Overview

overview

10

Static

static

18e2b4fb63...85.exe

windows7-x64

10

18e2b4fb63...85.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2022 10:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe

  • Size

    308KB

  • MD5

    be5881faee054826d32c90d47fed53ce

  • SHA1

    25c63bcb8353bd35a4fd28826a5dd959d73379b6

  • SHA256

    18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485

  • SHA512

    b7d15268a15eec00b1069c391d18406de850334e13653ecd87eb936001d1c02aa10e9f597bd181408f1f232ca212354b01defa5496ce9bfd89a8c9b0c3d881ce

  • SSDEEP

    6144:Bu8bleVTTURmXOu5OX/oX0e2AmSTCIr53qnsAvtgcmXDqWiQJ:M8STTUR6OuCgX0UmS9i16J

Score
10/10
oskiinfostealerspywarestealer

Malware Config

Extracted

Family

oski

C2

collegesboard.org

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe
    "C:\Users\Admin\AppData\Local\Temp\18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\Hrwfvhc.exe
      "C:\Users\Admin\AppData\Local\Temp\Hrwfvhc.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
    • C:\Users\Admin\AppData\Local\Temp\Czkorfvflbb.exe
      "C:\Users\Admin\AppData\Local\Temp\Czkorfvflbb.exe"
      2⤵
      • Executes dropped EXE
      PID:4476
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1388
        3⤵
        • Program crash
        PID:5104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4476 -ip 4476
    1⤵
      PID:4544

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Czkorfvflbb.exe
      Filesize

      200KB

      MD5

      07ac7806a3f2bc0fc993d736ecb3572b

      SHA1

      49b54d7ece61cf9198dfc306a641f0d002b56acb

      SHA256

      165a20cece5bd869502d23ed2c9fdf5cb2e83451cca502b110f61371da70134d

      SHA512

      0bb78905d87356841e97e68be1d7c731f5cc4d15fa162017f9c520fceca327c589f8f31b9002c4869179af8626a03e89ef9b667a1a6d5e8f42eef2db98e1e123

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Czkorfvflbb.exe
      Filesize

      200KB

      MD5

      07ac7806a3f2bc0fc993d736ecb3572b

      SHA1

      49b54d7ece61cf9198dfc306a641f0d002b56acb

      SHA256

      165a20cece5bd869502d23ed2c9fdf5cb2e83451cca502b110f61371da70134d

      SHA512

      0bb78905d87356841e97e68be1d7c731f5cc4d15fa162017f9c520fceca327c589f8f31b9002c4869179af8626a03e89ef9b667a1a6d5e8f42eef2db98e1e123

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Hrwfvhc.exe
      Filesize

      1.4MB

      MD5

      a73d5a695cac720fdd6b1679c013efed

      SHA1

      9f9d210afc38d3d4967edf194811109393b4b3fe

      SHA256

      b8696cb287e5b8ca935cd69e266b17feae0f2b0f265608bedf9cdacfd025f7bf

      SHA512

      767ab55f6a21d9eb24f0708dae635cea85df511edbb530e9657155f7ec4791889879596622e5f1842665d4bf25f9d2a6f1090918fba16f29137acf41e93059bc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Hrwfvhc.exe
      Filesize

      1.4MB

      MD5

      a73d5a695cac720fdd6b1679c013efed

      SHA1

      9f9d210afc38d3d4967edf194811109393b4b3fe

      SHA256

      b8696cb287e5b8ca935cd69e266b17feae0f2b0f265608bedf9cdacfd025f7bf

      SHA512

      767ab55f6a21d9eb24f0708dae635cea85df511edbb530e9657155f7ec4791889879596622e5f1842665d4bf25f9d2a6f1090918fba16f29137acf41e93059bc

      Download Submit
    • memory/3044-132-0x0000000000A50000-0x0000000000AA4000-memory.dmp
      Filesize

      336KB

      Download
    • memory/3044-133-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3044-140-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4476-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4796-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4796-141-0x0000000000970000-0x0000000000ADA000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/4796-142-0x0000000005B90000-0x0000000006134000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4796-143-0x00000000054A0000-0x0000000005532000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4796-144-0x0000000005480000-0x000000000548A000-memory.dmp
      Filesize

      40KB

      Download