Overview

overview

10

Static

static

3

807a927252...a0.exe

windows7-x64

10

807a927252...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2024 17:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    807a927252237ee6436724cbbcd05fa0.exe

  • Size

    732KB

  • MD5

    807a927252237ee6436724cbbcd05fa0

  • SHA1

    2344ad154e7d098704278cd5e28fccd29a9dec15

  • SHA256

    a03b45dabcaf812402454befd876b2eafbdf9e967f3bb01e66f33f3cabbdebd5

  • SHA512

    7f0bba03bd838900569e63bdab43e7caa3a1ab2d6744fcb9c38e7ca8914fcf31323b3db5d1ed2efdef1b5b5326f980c8712faef53ca6966c42318b20fd4bd541

  • SSDEEP

    12288:SPqqPtYaerpyXOSs1vJhzl7txF3gSEyI32u6Yaer:wMrpW6vfl7hpE7mmr

Score
10/10
oskiinfostealerspywarestealer

Malware Config

Extracted

Family

oski

C2

zau.divendesign.in

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\807a927252237ee6436724cbbcd05fa0.exe
    "C:\Users\Admin\AppData\Local\Temp\807a927252237ee6436724cbbcd05fa0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4160
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rFmqUFUNsPfqc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB6E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:456
    • C:\Users\Admin\AppData\Local\Temp\807a927252237ee6436724cbbcd05fa0.exe
      "{path}"
      2⤵
        PID:5092
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1312
          3⤵
          • Program crash
          PID:1616
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5092 -ip 5092
      1⤵
        PID:4508

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpCB6E.tmp
        Filesize

        1KB

        MD5

        fd82f54536607ad7911da8877b3748da

        SHA1

        325f1ebe80bc0cd494fef898f226e3cac5873ff0

        SHA256

        dd9eaa611535ca5fcb246dfd94214fc34c3fd13be6616ab5e44ed4762c3514c0

        SHA512

        fc6ae634c296f64505713dc7a049b0969d1205504c04dffebfe135a55d3429331e798703309a5f1a0cb5609b4cc19ce6eae575c38d7d2d89cf60bcd6f71df870

        Download Submit

      • memory/4160-8-0x0000000005C80000-0x0000000005D02000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4160-7-0x00000000052D0000-0x00000000052E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4160-4-0x0000000005450000-0x00000000054EC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4160-5-0x00000000054F0000-0x0000000005582000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4160-9-0x0000000005B40000-0x0000000005B7C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4160-6-0x0000000074BA0000-0x0000000075350000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4160-2-0x00000000052D0000-0x00000000052E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4160-0-0x00000000007D0000-0x000000000088C000-memory.dmp

        Filesize

        752KB

        Download

      • memory/4160-3-0x0000000002D80000-0x0000000002D88000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4160-1-0x0000000074BA0000-0x0000000075350000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4160-18-0x0000000074BA0000-0x0000000075350000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5092-14-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/5092-17-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/5092-16-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/5092-13-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/5092-21-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download