Overview

overview

10

Static

static

3

e11c3b1cc8...01.exe

windows7-x64

10

e11c3b1cc8...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2024 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e11c3b1cc868bcac2b10f1e7739b2501.exe

  • Size

    381KB

  • MD5

    e11c3b1cc868bcac2b10f1e7739b2501

  • SHA1

    9ac339112cc6fd56efa6026953004bb75bd76cc0

  • SHA256

    ead4fbb41f9237091a53a9c5be2b50c222f3a7fce542bc6bab7acd302405c508

  • SHA512

    27b2d7981856a39b598306725e6701e001a26149e0a7b28229ff0893ca21e17581907ed416c261a73cc31653f498f9e5e2a901f757c62ec80b0ee32ad43a87ea

  • SSDEEP

    6144:d2VEppbDxzjl1+FEIHWknFDKYuzBXmrp22NHdsIfR6tbrIp40A4Dh:5pp31CFEIHbFWYEcrffsIfkbrQ4pyh

Score
10/10
oskiinfostealerpersistencespywarestealer

Malware Config

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e11c3b1cc868bcac2b10f1e7739b2501.exe
    "C:\Users\Admin\AppData\Local\Temp\e11c3b1cc868bcac2b10f1e7739b2501.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\miore.exe
      "C:\Users\Admin\AppData\Local\Temp\miore.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5000
    • C:\Users\Admin\AppData\Local\Temp\lioc.exe
      "C:\Users\Admin\AppData\Local\Temp\lioc.exe"
      2⤵
      • Executes dropped EXE
      PID:3276
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1560
        3⤵
        • Program crash
        PID:1204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1108
      2⤵
      • Program crash
      PID:3476
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3996 -ip 3996
    1⤵
      PID:4728
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3276 -ip 3276
      1⤵
        PID:2116

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\msvcp140.dll
        Filesize

        153B

        MD5

        d9e4660829c2f1d3aeece0700a737d21

        SHA1

        208af3a0734482cb5b70e62148878da995bc12df

        SHA256

        c649b72d40b182375b97337744d6ed80b886d0a4cce87fe9f3b7bd7ebef7f6de

        SHA512

        c93272e68a3dd02e5136b4a60c6a5a31ac8f3c3733228627da0526b0c6bdbd91ff0c16c20e1e26380e3853a7235a39b4147ead44733044dc291087d064b654dd

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\lioc.exe
        Filesize

        200KB

        MD5

        631baafff18a2c46a0ddddb6cd4db7dd

        SHA1

        e4268660608735cdc166c97432e03c4f5de0f7c1

        SHA256

        c740ab68c89323420fc94e5b2f7be88958ad33c1d0ae70c9a28088e576cee2e4

        SHA512

        153be28e1ad161cbc1c5dcf9058f12608d7bb11338c9fae7e12aadf22bcbe8206d182a018cc5c3db8483c3ee9ba055c156ebdbcb84da968a351141afa044d3ae

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\miore.exe
        Filesize

        109KB

        MD5

        0e5c12df26f858b2d4e6741917a4cd1b

        SHA1

        b81171ecac330f1179012c16dae56b1de81b56e7

        SHA256

        5e51ec3a5ff289f2b0db602b4dd4b987db17bda4964a8b1caa44d9e6bcf4355e

        SHA512

        e48c55f8c04de46d89db96d0068728fa27bd9768a3b8dc189d6adff694fcc35fd42291fd60655020df50c5ba4404198f0d0115c4c2e007b35c696204a1da5910

        Download Submit

      • memory/3996-1-0x0000000000CD0000-0x0000000000DD0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3996-2-0x00000000001C0000-0x00000000001E1000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3996-3-0x0000000000400000-0x0000000000916000-memory.dmp

        Filesize

        5.1MB

        Download

      • memory/3996-32-0x00000000001C0000-0x00000000001E1000-memory.dmp

        Filesize

        132KB

        Download

      • memory/3996-31-0x0000000000400000-0x0000000000916000-memory.dmp

        Filesize

        5.1MB

        Download

      • memory/5000-28-0x0000000005560000-0x0000000005570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5000-27-0x00000000056A0000-0x0000000005732000-memory.dmp

        Filesize

        584KB

        Download

      • memory/5000-26-0x0000000005C50000-0x00000000061F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/5000-29-0x00000000055C0000-0x00000000055CA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/5000-30-0x00000000058B0000-0x0000000005906000-memory.dmp

        Filesize

        344KB

        Download

      • memory/5000-25-0x0000000005600000-0x000000000569C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/5000-23-0x0000000000BA0000-0x0000000000BC2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/5000-33-0x0000000007170000-0x0000000007332000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/5000-34-0x0000000005560000-0x0000000005570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5000-24-0x00000000739B0000-0x0000000074160000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5000-52-0x00000000739B0000-0x0000000074160000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/5000-53-0x0000000005560000-0x0000000005570000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5000-54-0x0000000005560000-0x0000000005570000-memory.dmp

        Filesize

        64KB

        Download