Overview

overview

10

Static

static

Sucwelxt vv.exe

windows7_x64

10

Sucwelxt vv.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    116s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-05-2022 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sucwelxt vv.exe

  • Size

    525KB

  • MD5

    082bd91b649aa37460d4ec595878e8b4

  • SHA1

    0613f565d1f0f6a5acbea226bccb5ab99bbe8c9c

  • SHA256

    f26018f63848edfc0e7a83dbdc502a710bfafa968eacf658ce8a13915a42e783

  • SHA512

    d5a0722b50e6c2a62b007537b2fda7f64e21d41f29dcf07f104dbdc80e331d454805c97d0eb553236f4dae57ccfb76a1a3273e78891a85d53369f40adc20ed84

Score
10/10
oskiinfostealerspywarestealer

Malware Config

Extracted

Family

oski

C2

http://bsig99.xyz

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sucwelxt vv.exe
    "C:\Users\Admin\AppData\Local\Temp\Sucwelxt vv.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\Sucwelxt vv.exe
      "C:\Users\Admin\AppData\Local\Temp\Sucwelxt vv.exe"
      2⤵
        PID:1460
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1284
          3⤵
          • Program crash
          PID:1816
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1460 -ip 1460
      1⤵
        PID:2064

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1460-136-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1460-137-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1460-138-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1460-139-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1460-140-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/3092-130-0x0000000000AB0000-0x0000000000B38000-memory.dmp

        Filesize

        544KB

        Download

      • memory/3092-131-0x0000000006D30000-0x0000000006DE2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/3092-132-0x0000000006CC0000-0x0000000006D10000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3092-133-0x0000000006E90000-0x0000000006F22000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3092-134-0x00000000074E0000-0x0000000007A84000-memory.dmp

        Filesize

        5.6MB

        Download