Analysis
  max time kernel:   144s
  max time network:  155s
  platform:          windows10-2004_x64
  resource:          win10v2004-en-20220113
  submitted:         29-03-2022 21:34

Static task: static1

Behavioral task: behavioral1
  Sample:   0b71a53b75074c03a48bf23774b1c5f1.exe
  Resource: win7-20220311-en

Behavioral task: behavioral2
  Sample:   0b71a53b75074c03a48bf23774b1c5f1.exe
  Resource: win10v2004-en-20220113
General
  Target: 0b71a53b75074c03a48bf23774b1c5f1.exe
  Size:   438KB
  MD5:    0b71a53b75074c03a48bf23774b1c5f1
  SHA1:   2779f6615e0ab9292a73bff2c6b9fafc34e7a7db
  SHA256: a414ef0d5392718a4307dbb6a5d38ca3285d9aa002d93ee1ea5d45320d082769
  SHA512: dea28d12aa12838d8e61e6492173a36e271cf0b915200dc6e94f68db5f61882b3019d77f1a7f41ffab5c43ef300625eaee0991b5f1308411274fcc49dbca0fc6
Malware Config (extracted)
  Family: oski
  Host:   e4v5sa.xyz
Signatures

Oski
  Oski is an infostealer that targets browser data and cryptocurrency wallets.

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern (2 alerts)

Executes dropped EXE (2 IoCs)
  pid   Process
  2036  twwdmyk.exe
  2480  twwdmyk.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text describes this as likely ransomware behaviour; for an infostealer such as Oski the same activity is more consistent with enumerating drives to locate files to collect, so do not read it as a ransomware indicator on its own.

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  4520  2480        WerFault.exe  80

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                               procid_target  hits
  PID 1556 wrote to memory of 2036   1556  0b71a53b75074c03a48bf23774b1c5f1.exe  79             3
  PID 2036 wrote to memory of 2480   2036  twwdmyk.exe                           80             9
  (procid_target is the report's own process index, not a Windows PID; hits counts identical rows in the original list)
Processes

C:\Users\Admin\AppData\Local\Temp\0b71a53b75074c03a48bf23774b1c5f1.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\0b71a53b75074c03a48bf23774b1c5f1.exe"
  PID: 1556
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe C:\Users\Admin\AppData\Local\Temp\gglolqmqe
    PID: 2036
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe C:\Users\Admin\AppData\Local\Temp\gglolqmqe
      PID: 2480
      - Executes dropped EXE

      C:\Windows\SysWOW64\WerFault.exe
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1336
        PID: 4520
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2480 -ip 2480
  PID: 1008
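The WriteProcessMemory IoCs and the process tree above together show the shape a hunter would key on: the sample launches the dropped twwdmyk.exe, which relaunches itself with the same argument and writes into the new copy nine times, after which that copy (PID 2480) crashes and WerFault is started for it. The following is an added example, not part of the sandbox report or its tooling. It encodes the events listed on this page as constructed records (the field names kind, pid, ppid, image, cmdline and target are an assumption loosely modelled on Sysmon-style process-create and cross-process-access telemetry) and applies three checks: a binary under %TEMP% launched by another binary under %TEMP%, a parent writing into a child it just created (a same-image child is flagged as the process-hollowing shape), and WerFault invoked for a process that was written into.

```python
"""Process-tree checks over the events in this report.

Added example, not code from the sandbox vendor or from this report.  The
EVENTS list is constructed from the PIDs, image paths, command lines and
WriteProcessMemory counts on the page; the record layout is an assumption.
"""
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


def _create(pid, ppid, image, cmdline=None):
    return {"kind": "create", "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline or image}


def _write(pid, target, n):
    # One record per WriteProcessMemory hit, as the report lists them.
    return [{"kind": "write", "pid": pid, "target": target}] * n


# Constructed from the report: sample 1556 -> dropped twwdmyk.exe 2036 ->
# twwdmyk.exe 2480 -> WerFault 4520; WerFault 1008 at top level;
# 3 writes 1556->2036 and 9 writes 2036->2480.
EVENTS = (
    [_create(1556, 0, TEMP + r"\0b71a53b75074c03a48bf23774b1c5f1.exe"),
     _create(2036, 1556, TEMP + r"\twwdmyk.exe",
             TEMP + r"\twwdmyk.exe " + TEMP + r"\gglolqmqe"),
     _create(2480, 2036, TEMP + r"\twwdmyk.exe",
             TEMP + r"\twwdmyk.exe " + TEMP + r"\gglolqmqe"),
     _create(4520, 2480, WERFAULT, WERFAULT + " -u -p 2480 -s 1336"),
     _create(1008, 0, WERFAULT, WERFAULT + " -pss -s 432 -p 2480 -ip 2480")]
    + _write(1556, 2036, 3)
    + _write(2036, 2480, 9)
)


def index(events):
    """Return (pid -> create record, (writer, target) -> write count)."""
    procs = {e["pid"]: e for e in events if e["kind"] == "create"}
    writes = defaultdict(int)
    for e in events:
        if e["kind"] == "write":
            writes[(e["pid"], e["target"])] += 1
    return procs, dict(writes)


def _in_temp(path):
    return path.lower().startswith(TEMP.lower() + "\\")


def werfault_target(cmdline):
    """PID named by '-p <pid>' in a WerFault.exe command line, else None."""
    parts = cmdline.split()
    for i, tok in enumerate(parts[:-1]):
        if tok == "-p" and parts[i + 1].isdigit():
            return int(parts[i + 1])
    return None


def detect(events):
    """Apply the three checks; returns a list of (rule, pid, detail)."""
    procs, writes = index(events)
    findings = []
    for pid, p in sorted(procs.items()):
        parent = procs.get(p["ppid"])
        # 1. A binary under %TEMP% started by another binary under %TEMP%:
        #    the dropper running what it dropped.
        if parent and _in_temp(p["image"]) and _in_temp(parent["image"]):
            findings.append(("dropped_exe_executed", pid, p["image"]))
        # 2. The parent wrote into this child's memory after creating it.
        #    A same-image child (twwdmyk.exe -> twwdmyk.exe) is the classic
        #    RunPE / process-hollowing shape; a different image is still
        #    worth a look.
        n = writes.get((p["ppid"], pid), 0)
        if parent and n:
            same = parent["image"].lower() == p["image"].lower()
            findings.append(("self_hollowing" if same else "write_into_child",
                             pid, n))
        # 3. WerFault reporting a crash of a process that was written into.
        if p["image"].lower() == WERFAULT.lower():
            t = werfault_target(p["cmdline"])
            if t is not None and any(tgt == t for (_, tgt) in writes):
                findings.append(("injected_process_crashed", pid, t))
    return findings


def hits(rule, events=EVENTS):
    """PIDs that triggered `rule`, in PID order."""
    return [pid for r, pid, _ in detect(events) if r == rule]


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

Run against the constructed events, `detect` reproduces the report's two "Executes dropped EXE" hits (2036, 2480), flags 2480 as the hollowed copy with nine writes from its parent, and ties both WerFault instances (4520 and 1008) back to the injected process through the `-p 2480` argument. The crash is itself a useful tell: an injected payload that does not survive on the analysis VM still leaves WerFault pointing at the target PID.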
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 4KB
  MD5:    c9496c87c65e12886f38ae1563ff6a8a
  SHA1:   701c9c76e2bbe35b61a10e7c3116757926b992a2
  SHA256: 2d665dddb4c64b4583a44ef17424b9ee005d0c5a10d2592e9be01103dcf9419b
  SHA512: 810c9d85e16e3943c7ea9aa4b51e617d59ce5f195c6fa6e035dd8c7d610e49c146337845f068feb26c737250eecebf0b8b54051131e329ea98312b62380a4226

Filesize: 214KB
  MD5:    893df1edbeeefa21c08c9cefa3e81900
  SHA1:   7c770bfed8cfb43e074b57d80d8c1b8803f870c3
  SHA256: 8f96ce5fd1aedeff943fba09bfebfad2fde0afbef0f160f08abeb0f3c6b3d50c
  SHA512: 5160c986f559c41a18ce8d66de7765ca9174ffd2211ead84a2053973604d3c43818f803bf34ad34ae45cd0ab4f2f805e2338bfcbace6f91e1a4ebf88e2b8ece3

Filesize: 109KB (the same artifact is listed three times in the report)
  MD5:    3887b870c42d2c374bf2fde10cbdac8b
  SHA1:   20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2
  SHA256: b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae
  SHA512: 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0