Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

dhl.exe

windows7_x64

10

dhl.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11/07/2022, 08:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dhl.exe

  • Size

    4.9MB

  • MD5

    28c49dff3e6cce47ac148f844d5f657f

  • SHA1

    fb5c3e86cf44dc8c627d4d78bcbb56e0d06ceaa9

  • SHA256

    8d35a509c8341803a0e7f804817f4870c68274bb47523018b8842e759252d9ea

  • SHA512

    0e68853476ccc6670ad27b5be2da6dbd465954b1a3a045c5426dc5cd038985138b3f387ec77c9a3a4fa04a3212763efe95baf48981438350600c6d7349cac7c3

Score
10/10
oskiinfostealer

Malware Config

Extracted

Family

oski

C2

domazy.ga

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dhl.exe
    "C:\Users\Admin\AppData\Local\Temp\dhl.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
      2⤵
        PID:1276
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 544
          3⤵
          • Program crash
          PID:3768
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1276 -ip 1276
      1⤵
        PID:3764

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1276-136-0x0000000000700000-0x0000000000738000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1276-139-0x0000000000700000-0x0000000000738000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1276-142-0x0000000000700000-0x0000000000738000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1276-143-0x0000000000700000-0x0000000000738000-memory.dmp

        Filesize

        224KB

        Download

      • memory/1572-130-0x0000000000730000-0x0000000000C18000-memory.dmp

        Filesize

        4.9MB

        Download

      • memory/1572-131-0x0000000005A70000-0x0000000006014000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1572-132-0x00000000059B0000-0x0000000005A42000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1572-133-0x0000000007190000-0x000000000722C000-memory.dmp

        Filesize

        624KB

        Download