Analysis Overview
SHA256
a414ef0d5392718a4307dbb6a5d38ca3285d9aa002d93ee1ea5d45320d082769
Threat Level: Known bad
The file 0b71a53b75074c03a48bf23774b1c5f1.exe was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Oski
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-29 21:34
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-29 21:34
Reported
2022-03-29 21:37
Platform
win7-20220311-en
Max time kernel
4294178s
Max time network
121s
Command Line
Signatures
Oski
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b71a53b75074c03a48bf23774b1c5f1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b71a53b75074c03a48bf23774b1c5f1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b71a53b75074c03a48bf23774b1c5f1.exe
"C:\Users\Admin\AppData\Local\Temp\0b71a53b75074c03a48bf23774b1c5f1.exe"
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe C:\Users\Admin\AppData\Local\Temp\gglolqmqe
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe C:\Users\Admin\AppData\Local\Temp\gglolqmqe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 112
Network
Files
memory/1584-54-0x0000000075841000-0x0000000075843000-memory.dmp
\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
memory/668-57-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
C:\Users\Admin\AppData\Local\Temp\gglolqmqe
| MD5 | c9496c87c65e12886f38ae1563ff6a8a |
| SHA1 | 701c9c76e2bbe35b61a10e7c3116757926b992a2 |
| SHA256 | 2d665dddb4c64b4583a44ef17424b9ee005d0c5a10d2592e9be01103dcf9419b |
| SHA512 | 810c9d85e16e3943c7ea9aa4b51e617d59ce5f195c6fa6e035dd8c7d610e49c146337845f068feb26c737250eecebf0b8b54051131e329ea98312b62380a4226 |
C:\Users\Admin\AppData\Local\Temp\jbnzs19nhn
| MD5 | 893df1edbeeefa21c08c9cefa3e81900 |
| SHA1 | 7c770bfed8cfb43e074b57d80d8c1b8803f870c3 |
| SHA256 | 8f96ce5fd1aedeff943fba09bfebfad2fde0afbef0f160f08abeb0f3c6b3d50c |
| SHA512 | 5160c986f559c41a18ce8d66de7765ca9174ffd2211ead84a2053973604d3c43818f803bf34ad34ae45cd0ab4f2f805e2338bfcbace6f91e1a4ebf88e2b8ece3 |
\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
memory/1656-66-0x0000000000070000-0x00000000000A8000-memory.dmp
memory/1656-69-0x0000000000070000-0x00000000000A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
memory/1656-64-0x0000000000000000-mapping.dmp
memory/1656-72-0x0000000000070000-0x00000000000A8000-memory.dmp
memory/1688-73-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-29 21:34
Reported
2022-03-29 21:37
Platform
win10v2004-en-20220113
Max time kernel
144s
Max time network
155s
Command Line
Signatures
Oski
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b71a53b75074c03a48bf23774b1c5f1.exe
"C:\Users\Admin\AppData\Local\Temp\0b71a53b75074c03a48bf23774b1c5f1.exe"
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe C:\Users\Admin\AppData\Local\Temp\gglolqmqe
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe C:\Users\Admin\AppData\Local\Temp\gglolqmqe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1336
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | e4v5sa.xyz | udp |
| US | 172.67.193.69:80 | e4v5sa.xyz | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
memory/2036-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
C:\Users\Admin\AppData\Local\Temp\gglolqmqe
| MD5 | c9496c87c65e12886f38ae1563ff6a8a |
| SHA1 | 701c9c76e2bbe35b61a10e7c3116757926b992a2 |
| SHA256 | 2d665dddb4c64b4583a44ef17424b9ee005d0c5a10d2592e9be01103dcf9419b |
| SHA512 | 810c9d85e16e3943c7ea9aa4b51e617d59ce5f195c6fa6e035dd8c7d610e49c146337845f068feb26c737250eecebf0b8b54051131e329ea98312b62380a4226 |
C:\Users\Admin\AppData\Local\Temp\jbnzs19nhn
| MD5 | 893df1edbeeefa21c08c9cefa3e81900 |
| SHA1 | 7c770bfed8cfb43e074b57d80d8c1b8803f870c3 |
| SHA256 | 8f96ce5fd1aedeff943fba09bfebfad2fde0afbef0f160f08abeb0f3c6b3d50c |
| SHA512 | 5160c986f559c41a18ce8d66de7765ca9174ffd2211ead84a2053973604d3c43818f803bf34ad34ae45cd0ab4f2f805e2338bfcbace6f91e1a4ebf88e2b8ece3 |
memory/2480-136-0x0000000000000000-mapping.dmp
memory/2036-135-0x0000000000590000-0x0000000000592000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\twwdmyk.exe
| MD5 | 3887b870c42d2c374bf2fde10cbdac8b |
| SHA1 | 20a9a29ad109aa75b2e86e87d93ff133f9c1fbf2 |
| SHA256 | b9e8c74bcfb2e67647f5111d50194ed0431c5171b7af4d8ae29cc43a2a1cafae |
| SHA512 | 5cbdaf860fb7a1033988a14be3c4404c57df726d51ca61aa4b68e059679df8e891824b2438801dcbff55f4e37d6c52b0e5a875e108d9909626779fc1a08454e0 |
memory/2480-138-0x0000000001110000-0x0000000001148000-memory.dmp
memory/2480-141-0x0000000001110000-0x0000000001148000-memory.dmp
memory/2480-144-0x0000000001110000-0x0000000001148000-memory.dmp