Overview

overview

10

Static

static

7

90cfb42d84...e2.exe

windows7-x64

10

90cfb42d84...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-04-2023 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe

  • Size

    432KB

  • MD5

    566e00ed92162e1941567623e9938067

  • SHA1

    3e285319ece4b35b877dd60a920d8970d87ed3fd

  • SHA256

    90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2

  • SHA512

    7d96e0aea8302506713613ed68a55cea2ec0f1e4cd64ba6ff424bd772c621a6ad9136da2ec9c1f80b41c4267f7bd2ace82923f2ae2221010568f1e5de63fceaa

  • SSDEEP

    6144:K2nLfyfKQu8zZ0zQ7Cn7ggrw5vK/cKomvWzMlTRay9VAHPpczK3qKTmZrqBMdGGF:K2nLYpzZUMKNHompdBwcKJurqBpJXAAu

Score
10/10
oskievasioninfostealerspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

oski

C2

Fragly.top

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe
    "C:\Users\Admin\AppData\Local\Temp\90cfb42d8415b2804d7335d4e9ddda33264906b0169dd121ccc80bd50643d0e2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Users\Admin\AppData\Roaming\winrar-x64.exe.exe
      C:\Users\Admin\AppData\Roaming\winrar-x64.exe.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1608
    • C:\Users\Admin\AppData\Roaming\os.exe
      C:\Users\Admin\AppData\Roaming\os.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:412
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1340
        3⤵
        • Program crash
        PID:2628
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 412 -ip 412
    1⤵
      PID:3188

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    2
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\os.exe
      Filesize

      4.3MB

      MD5

      b12b4cb2ca643b0b00ce042da30ea040

      SHA1

      68fa56f7a4f250e8cf140aeb9639141874e5203a

      SHA256

      8455d1d048cc087c33fc366aed0cd25d385ef33e5f5833c199ed9f390eb9238d

      SHA512

      efa44431a80c5a70c52a9b659a1f752a80f4ed71d93ea9a7a89e9b0cd7976f1fa7fa7bd71704901d60e885be6a6087af42eef49ff1b7a515a204de7d6951727a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\os.exe
      Filesize

      4.3MB

      MD5

      b12b4cb2ca643b0b00ce042da30ea040

      SHA1

      68fa56f7a4f250e8cf140aeb9639141874e5203a

      SHA256

      8455d1d048cc087c33fc366aed0cd25d385ef33e5f5833c199ed9f390eb9238d

      SHA512

      efa44431a80c5a70c52a9b659a1f752a80f4ed71d93ea9a7a89e9b0cd7976f1fa7fa7bd71704901d60e885be6a6087af42eef49ff1b7a515a204de7d6951727a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\winrar-x64.exe.exe
      Filesize

      3.1MB

      MD5

      61c12d7edaa1c467c8b2bdc028936da3

      SHA1

      8c12f3f143d71e9c07abdf54429992f059ae0bb0

      SHA256

      851e6ca4857a54b6481668d84438ef4209ebfad89b930b4e30898180728f5f57

      SHA512

      f3117767a2ae1aec191c07e9d3ded0b28aeebc44b0f31d34eb7d1dbe175e9492cc3354b9f87a8419348cc589b7983ae425d574bddf19e0ca0b78487d9891393a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\winrar-x64.exe.exe
      Filesize

      3.1MB

      MD5

      61c12d7edaa1c467c8b2bdc028936da3

      SHA1

      8c12f3f143d71e9c07abdf54429992f059ae0bb0

      SHA256

      851e6ca4857a54b6481668d84438ef4209ebfad89b930b4e30898180728f5f57

      SHA512

      f3117767a2ae1aec191c07e9d3ded0b28aeebc44b0f31d34eb7d1dbe175e9492cc3354b9f87a8419348cc589b7983ae425d574bddf19e0ca0b78487d9891393a

      Download Submit
    • memory/412-169-0x0000000000B90000-0x0000000001023000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/412-172-0x0000000000B90000-0x0000000001023000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/412-180-0x0000000000B90000-0x0000000001023000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/412-167-0x0000000000B90000-0x0000000001023000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/412-168-0x0000000000B90000-0x0000000001023000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/412-177-0x0000000000B90000-0x0000000001023000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/412-176-0x0000000000B90000-0x0000000001023000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/412-175-0x0000000000B90000-0x0000000001023000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/412-173-0x0000000000B90000-0x0000000001023000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/412-174-0x0000000000B90000-0x0000000001023000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/772-138-0x0000000000400000-0x00000000004FF000-memory.dmp
      Filesize

      1020KB

      Download
    • memory/772-133-0x0000000000400000-0x00000000004FF000-memory.dmp
      Filesize

      1020KB

      Download
    • memory/772-170-0x0000000000400000-0x00000000004FF000-memory.dmp
      Filesize

      1020KB

      Download
    • memory/772-166-0x0000000000400000-0x00000000004FF000-memory.dmp
      Filesize

      1020KB

      Download
    • memory/1608-181-0x0000022429B50000-0x000002242B1C7000-memory.dmp
      Filesize

      22.5MB

      Download
    • memory/1608-183-0x0000022429B50000-0x000002242B1C7000-memory.dmp
      Filesize

      22.5MB

      Download