Analysis Overview
SHA256
913a7c8a88dc0720ff7fe2005243939f2fdadc129f69a46cc8fcfe54a16f0e75
Threat Level: Known bad
The file 8577d33d01e9b4d70ba0abef53c03277.exe was found to be: Known bad.
Malicious Activity Summary
Oski
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-30 02:07
Signatures
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-30 02:07
Reported
2022-03-30 02:10
Platform
win7-20220311-en
Max time kernel
4294177s
Max time network
120s
Command Line
Signatures
Oski
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe
"C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe"
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 112
Network
Files
memory/1684-54-0x0000000075841000-0x0000000075843000-memory.dmp
\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
memory/560-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
| MD5 | ec86abe57beb8a315221634c1163d772 |
| SHA1 | 3c1f4ae6ba50b2a900147659669318f65df8b4d8 |
| SHA256 | 6241a6b459412efd44fe4bca18f57d802dff4682211c15bf970ddb34cfc95e4b |
| SHA512 | 444227f8b3db866d057be1c583f8c043a44a2899457ce2c3843a7f69bb318ec0961cb0bc2dfac384bc5631b38422eda5514167fd83b00820d052babff0aa1f85 |
C:\Users\Admin\AppData\Local\Temp\yqjkc03awp
| MD5 | d5c7c2dc6891be5104aa4c826890772a |
| SHA1 | 21b86d278094e84fce3f455524160f4e81c673fc |
| SHA256 | 00b831f5cccded55477fd0fe55d554a7375daae88c815b8cc3ef793f7a4e3ae5 |
| SHA512 | afa170c230f718edbd53a9ec9e570c73c28ca4d2f8ded477584262e49fcef3389d1e76bb79fc6bec70fb1f68aa9194c09d35f42dae4e2b2969203fbb251d9f0d |
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
memory/1112-66-0x0000000000090000-0x00000000000C8000-memory.dmp
memory/1112-69-0x0000000000090000-0x00000000000C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
memory/1112-64-0x0000000000000000-mapping.dmp
memory/1112-72-0x0000000000090000-0x00000000000C8000-memory.dmp
memory/1696-73-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-30 02:07
Reported
2022-03-30 02:10
Platform
win10v2004-en-20220113
Max time kernel
132s
Max time network
136s
Command Line
Signatures
Oski
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe
"C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe"
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 988 -ip 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1352
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | e4v5sa.xyz | udp |
| US | 104.21.20.176:80 | e4v5sa.xyz | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
memory/1756-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
| MD5 | ec86abe57beb8a315221634c1163d772 |
| SHA1 | 3c1f4ae6ba50b2a900147659669318f65df8b4d8 |
| SHA256 | 6241a6b459412efd44fe4bca18f57d802dff4682211c15bf970ddb34cfc95e4b |
| SHA512 | 444227f8b3db866d057be1c583f8c043a44a2899457ce2c3843a7f69bb318ec0961cb0bc2dfac384bc5631b38422eda5514167fd83b00820d052babff0aa1f85 |
C:\Users\Admin\AppData\Local\Temp\yqjkc03awp
| MD5 | d5c7c2dc6891be5104aa4c826890772a |
| SHA1 | 21b86d278094e84fce3f455524160f4e81c673fc |
| SHA256 | 00b831f5cccded55477fd0fe55d554a7375daae88c815b8cc3ef793f7a4e3ae5 |
| SHA512 | afa170c230f718edbd53a9ec9e570c73c28ca4d2f8ded477584262e49fcef3389d1e76bb79fc6bec70fb1f68aa9194c09d35f42dae4e2b2969203fbb251d9f0d |
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
memory/988-135-0x0000000000000000-mapping.dmp
memory/988-137-0x00000000009B0000-0x00000000009E8000-memory.dmp
memory/988-140-0x00000000009B0000-0x00000000009E8000-memory.dmp
memory/988-143-0x00000000009B0000-0x00000000009E8000-memory.dmp