Analysis
Max time kernel: 132s
Max time network: 136s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 30-03-2022 02:07
Static task: static1
Behavioral task: behavioral1
  Sample: 8577d33d01e9b4d70ba0abef53c03277.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 8577d33d01e9b4d70ba0abef53c03277.exe
  Resource: win10v2004-en-20220113
General
Target: 8577d33d01e9b4d70ba0abef53c03277.exe
Size: 355KB
MD5: 8577d33d01e9b4d70ba0abef53c03277
SHA1: 1f84eecb02e4179c554f8cfe27fad4b17d26025d
SHA256: 913a7c8a88dc0720ff7fe2005243939f2fdadc129f69a46cc8fcfe54a16f0e75
SHA512: 4848150c8810ec4c0fb58e3f7b8d823cc7959107f696cd446b0514a0b1aaaf4fac66d83c8a95acdb02b8a8724316f12a6fff8972589b463bca05c2ca40dc3c46
Malware Config
Extracted
oski
e4v5sa.xyz
Signatures
- Oski
  Oski is an infostealer that targets browser data and crypto wallets.
- Executes dropped EXE (2 IoCs)
  pid   Process
  1756  bbjjgn.exe
  988   bbjjgn.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4412  988         WerFault.exe  80
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                               procid_target
  PID 1264 wrote to memory of 1756  1264  8577d33d01e9b4d70ba0abef53c03277.exe  79
  PID 1264 wrote to memory of 1756  1264  8577d33d01e9b4d70ba0abef53c03277.exe  79
  PID 1264 wrote to memory of 1756  1264  8577d33d01e9b4d70ba0abef53c03277.exe  79
  PID 1756 wrote to memory of 988   1756  bbjjgn.exe                            80
  PID 1756 wrote to memory of 988   1756  bbjjgn.exe                            80
  PID 1756 wrote to memory of 988   1756  bbjjgn.exe                            80
  PID 1756 wrote to memory of 988   1756  bbjjgn.exe                            80
  PID 1756 wrote to memory of 988   1756  bbjjgn.exe                            80
  PID 1756 wrote to memory of 988   1756  bbjjgn.exe                            80
  PID 1756 wrote to memory of 988   1756  bbjjgn.exe                            80
  PID 1756 wrote to memory of 988   1756  bbjjgn.exe                            80
  PID 1756 wrote to memory of 988   1756  bbjjgn.exe                            80
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe"
  PID: 1264
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
    PID: 1756
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
      PID: 988
      - Executes dropped EXE
      Depth 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1352
        PID: 4412
        - Program crash
Depth 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 988 -ip 988
  PID: 4944
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 109KB
  MD5: 55c5d5f188d7d14b75e90d81bbedb15b
  SHA1: 698e0272fe1dc6368a6d50e3ae9d12184098639e
  SHA256: 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770
  SHA512: 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08
- Filesize: 109KB
  MD5: 55c5d5f188d7d14b75e90d81bbedb15b
  SHA1: 698e0272fe1dc6368a6d50e3ae9d12184098639e
  SHA256: 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770
  SHA512: 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08
- Filesize: 109KB
  MD5: 55c5d5f188d7d14b75e90d81bbedb15b
  SHA1: 698e0272fe1dc6368a6d50e3ae9d12184098639e
  SHA256: 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770
  SHA512: 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08
- Filesize: 4KB
  MD5: ec86abe57beb8a315221634c1163d772
  SHA1: 3c1f4ae6ba50b2a900147659669318f65df8b4d8
  SHA256: 6241a6b459412efd44fe4bca18f57d802dff4682211c15bf970ddb34cfc95e4b
  SHA512: 444227f8b3db866d057be1c583f8c043a44a2899457ce2c3843a7f69bb318ec0961cb0bc2dfac384bc5631b38422eda5514167fd83b00820d052babff0aa1f85
- Filesize: 214KB
  MD5: d5c7c2dc6891be5104aa4c826890772a
  SHA1: 21b86d278094e84fce3f455524160f4e81c673fc
  SHA256: 00b831f5cccded55477fd0fe55d554a7375daae88c815b8cc3ef793f7a4e3ae5
  SHA512: afa170c230f718edbd53a9ec9e570c73c28ca4d2f8ded477584262e49fcef3389d1e76bb79fc6bec70fb1f68aa9194c09d35f42dae4e2b2969203fbb251d9f0d