Analysis
  max time kernel:  143s
  max time network: 150s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220414-en
  submitted:        11-07-2022 08:43

Static task: static1

Behavioral task: behavioral1
  Sample:   dhl.exe
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   dhl.exe
  Resource: win10v2004-20220414-en
  Platform: windows10-2004_x64
  0 signatures, 0 seconds
General
  Target: dhl.exe
  Size:   4.9MB
  MD5:    28c49dff3e6cce47ac148f844d5f657f
  SHA1:   fb5c3e86cf44dc8c627d4d78bcbb56e0d06ceaa9
  SHA256: 8d35a509c8341803a0e7f804817f4870c68274bb47523018b8842e759252d9ea
  SHA512: 0e68853476ccc6670ad27b5be2da6dbd465954b1a3a045c5426dc5cd038985138b3f387ec77c9a3a4fa04a3212763efe95baf48981438350600c6d7349cac7c3
  Score:  10/10

Malware Config (Extracted)
  Family: oski
  C2:     domazy.ga
Signatures

Oski
  Oski is an infostealer targeting browser data and crypto wallets.

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                                 pid   process   target process
    PID 1572 set thread context of 1276         1572  dhl.exe   RegAsm.exe

Program crash (1 IoC)
  Processes:
    pid   pid_target   process        target process
    3768  1276         WerFault.exe   RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1572  dhl.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (the same event is recorded 9 times):
    description                            pid   process   target process
    PID 1572 wrote to memory of 1276       1572  dhl.exe   RegAsm.exe
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\dhl.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dhl.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 544
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1276 -ip 1276
Downloads
  memory/1276-134-0x0000000000000000-mapping.dmp
  memory/1276-136-0x0000000000700000-0x0000000000738000-memory.dmp   Filesize: 224KB
  memory/1276-139-0x0000000000700000-0x0000000000738000-memory.dmp   Filesize: 224KB
  memory/1276-142-0x0000000000700000-0x0000000000738000-memory.dmp   Filesize: 224KB
  memory/1276-143-0x0000000000700000-0x0000000000738000-memory.dmp   Filesize: 224KB
  memory/1572-130-0x0000000000730000-0x0000000000C18000-memory.dmp   Filesize: 4.9MB
  memory/1572-131-0x0000000005A70000-0x0000000006014000-memory.dmp   Filesize: 5.6MB
  memory/1572-132-0x00000000059B0000-0x0000000005A42000-memory.dmp   Filesize: 584KB
  memory/1572-133-0x0000000007190000-0x000000000722C000-memory.dmp   Filesize: 624KB