Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
90s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
27/05/2022, 15:25
Static task
static1
Behavioral task
behavioral1
Sample
DHL PACKAGE DOCUMENT.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
DHL PACKAGE DOCUMENT.exe
Resource
win10v2004-20220414-en
General
-
Target
DHL PACKAGE DOCUMENT.exe
-
Size
23KB
-
MD5
cf65c6f1cb9b6847cf639bd57e8282d1
-
SHA1
30e4a45690434c04643aa30456191fc78041caf4
-
SHA256
49c7f9c1a11758309f55b563b54a44b734b39f185d1d5d63436adea38e44a03d
-
SHA512
b554bd0f76522d5bd33d33481b8a98f37059f87be2cd651c012181c1c776e294831281c4e65b68104de62eae3feaa8f813b3ec8f2c827f5f438f7cfcec9ca7eb
Malware Config
Extracted
oski
unitech.co.vu
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Downloads MZ/PE file
-
Loads dropped DLL 3 IoCs
pid Process 3860 MSBuild.exe 3860 MSBuild.exe 3860 MSBuild.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Chrom.exe\"" DHL PACKAGE DOCUMENT.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1912 set thread context of 3860 1912 DHL PACKAGE DOCUMENT.exe 82 -
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString MSBuild.exe -
Kills process with taskkill 1 IoCs
pid Process 3512 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1912 DHL PACKAGE DOCUMENT.exe 1912 DHL PACKAGE DOCUMENT.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1912 DHL PACKAGE DOCUMENT.exe Token: SeDebugPrivilege 3512 taskkill.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1912 wrote to memory of 3860 1912 DHL PACKAGE DOCUMENT.exe 82 PID 1912 wrote to memory of 3860 1912 DHL PACKAGE DOCUMENT.exe 82 PID 1912 wrote to memory of 3860 1912 DHL PACKAGE DOCUMENT.exe 82 PID 1912 wrote to memory of 3860 1912 DHL PACKAGE DOCUMENT.exe 82 PID 1912 wrote to memory of 3860 1912 DHL PACKAGE DOCUMENT.exe 82 PID 1912 wrote to memory of 3860 1912 DHL PACKAGE DOCUMENT.exe 82 PID 1912 wrote to memory of 3860 1912 DHL PACKAGE DOCUMENT.exe 82 PID 1912 wrote to memory of 3860 1912 DHL PACKAGE DOCUMENT.exe 82 PID 1912 wrote to memory of 3860 1912 DHL PACKAGE DOCUMENT.exe 82 PID 3860 wrote to memory of 1200 3860 MSBuild.exe 85 PID 3860 wrote to memory of 1200 3860 MSBuild.exe 85 PID 3860 wrote to memory of 1200 3860 MSBuild.exe 85 PID 1200 wrote to memory of 3512 1200 cmd.exe 87 PID 1200 wrote to memory of 3512 1200 cmd.exe 87 PID 1200 wrote to memory of 3512 1200 cmd.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL PACKAGE DOCUMENT.exe"C:\Users\Admin\AppData\Local\Temp\DHL PACKAGE DOCUMENT.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 3860 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe & RD /S /Q C:\\ProgramData\\813955804164984\\* & exit3⤵
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 38604⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3512
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
Filesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
Filesize
630KB
MD5e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c