769e5ae9281d300f76439576100b362acd00fa09e114

Download Submit
C:\ProgramData\AMD Driver\taskshell.exe
MD5
b335eeb40d0443dadcdefc578a23b5da

SHA1
67af99514e1230182e4dc463f1c6ba42047ad213

SHA256
5d67a694351d9bdb571ef7b9217e7e05ef88b0f650bbd539217d3a686c077586

SHA512
0e9e12f32f5011c4b8b09a59b9e58c2811142ff9541428b6ebde07b6e2f4adf41a0d65957d824712df27769e5ae9281d300f76439576100b362acd00fa09e114

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
MD5
7a2d5deab61f043394a510f4e2c0866f

SHA1
ca16110c9cf6522cd7bea32895fd0f697442849b

SHA256
75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

SHA512
b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chormuim.exe
MD5
69450ec78e3aa15178a8a90079551137

SHA1
c77904954955906c1792b956cb58be00a9ccb140

SHA256
6247f4af4cef102c5fd74f4544ff0d9805a9f3e3c1ece327c5cc4d674f06c7b1

SHA512
df108ea9a113476a4c891c6f52fb5f2e0c9c128660cc476f106333ddc81fb9cdc766971289d0ea7ceaad0dddecc531cc1fab7c3f6b35ad0bda546a4d450496f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chormuim.exe
MD5
69450ec78e3aa15178a8a90079551137

SHA1
c77904954955906c1792b956cb58be00a9ccb140

SHA256
6247f4af4cef102c5fd74f4544ff0d9805a9f3e3c1ece327c5cc4d674f06c7b1

SHA512
df108ea9a113476a4c891c6f52fb5f2e0c9c128660cc476f106333ddc81fb9cdc766971289d0ea7ceaad0dddecc531cc1fab7c3f6b35ad0bda546a4d450496f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chormuimii.exe
MD5
535bd46107780dbb3425e23c175e85f9

SHA1
f2ef993fabd5fb2172dccc6f20033b0565c04fa0

SHA256
37d460cea9227867807e21051990ed580d9bafc35746dd1f6ea48e424438ec2d

SHA512
82ba3c603c9d0bd3ae80db7575e978552d3073c33c2f4957238e4f8721b6d7fb5ee4ff36143d2e62a8e48eda7aeb4ee1a1afcfc2ed8ccf2ab3eaf18827382646

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe
MD5
461cbdd5b0d2801a736e21aef6c7ced3

SHA1
62ac275945407dc00402eeb2272fe1e47fb6d7e0

SHA256
9eb507b9bff383e0c96f4d535352978a801b02e4c00c8416882a3f4f7a625595

SHA512
85f6513d0fabb5d3bb9e045c8a3c0a11f833b33ff1be8adcdb76e61d44216c7cae14cef594747bbdb51fce755814ade02f4db60a2f2319b7e5921624bd7b0abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe
MD5
461cbdd5b0d2801a736e21aef6c7ced3

SHA1
62ac275945407dc00402eeb2272fe1e47fb6d7e0

SHA256
9eb507b9bff383e0c96f4d535352978a801b02e4c00c8416882a3f4f7a625595

SHA512
85f6513d0fabb5d3bb9e045c8a3c0a11f833b33ff1be8adcdb76e61d44216c7cae14cef594747bbdb51fce755814ade02f4db60a2f2319b7e5921624bd7b0abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchoste.exe
MD5
9f209b4720986407a79bd4c598087587

SHA1
ba52f693587ef169d590351639b4c810dccd8427

SHA256
76488918853ce10b808bd2fad4f8c37ff9ca59f321c03c7700e0771f922113d3

SHA512
fce9032027d61ec4026b2dc4f762d7d05e1ac820b1dc6ba6ad6b8631a040389fc8a838a9a1778992263430411d38ecb60085f87454bdefff7be3a2a0345c122e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchoste.exe
MD5
9f209b4720986407a79bd4c598087587

SHA1
ba52f693587ef169d590351639b4c810dccd8427

SHA256
76488918853ce10b808bd2fad4f8c37ff9ca59f321c03c7700e0771f922113d3

SHA512
fce9032027d61ec4026b2dc4f762d7d05e1ac820b1dc6ba6ad6b8631a040389fc8a838a9a1778992263430411d38ecb60085f87454bdefff7be3a2a0345c122e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2219.tmp.bat
MD5
f9dc08a2e156af153e97a312aab1b00a

SHA1
5738a9b656e31faff9c1acd18440310690cdc025

SHA256
bff3fe94ce3ad775a8d0cdf6c0b8f5be82dfd85a2529cb871ed1447cadbe2041

SHA512
544193f358d22c8d42d31e386e50bd8eceabee6ae4cb85c1d85288fc3ff1099fdc1d4e2a278d209327621276160335de9e86b615f85d3c74fb7acc4a9985818c

