Analysis Overview
SHA256
913a7c8a88dc0720ff7fe2005243939f2fdadc129f69a46cc8fcfe54a16f0e75
Threat Level: Known bad
The file 8577d33d01e9b4d70ba0abef53c03277.exe was found to be: Known bad.
Malicious Activity Summary
Oski
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Program crash
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-30 02:08
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-30 02:08
Reported
2022-03-30 02:10
Platform
win7-20220311-en
Max time kernel
4294183s
Max time network
126s
Command Line
Signatures
Oski
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe
"C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe"
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 112
Network
Files
memory/2028-54-0x0000000075271000-0x0000000075273000-memory.dmp
\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
memory/2004-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
| MD5 | ec86abe57beb8a315221634c1163d772 |
| SHA1 | 3c1f4ae6ba50b2a900147659669318f65df8b4d8 |
| SHA256 | 6241a6b459412efd44fe4bca18f57d802dff4682211c15bf970ddb34cfc95e4b |
| SHA512 | 444227f8b3db866d057be1c583f8c043a44a2899457ce2c3843a7f69bb318ec0961cb0bc2dfac384bc5631b38422eda5514167fd83b00820d052babff0aa1f85 |
C:\Users\Admin\AppData\Local\Temp\yqjkc03awp
| MD5 | d5c7c2dc6891be5104aa4c826890772a |
| SHA1 | 21b86d278094e84fce3f455524160f4e81c673fc |
| SHA256 | 00b831f5cccded55477fd0fe55d554a7375daae88c815b8cc3ef793f7a4e3ae5 |
| SHA512 | afa170c230f718edbd53a9ec9e570c73c28ca4d2f8ded477584262e49fcef3389d1e76bb79fc6bec70fb1f68aa9194c09d35f42dae4e2b2969203fbb251d9f0d |
memory/1068-64-0x0000000000000000-mapping.dmp
memory/1068-69-0x0000000000070000-0x00000000000A8000-memory.dmp
memory/1068-66-0x0000000000070000-0x00000000000A8000-memory.dmp
memory/1068-72-0x0000000000070000-0x00000000000A8000-memory.dmp
memory/1664-73-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-30 02:08
Reported
2022-03-30 02:11
Platform
win10v2004-20220310-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Oski
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe | N/A |
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe
"C:\Users\Admin\AppData\Local\Temp\8577d33d01e9b4d70ba0abef53c03277.exe"
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 124 -p 3124 -ip 3124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1344
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | e4v5sa.xyz | udp |
| US | 172.67.193.69:80 | e4v5sa.xyz | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\bbjjgn.exe
| MD5 | 55c5d5f188d7d14b75e90d81bbedb15b |
| SHA1 | 698e0272fe1dc6368a6d50e3ae9d12184098639e |
| SHA256 | 74bfefcce9e8c2e34558f25efdaee37e2ba7db59e40965859065a2e408a75770 |
| SHA512 | 5f105e09abb2c67e5bec9271cb1bd1a96f93b1ccbd420ad987f8d39a2e8c7268e5f8ac7f0ef2630137a82f165231206fcbe21ef6695bc69cb39229de4a5baf08 |
memory/3596-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\yqjkc03awp
| MD5 | d5c7c2dc6891be5104aa4c826890772a |
| SHA1 | 21b86d278094e84fce3f455524160f4e81c673fc |
| SHA256 | 00b831f5cccded55477fd0fe55d554a7375daae88c815b8cc3ef793f7a4e3ae5 |
| SHA512 | afa170c230f718edbd53a9ec9e570c73c28ca4d2f8ded477584262e49fcef3389d1e76bb79fc6bec70fb1f68aa9194c09d35f42dae4e2b2969203fbb251d9f0d |
C:\Users\Admin\AppData\Local\Temp\gqrgzrmb
| MD5 | ec86abe57beb8a315221634c1163d772 |
| SHA1 | 3c1f4ae6ba50b2a900147659669318f65df8b4d8 |
| SHA256 | 6241a6b459412efd44fe4bca18f57d802dff4682211c15bf970ddb34cfc95e4b |
| SHA512 | 444227f8b3db866d057be1c583f8c043a44a2899457ce2c3843a7f69bb318ec0961cb0bc2dfac384bc5631b38422eda5514167fd83b00820d052babff0aa1f85 |
memory/3124-139-0x0000000000000000-mapping.dmp
memory/3124-141-0x0000000000700000-0x0000000000738000-memory.dmp
memory/3124-144-0x0000000000700000-0x0000000000738000-memory.dmp
memory/3124-147-0x0000000000700000-0x0000000000738000-memory.dmp