oski | 90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2

Analysis

max time kernel
227s
max time network
278s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-04-2023 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
Size

432KB
MD5

566e00ed92162e1941567623e9938067
SHA1

3e285319ece4b35b877dd60a920d8970d87ed3fd
SHA256

90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2
SHA512

7d96e0aea8302506713613ed68a55cea2ec0f1e4cd64ba6ff424bd772c621a6ad9136da2ec9c1f80b41c4267f7bd2ace82923f2ae2221010568f1e5de63fceaa
SSDEEP

6144:K2nLfyfKQu8zZ0zQ7Cn7ggrw5vK/cKomvWzMlTRay9VAHPpczK3qKTmZrqBMdGGF:K2nLYpzZUMKNHompdBwcKJurqBpJXAAu

Score

10^/10

oski evasion infostealer spyware stealer themida trojan upx

Malware Config

Extracted

Family

oski

Fragly.top

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

os.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ os.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	os.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

os.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	os.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	os.exe

Executes dropped EXE 3 IoCs

Processes:

winrar-x64.exe.exeos.exe

pid process

776 winrar-x64.exe.exe
1264
2016 os.exe

pid	process
776	winrar-x64.exe.exe
1264
2016	os.exe

Loads dropped DLL 7 IoCs

Processes:

90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exeWerFault.exe

pid	process
1968	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
1968	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe
940	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\os.exe	themida
\Users\Admin\AppData\Roaming\os.exe	themida
behavioral1/memory/2016-223-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-225-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-226-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-227-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-228-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-229-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-231-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-230-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-232-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-233-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-235-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
behavioral1/memory/2016-245-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida
\Users\Admin\AppData\Roaming\os.exe	themida
\Users\Admin\AppData\Roaming\os.exe	themida
\Users\Admin\AppData\Roaming\os.exe	themida
\Users\Admin\AppData\Roaming\os.exe	themida
\Users\Admin\AppData\Roaming\os.exe	themida
behavioral1/memory/2016-252-0x0000000000AD0000-0x0000000000F63000-memory.dmp	themida

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1968-54-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/1968-202-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/1968-206-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/1968-208-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/1968-211-0x0000000000400000-0x00000000004FF000-memory.dmp	upx
behavioral1/memory/1968-222-0x0000000006D40000-0x00000000071D3000-memory.dmp	upx
behavioral1/memory/1968-224-0x0000000000400000-0x00000000004FF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

os.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA os.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

os.exe

pid process

2016 os.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

940 2016 WerFault.exe os.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	os.exe

pid	process
2016	os.exe

pid	pid_target	process	target process
940	2016	WerFault.exe	os.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

winrar-x64.exe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64.exe.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

winrar-x64.exe.exe

pid process

776 winrar-x64.exe.exe
776 winrar-x64.exe.exe

pid	process
776	winrar-x64.exe.exe
776	winrar-x64.exe.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exeos.exe

description	pid	process	target process
PID 1968 wrote to memory of 776	1968	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe	winrar-x64.exe.exe
PID 1968 wrote to memory of 776	1968	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe	winrar-x64.exe.exe
PID 1968 wrote to memory of 776	1968	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe	winrar-x64.exe.exe
PID 1968 wrote to memory of 776	1968	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe	winrar-x64.exe.exe
PID 1968 wrote to memory of 2016	1968	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe	os.exe
PID 1968 wrote to memory of 2016	1968	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe	os.exe
PID 1968 wrote to memory of 2016	1968	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe	os.exe
PID 1968 wrote to memory of 2016	1968	90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe	os.exe
PID 2016 wrote to memory of 940	2016	os.exe	WerFault.exe
PID 2016 wrote to memory of 940	2016	os.exe	WerFault.exe
PID 2016 wrote to memory of 940	2016	os.exe	WerFault.exe
PID 2016 wrote to memory of 940	2016	os.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
"C:\Users\Admin\AppData\Local\Temp\90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Roaming\winrar-x64.exe.exe
C:\Users\Admin\AppData\Roaming\winrar-x64.exe.exe
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:776

