Analysis
-
max time kernel
91s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
04-04-2022 10:52
Static task
static1
Behavioral task
behavioral1
Sample
fatura comercial - Indaco EX20858 - OC00015.e.exe
Resource
win7-20220331-en
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
fatura comercial - Indaco EX20858 - OC00015.e.exe
Resource
win10v2004-20220331-en
0 signatures
0 seconds
General
-
Target
fatura comercial - Indaco EX20858 - OC00015.e.exe
-
Size
842KB
-
MD5
e9e7e3bdd64069d3b36e5362bbdcd155
-
SHA1
8f96d2cd29ee2b7730245737547b7b67867bdd41
-
SHA256
14a2149ffb9dc7a2bfa96e92ee4d7052222d5550431ffebc471b31859b397024
-
SHA512
6449ad0e4adf50532336cf7ed7b7c9fa05d74548dc209097fcda50adf2351586ec77a17b4fac2a053599593552368dc8cf82756d300813b4dcc31814cca29174
Score
10/10
Malware Config
Extracted
Family
oski
C2
zubroxmack.cf
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3404 set thread context of 2908 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 84 -
Program crash 1 IoCs
pid pid_target Process procid_target 4500 2908 WerFault.exe 84 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3404 wrote to memory of 4148 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 83 PID 3404 wrote to memory of 4148 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 83 PID 3404 wrote to memory of 4148 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 83 PID 3404 wrote to memory of 2908 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 84 PID 3404 wrote to memory of 2908 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 84 PID 3404 wrote to memory of 2908 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 84 PID 3404 wrote to memory of 2908 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 84 PID 3404 wrote to memory of 2908 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 84 PID 3404 wrote to memory of 2908 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 84 PID 3404 wrote to memory of 2908 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 84 PID 3404 wrote to memory of 2908 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 84 PID 3404 wrote to memory of 2908 3404 fatura comercial - Indaco EX20858 - OC00015.e.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\fatura comercial - Indaco EX20858 - OC00015.e.exe"C:\Users\Admin\AppData\Local\Temp\fatura comercial - Indaco EX20858 - OC00015.e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Users\Admin\AppData\Local\Temp\fatura comercial - Indaco EX20858 - OC00015.e.exe"C:\Users\Admin\AppData\Local\Temp\fatura comercial - Indaco EX20858 - OC00015.e.exe"2⤵PID:4148
-
-
C:\Users\Admin\AppData\Local\Temp\fatura comercial - Indaco EX20858 - OC00015.e.exe"C:\Users\Admin\AppData\Local\Temp\fatura comercial - Indaco EX20858 - OC00015.e.exe"2⤵PID:2908
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 1923⤵
- Program crash
PID:4500
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2908 -ip 29081⤵PID:176