Analysis
- max time kernel: 144s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-07-2022 12:21
Static task: static1
Behavioral task: behavioral1
- Sample: swift 6748.26.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: swift 6748.26.exe
- Resource: win10v2004-20220414-en
General
- Target: swift 6748.26.exe
- Size: 652KB
- MD5: 2a66e1def724a506b4a456a573b76c55
- SHA1: ae8ea73f5754b4ca8a4ccf727e8db152c20e800f
- SHA256: f066b22440bc1fbf1d336c95531d7966ed2c6a0e21db7479d3eb7e61364a32e5
- SHA512: 9d004d721247ec4bc1eecbfbb1e552cac3c37e20ce370e0d2aa18536ff619f8d8b66abfeb079efcf14fcbe781ae6b3138b16335b7a04f064474003d6b948c5cb
Malware Config
- Extracted (oski): foodcircus.ro
Signatures
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- Modifies file permissions (1 TTPs, 1 IoCs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - PID 3404 (swift 6748.26.exe) set thread context of PID 1568 (icacls.exe)
- Program crash (1 IoCs)
  Processes:
  - PID 2500 (WerFault.exe), target PID 1568 (icacls.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
  - PID 3404 (swift 6748.26.exe), 10 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - PID 3404 (swift 6748.26.exe), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  - PID 3404 (swift 6748.26.exe) wrote to memory of PID 1568 (icacls.exe), 10 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\swift 6748.26.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\swift 6748.26.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\icacls.exe
    Command line: "C:\Windows\SysWOW64\icacls.exe"
    - Modifies file permissions
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1288
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1568 -ip 1568
Downloads
- memory/1568-133-0x0000000000000000-mapping.dmp
- memory/1568-134-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/1568-135-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/1568-136-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/1568-137-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/1568-138-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/3404-130-0x00000000002F0000-0x000000000039A000-memory.dmp (Filesize: 680KB)
- memory/3404-131-0x0000000004CC0000-0x0000000004D36000-memory.dmp (Filesize: 472KB)
- memory/3404-132-0x0000000004D70000-0x0000000004D8E000-memory.dmp (Filesize: 120KB)