Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    29-03-2022 21:34

General

  • Target

    0b71a53b75074c03a48bf23774b1c5f1.exe

  • Size

    438KB

  • MD5

    0b71a53b75074c03a48bf23774b1c5f1

  • SHA1

    2779f6615e0ab9292a73bff2c6b9fafc34e7a7db

  • SHA256

    a414ef0d5392718a4307dbb6a5d38ca3285d9aa002d93ee1ea5d45320d082769

  • SHA512

    dea28d12aa12838d8e61e6492173a36e271cf0b915200dc6e94f68db5f61882b3019d77f1a7f41ffab5c43ef300625eaee0991b5f1308411274fcc49dbca0fc6

Malware Config

Extracted

Family

oski

C2

e4v5sa.xyz

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b71a53b75074c03a48bf23774b1c5f1.exe
    "C:\Users\Admin\AppData\Local\Temp\0b71a53b75074c03a48bf23774b1c5f1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
      C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe C:\Users\Admin\AppData\Local\Temp\gglolqmqe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
        C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe C:\Users\Admin\AppData\Local\Temp\gglolqmqe
        3⤵
        • Executes dropped EXE
        PID:2480
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1336
          4⤵
          • Program crash
          PID:4520
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2480 -ip 2480
    1⤵
      PID:1008

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\gglolqmqe

      Filesize

      4KB

      MD5

      c9496c87c65e12886f38ae1563ff6a8a

      SHA1

      701c9c76e2bbe35b61a10e7c3116757926b992a2

      SHA256

      2d665dddb4c64b4583a44ef17424b9ee005d0c5a10d2592e9be01103dcf9419b

      SHA512

      810c9d85e16e3943c7ea9aa4b51e617d59ce5f195c6fa6e035dd8c7d610e49c146337845f068feb26c737250eecebf0b8b54051131e329ea98312b62380a4226

    • C:\Users\Admin\AppData\Local\Temp\jbnzs19nhn

      Filesize

      214KB

      MD5

      893df1edbeeefa21c08c9cefa3e81900

      SHA1

      7c770bfed8cfb43e074b57d80d8c1b8803f870c3

      SHA256

      8f96ce5fd1aedeff943fba09bfebfad2fde0afbef0f160f08abeb0f3c6b3d50c

      SHA512

      5160c986f559c41a18ce8d66de7765ca9174ffd2211ead84a2053973604d3c43818f803bf34ad34ae45cd0ab4f2f805e2338bfcbace6f91e1a4ebf88e2b8ece3

    • C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe

      Filesize

      109KB

      MD5

      3887b870c42d2c374bf2fde10cbdac8b

      SHA1

      20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2

      SHA256

      b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae

      SHA512

      5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0

    • C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe

      Filesize

      109KB

      MD5

      3887b870c42d2c374bf2fde10cbdac8b

      SHA1

      20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2

      SHA256

      b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae

      SHA512

      5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0

    • C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe

      Filesize

      109KB

      MD5

      3887b870c42d2c374bf2fde10cbdac8b

      SHA1

      20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2

      SHA256

      b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae

      SHA512

      5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0

    • memory/2036-135-0x0000000000590000-0x0000000000592000-memory.dmp

      Filesize

      8KB

    • memory/2480-138-0x0000000001110000-0x0000000001148000-memory.dmp

      Filesize

      224KB

    • memory/2480-141-0x0000000001110000-0x0000000001148000-memory.dmp

      Filesize

      224KB

    • memory/2480-144-0x0000000001110000-0x0000000001148000-memory.dmp

      Filesize

      224KB