C:\Users\Admin\AppData\Roaming\os.exe
C:\Users\Admin\AppData\Roaming\os.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 780
3⤵
- Loads dropped DLL
- Program crash
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
beeeb85acc0cf296755e278c4277f4ef

SHA1
20a5657fe2798e964aba00da07a82ae99aa5c0c4

SHA256
a78f65ef609526312981f2faf1fe336953cbd4dc2668bb2b2959ec1c9fdf01be

SHA512
5193900eaba0b55858b4e70b1ecf93268acf735e7fd5cd50cc4c02c4c73b967a2ac6abdd41fa60ea17c9e1db08f735e4c36bc185a495152b4c917cbe3143399f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab822E.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar83E9.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\os.exe
Filesize
4.3MB

MD5
b12b4cb2ca643b0b00ce042da30ea040

SHA1
68fa56f7a4f250e8cf140aeb9639141874e5203a

SHA256
8455d1d048cc087c33fc366aed0cd25d385ef33e5f5833c199ed9f390eb9238d

SHA512
efa44431a80c5a70c52a9b659a1f752a80f4ed71d93ea9a7a89e9b0cd7976f1fa7fa7bd71704901d60e885be6a6087af42eef49ff1b7a515a204de7d6951727a

Download Submit
C:\Users\Admin\AppData\Roaming\winrar-x64.exe.exe
Filesize
3.1MB

MD5
61c12d7edaa1c467c8b2bdc028936da3

SHA1
8c12f3f143d71e9c07abdf54429992f059ae0bb0

SHA256
851e6ca4857a54b6481668d84438ef4209ebfad89b930b4e30898180728f5f57

SHA512
f3117767a2ae1aec191c07e9d3ded0b28aeebc44b0f31d34eb7d1dbe175e9492cc3354b9f87a8419348cc589b7983ae425d574bddf19e0ca0b78487d9891393a

Download Submit
C:\Users\Admin\AppData\Roaming\winrar-x64.exe.exe
Filesize
3.1MB

MD5
61c12d7edaa1c467c8b2bdc028936da3

SHA1
8c12f3f143d71e9c07abdf54429992f059ae0bb0

SHA256
851e6ca4857a54b6481668d84438ef4209ebfad89b930b4e30898180728f5f57

SHA512
f3117767a2ae1aec191c07e9d3ded0b28aeebc44b0f31d34eb7d1dbe175e9492cc3354b9f87a8419348cc589b7983ae425d574bddf19e0ca0b78487d9891393a

Download Submit
\Users\Admin\AppData\Roaming\os.exe
Filesize
4.3MB

MD5
b12b4cb2ca643b0b00ce042da30ea040

SHA1
68fa56f7a4f250e8cf140aeb9639141874e5203a

SHA256
8455d1d048cc087c33fc366aed0cd25d385ef33e5f5833c199ed9f390eb9238d

SHA512
efa44431a80c5a70c52a9b659a1f752a80f4ed71d93ea9a7a89e9b0cd7976f1fa7fa7bd71704901d60e885be6a6087af42eef49ff1b7a515a204de7d6951727a

Download Submit
\Users\Admin\AppData\Roaming\os.exe
Filesize
4.3MB

MD5
b12b4cb2ca643b0b00ce042da30ea040

SHA1
68fa56f7a4f250e8cf140aeb9639141874e5203a

SHA256
8455d1d048cc087c33fc366aed0cd25d385ef33e5f5833c199ed9f390eb9238d

SHA512
efa44431a80c5a70c52a9b659a1f752a80f4ed71d93ea9a7a89e9b0cd7976f1fa7fa7bd71704901d60e885be6a6087af42eef49ff1b7a515a204de7d6951727a

