Analysis Overview
SHA256: 078e034c9471d383cda140f060f9ff26960d0674cfc9d0c05d0c704dbe5cf9ab
Threat Level: Known bad
The file 95C729597254D7D13131A1D787EE8672.exe was found to be: Known bad.
Malicious Activity Summary
Oski
Oski family
Downloads MZ/PE file
Deletes itself
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-03 17:36
Signatures
Oski family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-03 17:36
Reported
2023-11-03 17:38
Platform
win7-20231020-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Oski
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2632 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2632 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2632 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2632 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2540 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2540 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2540 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2540 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe
"C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 2632 & erase C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe & RD /S /Q C:\\ProgramData\\754425714824321\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 2632
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 9enternecera.ru.com | udp |
| IN | 103.83.194.50:80 | 9enternecera.ru.com | tcp |
Files
\ProgramData\sqlite3.dll
| Hash | Value |
| --- | --- |
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
\ProgramData\nss3.dll
| Hash | Value |
| --- | --- |
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
\ProgramData\mozglue.dll
| Hash | Value |
| --- | --- |
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-03 17:36
Reported
2023-11-03 17:38
Platform
win10v2004-20231023-en
Max time kernel
77s
Max time network
132s
Command Line
Signatures
Oski
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4196 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4196 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4196 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2748 wrote to memory of 4516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2748 wrote to memory of 4516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2748 wrote to memory of 4516 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe
"C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 4196 & erase C:\Users\Admin\AppData\Local\Temp\95C729597254D7D13131A1D787EE8672.exe & RD /S /Q C:\\ProgramData\\062198496607747\\* & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 4196
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9enternecera.ru.com | udp |
| IN | 103.83.194.50:80 | 9enternecera.ru.com | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.194.83.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 254.109.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\sqlite3.dll
| Hash | Value |
| --- | --- |
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
C:\ProgramData\nss3.dll
| Hash | Value |
| --- | --- |
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| Hash | Value |
| --- | --- |
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |