Analysis
max time kernel: 137s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-02-2024 05:27

Static task: static1
Behavioral task: behavioral1
  Sample: PO# HM00050746 13461-001,xls.xll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: PO# HM00050746 13461-001,xls.xll
  Resource: win10v2004-20231215-en
General
Target: PO# HM00050746 13461-001,xls.xll
Size: 1.4MB
MD5: a719b4a9d08553ff7683ddcb7003d68b
SHA1: 9039d4c0ed993549537bcf365fe35c553bd2ba50
SHA256: fd042d218a6adcb4d496f6d0e9f6fb3dfabdc24bc8bc86681480d76597ec258b
SHA512: 74d52ac5dda28962ddceacc7df9da371f56401ef82fbcbc77fc900bb4608574e308eec97b654b1bd781b2ad588ac79daf0166fb10604e0305768aa069f5043c7
SSDEEP: 24576:BzbGHAzHAjX1QcLg0jHe6GxAo594f7Byqx90KdI9K9nktTpcA+kukY:BziHICE0j+6GKoj49V989KVCiHlkY
Malware Config
Extracted
Family: oski
Domain: himarkh.xyz
Signatures

Oski
Oski is an infostealer that targets browser data and cryptocurrency wallets.

Executes dropped EXE (2 IoCs)
Processes:
  PID 3240  service.exe
  PID 4956  service.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1420  EXCEL.EXE (2 occurrences)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3240 (service.exe) set thread context of PID 4956 (procid_target 96)

Program crash (1 IoC)
Processes:
  PID 3364 (WerFault.exe), crashed process PID 4956 (procid_target 96)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  EXCEL.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  EXCEL.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  EXCEL.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  EXCEL.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  EXCEL.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  EXCEL.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  PID 1420  EXCEL.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  PID 1420  EXCEL.EXE (2 occurrences)

Suspicious use of SetWindowsHookEx (11 IoCs)
Processes:
  PID 1420  EXCEL.EXE (11 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 1420 (EXCEL.EXE) wrote to memory of PID 3240 (procid_target 88): 3 occurrences
  PID 3240 (service.exe) wrote to memory of PID 4956 (procid_target 96): 9 occurrences
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PO# HM00050746 13461-001,xls.xll"
   PID: 1420
   - Loads dropped DLL
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\service.exe
      Command line: "C:\Users\Admin\AppData\Roaming\service.exe"
      PID: 3240
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\service.exe
         Command line: "C:\Users\Admin\AppData\Roaming\service.exe"
         PID: 4956
         - Executes dropped EXE
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1228
            PID: 3364
            - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4956 -ip 4956
   PID: 4524
Network
MITRE ATT&CK Enterprise v15
Downloads