Overview

overview

10

Static

static

379ab7eebd...46.exe

windows7-x64

10

379ab7eebd...46.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2022 15:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    379ab7eebd100778e2605df3c32da046.exe

  • Size

    595KB

  • MD5

    379ab7eebd100778e2605df3c32da046

  • SHA1

    cba7f97fb75338262c97549608a653c155150813

  • SHA256

    0d680dba51deffe04686d1df8c87de9c6c0310f7060bf4cfb0079a2f25caef10

  • SHA512

    f95a923b84b7594a464bcf981e01af94d4e4d1d3bc98e52c022aac12c9393106fe1fda97a66b15cfdae867e2272585a1a99e6e7237f823fde6c0183c6676a7a3

Score
10/10
oskiinfostealerpersistence

Malware Config

Extracted

Family

oski

C2

quisha.axwebsite.com

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\379ab7eebd100778e2605df3c32da046.exe
    "C:\Users\Admin\AppData\Local\Temp\379ab7eebd100778e2605df3c32da046.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4328
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:4920
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
          PID:4856
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1288
            3⤵
            • Program crash
            PID:4772
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4856 -ip 4856
        1⤵
          PID:4816

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1264-130-0x0000000000460000-0x00000000004FA000-memory.dmp
          Filesize

          616KB

          Download
        • memory/1264-131-0x0000000004EF0000-0x0000000004F12000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4328-138-0x0000000007560000-0x0000000007BDA000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/4328-139-0x00000000063F0000-0x000000000640A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/4328-134-0x00000000053B0000-0x00000000059D8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/4328-135-0x00000000050D0000-0x0000000005136000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4328-136-0x00000000051F0000-0x0000000005256000-memory.dmp
          Filesize

          408KB

          Download
        • memory/4328-137-0x0000000005EF0000-0x0000000005F0E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/4328-132-0x0000000000000000-mapping.dmp
          Download
        • memory/4328-133-0x0000000002900000-0x0000000002936000-memory.dmp
          Filesize

          216KB

          Download
        • memory/4856-141-0x0000000000000000-mapping.dmp
          Download
        • memory/4856-142-0x0000000000400000-0x0000000000438000-memory.dmp
          Filesize

          224KB

          Download
        • memory/4856-143-0x0000000000400000-0x0000000000438000-memory.dmp
          Filesize

          224KB

          Download
        • memory/4856-144-0x0000000000400000-0x0000000000438000-memory.dmp
          Filesize

          224KB

          Download
        • memory/4856-145-0x0000000000400000-0x0000000000438000-memory.dmp
          Filesize

          224KB

          Download
        • memory/4856-146-0x0000000000400000-0x0000000000438000-memory.dmp
          Filesize

          224KB

          Download
        • memory/4920-140-0x0000000000000000-mapping.dmp
          Download