Analysis
max time kernel: 149s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-09-2022 10:31
Static task: static1
Behavioral task: behavioral1
  Sample: 4ac1f3c7d6751d5f161f82483bbcf27b795d3b205391acbde576094da81badfc.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 4ac1f3c7d6751d5f161f82483bbcf27b795d3b205391acbde576094da81badfc.exe
  Resource: win10v2004-20220901-en
General
Target: 4ac1f3c7d6751d5f161f82483bbcf27b795d3b205391acbde576094da81badfc.exe
Size: 4.8MB
MD5: e20c33f2403cd0bc0b8cf425586ef01c
SHA1: 0d55b0167cffeaaea07493b5ff3b0ca3e54d67c5
SHA256: 4ac1f3c7d6751d5f161f82483bbcf27b795d3b205391acbde576094da81badfc
SHA512: 2308573c4b9277dbcf7cc93511ff9ecbc3340edb20c86772aa0a326e5c6621abc4b770d59e479af55f5ae0f011203b42048d43387eae500da31a85b9831cbb14
SSDEEP: 98304:83ReZRsg6m4bZTqS1CGjqc9kfqfVhJaI/M4KBMzWOBfB+sV7q3R2u5I:KUs3mir1CzCSSM4zKI7q4Z
Malware Config
Extracted
Family: oski
URL: rgjeweller.mu/oski/
Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.

Executes dropped EXE (1 IoC)
Processes:
  pid 1484  pay.exe

Loads dropped DLL (7 IoCs)
Processes:
  pid 752   4ac1f3c7d6751d5f161f82483bbcf27b795d3b205391acbde576094da81badfc.exe  (4 hits)
  pid 828   WerFault.exe  (3 hits)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  pid 828   WerFault.exe  (target pid 1484, pay.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 1320  AcroRd32.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid 1320  AcroRd32.exe  (4 hits)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 752  (4ac1f3c7d6751d5f161f82483bbcf27b795d3b205391acbde576094da81badfc.exe) wrote to memory of PID 1484 (pay.exe)      (4 hits)
  PID 752  (4ac1f3c7d6751d5f161f82483bbcf27b795d3b205391acbde576094da81badfc.exe) wrote to memory of PID 1320 (AcroRd32.exe) (4 hits)
  PID 1484 (pay.exe) wrote to memory of PID 828 (WerFault.exe)  (4 hits)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\4ac1f3c7d6751d5f161f82483bbcf27b795d3b205391acbde576094da81badfc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ac1f3c7d6751d5f161f82483bbcf27b795d3b205391acbde576094da81badfc.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\pay.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pay.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 776
      - Loads dropped DLL
      - Program crash

  Level 2: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\pay.pdf"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\pay.exe
  Filesize: 200KB
  MD5: dda0fc7975110e188a92fa9f417766f2
  SHA1: aca95b54cd6ae159224f903d1e1c2f58e2206174
  SHA256: e872b9dd00f8fd62e837cbba0a6eba7327a69866f04090c2f2402871feb8b8cc
  SHA512: aa1ddfa57d900f40fd8199d508bf7c20951ec770f69ba3e5889cf3e1a7a36c8b1289728c35bda247026cd7b81bc5c6decb929291996fe9497285948f7f650a8f

C:\Users\Admin\AppData\Local\Temp\pay.pdf
  Filesize: 6.8MB
  MD5: f6302277c21ecd0563439315f98078c8
  SHA1: 4f99219add6c11d2d6dcea76cba3e82d9b7233fe
  SHA256: ed9f9141d3590513a05fc6117ba4567259713c687e948f45352936ff310b5b51
  SHA512: 9a509f50da24e20cc24cce4e7a0386aa9104ebc0d34d2f8710722be2319dae2418411b00b9f00eb7ddefa6ea6f90533fa655c947ea331c647f443301f924312e

\Users\Admin\AppData\Local\Temp\pay.exe
  Filesize: 200KB
  MD5: dda0fc7975110e188a92fa9f417766f2
  SHA1: aca95b54cd6ae159224f903d1e1c2f58e2206174
  SHA256: e872b9dd00f8fd62e837cbba0a6eba7327a69866f04090c2f2402871feb8b8cc
  SHA512: aa1ddfa57d900f40fd8199d508bf7c20951ec770f69ba3e5889cf3e1a7a36c8b1289728c35bda247026cd7b81bc5c6decb929291996fe9497285948f7f650a8f
memory/752-54-0x0000000075241000-0x0000000075243000-memory.dmp
  Filesize: 8KB

memory/828-65-0x0000000000000000-mapping.dmp

memory/1320-61-0x0000000000000000-mapping.dmp

memory/1484-59-0x0000000000000000-mapping.dmp