Analysis
-
max time kernel
106s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
24-01-2023 11:41
Behavioral task
behavioral1
Sample
c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe
Resource
win10v2004-20221111-en
General
-
Target
c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe
-
Size
200KB
-
MD5
32796b5ab01af3bb6585ac7c2f31402f
-
SHA1
c7456b083fcac2b5995c3a1621c2a508d55154bf
-
SHA256
c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274
-
SHA512
03c2b772084d73bd5532eac1232e18d5b12c4474872d0283a7413ff64f6401b830d91755f050411951efcd3e59520a8b9955d454ea8d3791df535342863b0d6e
-
SSDEEP
3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIf1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNO1Ljo3c
Malware Config
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe -
Loads dropped DLL 3 IoCs
Processes:
c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exepid process 4596 c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe 4596 c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe 4596 c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 1 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 3656 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskkill.exedescription pid process Token: SeDebugPrivilege 3656 taskkill.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.execmd.exedescription pid process target process PID 4596 wrote to memory of 216 4596 c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe cmd.exe PID 4596 wrote to memory of 216 4596 c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe cmd.exe PID 4596 wrote to memory of 216 4596 c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe cmd.exe PID 216 wrote to memory of 3656 216 cmd.exe taskkill.exe PID 216 wrote to memory of 3656 216 cmd.exe taskkill.exe PID 216 wrote to memory of 3656 216 cmd.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe"C:\Users\Admin\AppData\Local\Temp\c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782b4749fc3a74cd68274.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /pid 4596 & erase C:\Users\Admin\AppData\Local\Temp\c86f5effa03017eb59c8b9d6f25359c8a97b36b4d0f782 & RD /S /Q C:\\ProgramData\\562136025822800\\* & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /pid 45963⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\nss3.dllFilesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\ProgramData\sqlite3.dllFilesize
630KB
MD5e477a96c8f2b18d6b5c27bde49c990bf
SHA1e980c9bf41330d1e5bd04556db4646a0210f7409
SHA25616574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c
-
memory/216-135-0x0000000000000000-mapping.dmp
-
memory/3656-136-0x0000000000000000-mapping.dmp