Download Submit
\Users\Admin\AppData\Local\Temp\chormuim.exe
MD5
69450ec78e3aa15178a8a90079551137

SHA1
c77904954955906c1792b956cb58be00a9ccb140

SHA256
6247f4af4cef102c5fd74f4544ff0d9805a9f3e3c1ece327c5cc4d674f06c7b1

SHA512
df108ea9a113476a4c891c6f52fb5f2e0c9c128660cc476f106333ddc81fb9cdc766971289d0ea7ceaad0dddecc531cc1fab7c3f6b35ad0bda546a4d450496f7

Download Submit
\Users\Admin\AppData\Local\Temp\svchoste.exe
MD5
9f209b4720986407a79bd4c598087587

SHA1
ba52f693587ef169d590351639b4c810dccd8427

SHA256
76488918853ce10b808bd2fad4f8c37ff9ca59f321c03c7700e0771f922113d3

SHA512
fce9032027d61ec4026b2dc4f762d7d05e1ac820b1dc6ba6ad6b8631a040389fc8a838a9a1778992263430411d38ecb60085f87454bdefff7be3a2a0345c122e

Download Submit
\Users\Admin\AppData\Local\Temp\svchoste.exe
MD5
9f209b4720986407a79bd4c598087587

SHA1
ba52f693587ef169d590351639b4c810dccd8427

SHA256
76488918853ce10b808bd2fad4f8c37ff9ca59f321c03c7700e0771f922113d3

SHA512
fce9032027d61ec4026b2dc4f762d7d05e1ac820b1dc6ba6ad6b8631a040389fc8a838a9a1778992263430411d38ecb60085f87454bdefff7be3a2a0345c122e

Download Submit
\Users\Admin\AppData\Local\Temp\svchoste.exe
MD5
9f209b4720986407a79bd4c598087587

SHA1
ba52f693587ef169d590351639b4c810dccd8427

SHA256
76488918853ce10b808bd2fad4f8c37ff9ca59f321c03c7700e0771f922113d3

SHA512
fce9032027d61ec4026b2dc4f762d7d05e1ac820b1dc6ba6ad6b8631a040389fc8a838a9a1778992263430411d38ecb60085f87454bdefff7be3a2a0345c122e

Download Submit
memory/520-65-0x0000000074EC1000-0x0000000074EC3000-memory.dmp

Filesize
8KB

Download
memory/520-57-0x0000000000000000-mapping.dmp

Download
memory/588-59-0x0000000000000000-mapping.dmp

Download
memory/588-62-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/588-63-0x0000000000BF0000-0x0000000000BFE000-memory.dmp

Filesize
56KB

Download
memory/800-88-0x0000000000000000-mapping.dmp

Download
memory/800-93-0x0000000001CF0000-0x0000000001D28000-memory.dmp

Filesize
224KB

Download
memory/1408-94-0x0000000000000000-mapping.dmp

Download
memory/1532-79-0x0000000000000000-mapping.dmp

Download
memory/1532-84-0x0000000000F90000-0x0000000000FEE000-memory.dmp

Filesize
376KB

Download
memory/1532-82-0x0000000000F90000-0x0000000000FEE000-memory.dmp

Filesize
376KB

Download
memory/1532-85-0x0000000000680000-0x0000000000704000-memory.dmp

Filesize
528KB

Download
memory/1532-86-0x0000000000630000-0x0000000000636000-memory.dmp

Filesize
24KB

Download
memory/1532-87-0x0000000000150000-0x0000000000152000-memory.dmp

Filesize
8KB

Download
memory/1584-97-0x0000000000000000-mapping.dmp

Download
memory/1652-56-0x0000000000330000-0x000000000040E000-memory.dmp

Filesize
888KB

Download
memory/1652-67-0x000000001ADD0000-0x000000001ADD2000-memory.dmp

Filesize
8KB

Download
memory/1652-55-0x0000000000330000-0x000000000040E000-memory.dmp

Filesize
888KB

Download
memory/1716-73-0x0000000004920000-0x00000000049CA000-memory.dmp

Filesize
680KB

Download
memory/1716-77-0x0000000004A83000-0x0000000004A84000-memory.dmp

Filesize
4KB

Download
memory/1716-74-0x0000000002280000-0x0000000002328000-memory.dmp

Filesize
672KB

Download
memory/1716-76-0x0000000004A82000-0x0000000004A83000-memory.dmp

Filesize
4KB

Download
memory/1716-64-0x0000000000000000-mapping.dmp

Download
memory/1716-75-0x0000000004A81000-0x0000000004A82000-memory.dmp

Filesize
4KB

Download
memory/1732-98-0x0000000000000000-mapping.dmp

Download
memory/1932-96-0x0000000000000000-mapping.dmp

Download
memory/1944-72-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1944-71-0x0000000000C90000-0x0000000000C98000-memory.dmp

Filesize
32KB

Download
memory/1944-68-0x0000000000000000-mapping.dmp

Download
memory/1944-83-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download