Download Submit
\Users\Admin\AppData\Roaming\os.exe
Filesize
4.3MB

MD5
b12b4cb2ca643b0b00ce042da30ea040

SHA1
68fa56f7a4f250e8cf140aeb9639141874e5203a

SHA256
8455d1d048cc087c33fc366aed0cd25d385ef33e5f5833c199ed9f390eb9238d

SHA512
efa44431a80c5a70c52a9b659a1f752a80f4ed71d93ea9a7a89e9b0cd7976f1fa7fa7bd71704901d60e885be6a6087af42eef49ff1b7a515a204de7d6951727a

Download Submit
\Users\Admin\AppData\Roaming\os.exe
Filesize
4.3MB

MD5
b12b4cb2ca643b0b00ce042da30ea040

SHA1
68fa56f7a4f250e8cf140aeb9639141874e5203a

SHA256
8455d1d048cc087c33fc366aed0cd25d385ef33e5f5833c199ed9f390eb9238d

SHA512
efa44431a80c5a70c52a9b659a1f752a80f4ed71d93ea9a7a89e9b0cd7976f1fa7fa7bd71704901d60e885be6a6087af42eef49ff1b7a515a204de7d6951727a

Download Submit
\Users\Admin\AppData\Roaming\os.exe
Filesize
4.3MB

MD5
b12b4cb2ca643b0b00ce042da30ea040

SHA1
68fa56f7a4f250e8cf140aeb9639141874e5203a

SHA256
8455d1d048cc087c33fc366aed0cd25d385ef33e5f5833c199ed9f390eb9238d

SHA512
efa44431a80c5a70c52a9b659a1f752a80f4ed71d93ea9a7a89e9b0cd7976f1fa7fa7bd71704901d60e885be6a6087af42eef49ff1b7a515a204de7d6951727a

Download Submit
\Users\Admin\AppData\Roaming\os.exe
Filesize
4.3MB

MD5
b12b4cb2ca643b0b00ce042da30ea040

SHA1
68fa56f7a4f250e8cf140aeb9639141874e5203a

SHA256
8455d1d048cc087c33fc366aed0cd25d385ef33e5f5833c199ed9f390eb9238d

SHA512
efa44431a80c5a70c52a9b659a1f752a80f4ed71d93ea9a7a89e9b0cd7976f1fa7fa7bd71704901d60e885be6a6087af42eef49ff1b7a515a204de7d6951727a

Download Submit
\Users\Admin\AppData\Roaming\winrar-x64.exe.exe
Filesize
3.1MB

MD5
61c12d7edaa1c467c8b2bdc028936da3

SHA1
8c12f3f143d71e9c07abdf54429992f059ae0bb0

SHA256
851e6ca4857a54b6481668d84438ef4209ebfad89b930b4e30898180728f5f57

SHA512
f3117767a2ae1aec191c07e9d3ded0b28aeebc44b0f31d34eb7d1dbe175e9492cc3354b9f87a8419348cc589b7983ae425d574bddf19e0ca0b78487d9891393a

Download Submit
\Users\Admin\AppData\Roaming\winrar-x64.exe.exe
Filesize
3.1MB

MD5
61c12d7edaa1c467c8b2bdc028936da3

SHA1
8c12f3f143d71e9c07abdf54429992f059ae0bb0

SHA256
851e6ca4857a54b6481668d84438ef4209ebfad89b930b4e30898180728f5f57

SHA512
f3117767a2ae1aec191c07e9d3ded0b28aeebc44b0f31d34eb7d1dbe175e9492cc3354b9f87a8419348cc589b7983ae425d574bddf19e0ca0b78487d9891393a

Download Submit
memory/1968-202-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1968-54-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1968-224-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1968-222-0x0000000006D40000-0x00000000071D3000-memory.dmp

Filesize
4.6MB

Download
memory/1968-211-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1968-208-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/1968-206-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2016-223-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-231-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-230-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-232-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-233-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-235-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-245-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-229-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-228-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-227-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-226-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-225-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download
memory/2016-252-0x0000000000AD0000-0x0000000000F63000-memory.dmp

Filesize
4.6MB

Download