Analysis

  • max time kernel
    91s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2022 20:32

General

  • Target

    Purchase Order.pdf.exe

  • Size

    273KB

  • MD5

    f90a77f7962de4074d4dc02d82b765be

  • SHA1

    e8a9ec0c4032818fa92cd148a770fa6192535ce5

  • SHA256

    b0f6371db252edc20aeaee0ed2ff64c2514515d7d0f823d508b756269ccabfbd

  • SHA512

    a36a482019f06813e5642c33db15fd6f0ef9954c5c97e427a442cffd38b8ead68931314c677940ca78232c2d2710c95413ccb2b41f234d120ffdbcad162182f9

  • SSDEEP

    6144:MVP0JqJ1peuOkG6Msr49xOfyGU3LLEE/X9jdR+j1sfw6kVtgfnZ:e0JqJeKDMs4T3kMXjg1sjYgfnZ

Malware Config

Extracted

Family

oski

C2

� &C

virzx.xyz

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
        3⤵
          PID:404
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1932
            4⤵
            • Program crash
            PID:3148
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 404 -ip 404
      1⤵
        PID:2664

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Collection

      Data from Local System

      1
      T1005

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/404-139-0x0000000000000000-mapping.dmp
      • memory/404-140-0x0000000000400000-0x0000000000438000-memory.dmp
        Filesize

        224KB

      • memory/404-141-0x0000000000400000-0x0000000000438000-memory.dmp
        Filesize

        224KB

      • memory/404-142-0x0000000000400000-0x0000000000438000-memory.dmp
        Filesize

        224KB

      • memory/404-144-0x0000000000400000-0x0000000000438000-memory.dmp
        Filesize

        224KB

      • memory/404-145-0x0000000000400000-0x0000000000438000-memory.dmp
        Filesize

        224KB

      • memory/1588-135-0x0000000000000000-mapping.dmp
      • memory/1588-136-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/1588-138-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

      • memory/1588-143-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB