Malware Analysis Report

2024-09-22 21:52

Sample ID 240203-erpthsggg6
Target 8b5c6a2b226e7c6ba532e8448d6bfc82
SHA256 2a71fdd923c2c1cf13ffee31c74aed4a464ff0c97cf9a6c42a788d4fdcec3efd
Tags
oski infostealer spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

2a71fdd923c2c1cf13ffee31c74aed4a464ff0c97cf9a6c42a788d4fdcec3efd

Threat Level: Known bad

The file 8b5c6a2b226e7c6ba532e8448d6bfc82 was found to be: Known bad.

Malicious Activity Summary

oski infostealer spyware stealer

Oski

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies registry class

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-03 04:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-03 04:10

Reported

2024-02-03 04:13

Platform

win7-20231215-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8b5c6a2b226e7c6ba532e8448d6bfc82.xll

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8b5c6a2b226e7c6ba532e8448d6bfc82.xll

Network

N/A

Files

memory/2140-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2140-1-0x000000007277D000-0x0000000072788000-memory.dmp

\Users\Admin\AppData\Local\Temp\8b5c6a2b226e7c6ba532e8448d6bfc82.xll

MD5 5bddb3a265af75c2a80ef72ba365b4d8
SHA1 ed6ac0b0688e5879cf039da3daa5453bdc7db70d
SHA256 38318c1081acb1ca2b79b828b9e7c415b168b506c6595a10ac46a15611916bd7
SHA512 07eb35d3a1fefc16af5ed3e67f12dd94910abad2e1f5e63f95372f79555fb0977760a3a79c2756b98e01459c08ce0da10df5489f85c8d386c71f72f0d2cef9fd

memory/2140-3-0x000000007277D000-0x0000000072788000-memory.dmp

memory/2140-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2140-5-0x000000007277D000-0x0000000072788000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-03 04:10

Reported

2024-02-03 04:13

Platform

win10v2004-20231215-en

Max time kernel

101s

Max time network

133s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8b5c6a2b226e7c6ba532e8448d6bfc82.xll"

Signatures

Oski

infostealer oski

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\service.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4244 set thread context of 4424 N/A C:\Users\Admin\AppData\Roaming\service.exe C:\Users\Admin\AppData\Roaming\service.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\service.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 4244 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Users\Admin\AppData\Roaming\service.exe
PID 4236 wrote to memory of 4244 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Users\Admin\AppData\Roaming\service.exe
PID 4236 wrote to memory of 4244 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Users\Admin\AppData\Roaming\service.exe
PID 4244 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Roaming\service.exe C:\Users\Admin\AppData\Roaming\service.exe
PID 4244 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Roaming\service.exe C:\Users\Admin\AppData\Roaming\service.exe
PID 4244 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Roaming\service.exe C:\Users\Admin\AppData\Roaming\service.exe
PID 4244 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Roaming\service.exe C:\Users\Admin\AppData\Roaming\service.exe
PID 4244 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Roaming\service.exe C:\Users\Admin\AppData\Roaming\service.exe
PID 4244 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Roaming\service.exe C:\Users\Admin\AppData\Roaming\service.exe
PID 4244 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Roaming\service.exe C:\Users\Admin\AppData\Roaming\service.exe
PID 4244 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Roaming\service.exe C:\Users\Admin\AppData\Roaming\service.exe
PID 4244 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Roaming\service.exe C:\Users\Admin\AppData\Roaming\service.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\8b5c6a2b226e7c6ba532e8448d6bfc82.xll"

C:\Users\Admin\AppData\Roaming\service.exe

"C:\Users\Admin\AppData\Roaming\service.exe"

C:\Users\Admin\AppData\Roaming\service.exe

"C:\Users\Admin\AppData\Roaming\service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 4424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1296

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | irkark.xyz | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/4236-0-0x00007FFEE8F10000-0x00007FFEE8F20000-memory.dmp

memory/4236-1-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-6-0x00007FFEE8F10000-0x00007FFEE8F20000-memory.dmp

memory/4236-5-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-7-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-9-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-8-0x00007FFEE8F10000-0x00007FFEE8F20000-memory.dmp

memory/4236-10-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-12-0x00007FFEE65B0000-0x00007FFEE65C0000-memory.dmp

memory/4236-13-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-14-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-16-0x00007FFEE65B0000-0x00007FFEE65C0000-memory.dmp

memory/4236-15-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-11-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-4-0x00007FFEE8F10000-0x00007FFEE8F20000-memory.dmp

memory/4236-3-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-2-0x00007FFEE8F10000-0x00007FFEE8F20000-memory.dmp

memory/4236-19-0x000001890E230000-0x000001890E3B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8b5c6a2b226e7c6ba532e8448d6bfc82.xll

MD5 345b8d7aa36df23d6c4dfe9d5370094a
SHA1 062fb3a7d39b075aa0c5a8cc6030b66abf1482d8
SHA256 22e5a766719465fbd40fc4f93f5d0e56a8d398977ab4b194d25f3b0f7adf2ee6
SHA512 4e6ff30f380a7b7769aa6de7a275bcc2d56002b8b229178f60604bcf9f1897e6e1679d159cb32ef58a37e03f7d8335d45a2a156654cd4f07e0d3eb56f5f325d6

C:\Users\Admin\AppData\Local\Temp\8b5c6a2b226e7c6ba532e8448d6bfc82.xll

MD5 172f0c0ec30e78bdbf1d4dc91aa3ebb3
SHA1 b2c3a4e8c15105eb8bfe7872db07866a1207b5e4
SHA256 c4a6e41d81f4e49533b28abcc7e167468a5c232fc1d88de4418e3a5a165d086c
SHA512 a2eb29fe3580d7fd275a509c6926ca0ba4f1c1b504362f6d777635aca539e705319dbcba016daf2dd162b006835b9a2fae52bfed4657e15c5c55ec238e39d1b4

memory/4236-22-0x000001890E590000-0x000001890E5AC000-memory.dmp

memory/4236-23-0x000001890E6B0000-0x000001890E6EC000-memory.dmp

memory/4236-24-0x00007FFF00B90000-0x00007FFF01651000-memory.dmp

memory/4236-26-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4236-27-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4236-29-0x0000018928F40000-0x0000018929048000-memory.dmp

memory/4236-28-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4236-30-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4236-25-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4236-31-0x000001890E6F0000-0x000001890E700000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sample.xlsx

MD5 36cadc2fa9f7938f74061fda9b126a9f
SHA1 5252934ac46fb3bc8fdb361880ade043070501bd
SHA256 afc8ea53b3eeb62a44ce6d2b4593931d009ec00769410e76478cc88eab59d1f4
SHA512 b7668575cea53280a3d553b18e1ac7670eeafab9f2d48db5d86496722e2b1d5d48a3ac3b1e56a8d7198abd771f2d95fef4449792c214dffc2097e62273e7db1f

C:\Users\Admin\AppData\Roaming\service.exe

MD5 e10c90d48b3d65b000327e40c3dfe163
SHA1 d787616a818cf49ff4afbe316bac8df1cab54c63
SHA256 9f2adb431adc11dfa304e65a7cdb6a036a635137fa253db862811f48599c7569
SHA512 bd2a4d597815ba1ec18b94b24473cf9d157632f68e5129d6ff7bf1a2980fdf33d36b2fc6ec1cc63b162b31344670c88fa6225e62374771155673fda385665886

C:\Users\Admin\AppData\Roaming\service.exe

MD5 ed0e37844462bf5276fce30896c37b5a
SHA1 29c6a8f08a5ab5abbcc5f69fe69a02dbcc8bf38c
SHA256 3d844adb11b19c5d7324f0f50f1d8c06adbec9bd34d7bcc886dcdeb288bfe051
SHA512 bb536c8e800bd6815d492f852a21b6b555111180c0936f805dd3193df88246f867e5f9e040a8bff0284ec18638edf34efb6a485a7efe48dc3274dc23d20da188

C:\Users\Admin\AppData\Roaming\service.exe

MD5 39677c1fe5c7db242e8012361dbc443e
SHA1 b94af77671343fa08e8c624713e830ed9d4e597f
SHA256 1561b667cb948226e5c2606dd0990d6fb64c8247cfe39012e4e6907db9ff870e
SHA512 472a70c30556a0338aab7e5dd86ffe0d5cb5ae35af11fc50cbbb383fc215acde6b332981bd3085def9204f5d56279bcaeec27c330f9a838c671b1f3c05aeee0e

memory/4244-72-0x0000000074C70000-0x0000000075420000-memory.dmp

memory/4244-71-0x0000000000500000-0x0000000000604000-memory.dmp

memory/4244-73-0x0000000005500000-0x0000000005AA4000-memory.dmp

memory/4244-75-0x0000000004FF0000-0x000000000508C000-memory.dmp

memory/4244-74-0x0000000004F50000-0x0000000004FE2000-memory.dmp

memory/4244-76-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

memory/4244-77-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

memory/4244-78-0x0000000006A80000-0x0000000006A9A000-memory.dmp

memory/4236-84-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-85-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-86-0x00007FFF00B90000-0x00007FFF01651000-memory.dmp

memory/4236-91-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4236-90-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4236-89-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4236-88-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4236-87-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4236-92-0x0000018927E50000-0x0000018927E60000-memory.dmp

memory/4244-93-0x0000000074C70000-0x0000000075420000-memory.dmp

memory/4244-94-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

memory/4244-95-0x0000000006D30000-0x0000000006DD2000-memory.dmp

memory/4244-96-0x00000000093B0000-0x00000000093E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\service.exe

MD5 1f3f0df96f20b886328d79074944067d
SHA1 93658ff5de14681b09439fe94e272f4f329e3a8a
SHA256 51855bf07f8dbe24ca6f11c6dc9bd4e8c27bed93159f96afdb448cce7bf7d515
SHA512 61ebb3d18e21702bad5ece5701e019322ac4a44b5c1b5be4ca54fb9d7f89a4b2c9541fe7fa49fbb0f61d74751eeaca15302190233dc8d1e5ed50c958789d1b0b

memory/4424-100-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4424-103-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4244-104-0x0000000074C70000-0x0000000075420000-memory.dmp

memory/4424-106-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4424-105-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4424-109-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4236-123-0x00007FFEE8F10000-0x00007FFEE8F20000-memory.dmp

memory/4236-124-0x00007FFEE8F10000-0x00007FFEE8F20000-memory.dmp

memory/4236-125-0x00007FFEE8F10000-0x00007FFEE8F20000-memory.dmp

memory/4236-126-0x00007FFEE8F10000-0x00007FFEE8F20000-memory.dmp

memory/4236-127-0x00007FFF28E90000-0x00007FFF29085000-memory.dmp

memory/4236-128-0x00007FFF00B90000-0x00007FFF01651000-memory.dmp