Analysis

  • max time kernel
    4294183s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    30-03-2022 02:08

General

  • Target

    8577d33d01e9b4d70ba0abef53c03277.exe

  • Size

    355KB

  • MD5

    8577d33d01e9b4d70ba0abef53c03277

  • SHA1

    1f84eecb02e4179c554f8cfe27fad4b17d26025d

  • SHA256

    913a7c8a88dc0720ff7fe2005243939f2fdadc129f69a46cc8fcfe54a16f0e75

  • SHA512

    4848150c8810ec4c0fb58e3f7b8d823cc7959107f696cd446b0514a0b1aaaf4fac66d83c8a95acdb02b8a8724316f12a6fff8972589b463bca05c2ca40dc3c46

Score
10/10

Malware Config

Extracted

Family

oski

C2

e4v5sa.xyz

Signatures

  • Oski

    Oski is an infostealer targeting browser data and cryptocurrency wallets.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox describes this generic heuristic as likely ransomware behaviour; for this sample the extracted family (Oski, an infostealer) is the stronger signal, and drive enumeration is equally consistent with locating files to collect.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe
    "C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
      C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
        C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 112
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:1664
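
The process tree above, as an added triage example that is not part of the sandbox report: a Python script that encodes the chain as constructed Sysmon-style process-creation events (PIDs, image paths and command lines taken from the tree, behaviour tags taken from the signature labels) and flags the patterns a detection engineer would key on: a dropped executable running from the user's Temp directory, a process re-spawning its own image with an identical command line while the parent carries the WriteProcessMemory tag (consistent with a loader unpacking a payload into a fresh copy of itself; the correlation is an assumption, since the report does not say which process was written to), and WerFault being invoked for that process. The rule names, the event layout and the tag vocabulary are assumptions for illustration.

```python
"""Triage a sandbox process tree for loader-style behaviour.

Added example, not part of the sandbox report.  EVENTS is constructed
from the process tree on the report page; rule names, the ProcEvent
layout and the tag names are assumptions for illustration.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not in the tree
    image: str
    cmdline: str
    tags: tuple = ()


TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed from the report's process tree (PIDs, paths, command lines
# and signature labels as listed there).
EVENTS = [
    ProcEvent(2028, 0, TEMP + r"\8577d33d01e9b4d70ba0abef53c03277.exe",
              '"' + TEMP + r'\8577d33d01e9b4d70ba0abef53c03277.exe"',
              ("loads_dropped_dll", "write_process_memory")),
    ProcEvent(2004, 2028, TEMP + r"\bbjjgn.exe",
              TEMP + r"\bbjjgn.exe " + TEMP + r"\gqrgzrmb",
              ("dropped_exe", "loads_dropped_dll", "write_process_memory")),
    ProcEvent(1068, 2004, TEMP + r"\bbjjgn.exe",
              TEMP + r"\bbjjgn.exe " + TEMP + r"\gqrgzrmb",
              ("dropped_exe", "write_process_memory")),
    ProcEvent(1664, 1068, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 112",
              ("loads_dropped_dll", "program_crash")),
]


def in_user_temp(path):
    """True for images under %LOCALAPPDATA%\\Temp (case-insensitive)."""
    return "\\appdata\\local\\temp\\" in path.lower()


def werfault_target(cmdline):
    """Return the PID WerFault was started for (-p <pid>), or None."""
    parts = cmdline.split()
    for i, p in enumerate(parts):
        if p == "-p" and i + 1 < len(parts) and parts[i + 1].isdigit():
            return int(parts[i + 1])
    return None


def lineage(events, pid):
    """Ancestry of pid from the tree root down, e.g. [2028, 2004, 1068, 1664]."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain[::-1]


def triage(events):
    """Return (rule, pid) findings for the loader patterns in the tree."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = ntpath.basename(e.image).lower()

        # Rule 1: a dropped binary executing from the user's Temp directory.
        if "dropped_exe" in e.tags and in_user_temp(e.image):
            findings.append(("dropped_exe_in_temp", e.pid))

        # Rule 2: a process re-launching its own image with the same command
        # line.  When the parent is also tagged for WriteProcessMemory this
        # matches the classic unpack-into-a-fresh-copy loader pattern; the
        # report does not say which process was written to, so treat the
        # correlation as a lead, not proof.
        if parent and parent.image.lower() == e.image.lower() \
                and parent.cmdline == e.cmdline:
            findings.append(("self_spawn_same_cmdline", e.pid))
            if "write_process_memory" in parent.tags:
                findings.append(("parent_wrote_child_memory", e.pid))

        # Rule 3: Windows Error Reporting invoked for a Temp-resident
        # binary; the crash often marks a failed or sandbox-detected payload.
        if name == "werfault.exe":
            target = werfault_target(e.cmdline)
            if target in by_pid and in_user_temp(by_pid[target].image):
                findings.append(("crash_of_temp_binary", target))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule:28s} pid={pid} chain={lineage(EVENTS, pid)}")
```

The self-spawn rule deliberately requires an identical command line: a legitimate updater that relaunches itself usually changes its arguments, whereas the second bbjjgn.exe here repeats the exact `bbjjgn.exe gqrgzrmb` invocation of its parent, with the 4KB `gqrgzrmb` file most plausibly acting as the loader's input rather than a user document. Feed real Sysmon Event ID 1 records into `ProcEvent` (ProcessId, ParentProcessId, Image, CommandLine) and the same rules apply unchanged.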

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe

    Filesize

    109KB

    MD5

    55c5d5f188d7d14b75e90d81bbedb15b

    SHA1

    698e0272fe1dc6368a6d50e3ae9d12184098639e

    SHA256

    74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770

    SHA512

    5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08

  • C:\Users\Admin\AppData\Local\Temp\gqrgzrmb

    Filesize

    4KB

    MD5

    ec86abe57beb8a315221634c1163d772

    SHA1

    3c1f4ae6ba50b2a900147659669318f65df8b4d8

    SHA256

    6241a6b459412efd44fe4bca18f57d802dff4682211c15bf970ddb34cfc95e4b

    SHA512

    444227f8b3db866d057be1c583f8c043a44a2899457ce2c3843a7f69bb318ec0961cb0bc2dfac384bc5631b38422eda5514167fd83b00820d052babff0aa1f85

  • C:\Users\Admin\AppData\Local\Temp\yqjkc03awp

    Filesize

    214KB

    MD5

    d5c7c2dc6891be5104aa4c826890772a

    SHA1

    21b86d278094e84fce3f455524160f4e81c673fc

    SHA256

    00b831f5cccded55477fd0fe55d554a7375daae88c815b8cc3ef793f7a4e3ae5

    SHA512

    afa170c230f718edbd53a9ec9e570c73c28ca4d2f8ded477584262e49fcef3389d1e76bb79fc6bec70fb1f68aa9194c09d35f42dae4e2b2969203fbb251d9f0d

  • \Users\Admin\AppData\Local\Temp\bbjjgn.exe

    Filesize

    109KB

    MD5

    55c5d5f188d7d14b75e90d81bbedb15b

    SHA1

    698e0272fe1dc6368a6d50e3ae9d12184098639e

    SHA256

    74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770

    SHA512

    5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08

  • memory/1068-72-0x0000000000070000-0x00000000000A8000-memory.dmp

    Filesize

    224KB

  • memory/1068-66-0x0000000000070000-0x00000000000A8000-memory.dmp

    Filesize

    224KB

  • memory/1068-69-0x0000000000070000-0x00000000000A8000-memory.dmp

    Filesize

    224KB

  • memory/2028-54-0x0000000075271000-0x0000000075273000-memory.dmp

    Filesize

    8KB