Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2024 10:09

General

  • Target

    2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe

  • Size

    216KB

  • MD5

    eee333c1637253245c3fc51775ba7395

  • SHA1

    bd111eaf7f7687a87de02aa87acdde9d4cd51eb8

  • SHA256

    e5824681466b0a8b36f470252d644bc5a4333d83a8987021df491b471ef8d473

  • SHA512

    c3ad219bacb1c7fc2feb98848bbf61bd559ed9c6ec2ebfb9d4d7380fcd7b34a4f895be7b5f3ac3f588add74bcd8a4cefe6a9b58ad73310e862030ed0f942e087

  • SSDEEP

    3072:efUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIh1Xi6FLPo3cCGCH:efUauY68uSWCx+XA7mg2pNQ1Ljo3cj

Malware Config

Extracted

Family

oski

C2

wellsfargocs.ddns.us

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Local\Temp\ScqFnHip.exe
      C:\Users\Admin\AppData\Local\Temp\ScqFnHip.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\36a51a41.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1672
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 784
      2⤵
      • Program crash
      PID:1448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\msvcp140.dll
    Filesize

    252B

    MD5

    bfd986155d142e8d9b7c9abe96fee0ad

    SHA1

    a01e08e76db2322a020fea44fbdc550b2ab23840

    SHA256

    0521d11937d55b5e9549a0474209b77e6cd0df2e5da4c6b98f518065c56b50bb

    SHA512

    a3fce419969816aa99880b1613ceb2bdfd4d2383f8f4f4f7ef65c8abbdc231b8e61281b1c9240882ac03e30b0417bf06ce943d2dc590672c964aa62691b77871

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8I3CVQY\k2[1].rar
    Filesize

    4B

    MD5

    d3b07384d113edec49eaa6238ad5ff00

    SHA1

    f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

    SHA256

    b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

    SHA512

    0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

  • C:\Users\Admin\AppData\Local\Temp\02655CF7.exe
    Filesize

    4B

    MD5

    20879c987e2f9a916e578386d499f629

    SHA1

    c7b33ddcc42361fdb847036fc07e880b81935d5d

    SHA256

    9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

    SHA512

    bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

  • C:\Users\Admin\AppData\Local\Temp\36a51a41.bat
    Filesize

    191B

    MD5

    1df85b405ad04631f2b55ff316f59ec6

    SHA1

    c45d2e3c85779b6018a53f6a1f0e562f74e0331d

    SHA256

    7679a1e222b64ba0106456e506390b7a9e3252fd0b56125516f017f99cb3460d

    SHA512

    95aac924f86494a427dd0ee5a5dd1a0794135955b46225c8a24a7938b91a1cc19205e51116cfa2799a33bb06d6f9a99ef3028831a7806fccf3d958f772dc0f4a

  • C:\Users\Admin\AppData\Local\Temp\ScqFnHip.exe
    Filesize

    15KB

    MD5

    f7d21de5c4e81341eccd280c11ddcc9a

    SHA1

    d4e9ef10d7685d491583c6fa93ae5d9105d815bd

    SHA256

    4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

    SHA512

    e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

  • memory/2108-0-0x0000000000C00000-0x0000000000C3D000-memory.dmp
    Filesize

    244KB

  • memory/2108-11-0x0000000000BE0000-0x0000000000BE9000-memory.dmp
    Filesize

    36KB

  • memory/2108-10-0x0000000000BE0000-0x0000000000BE9000-memory.dmp
    Filesize

    36KB

  • memory/2108-53-0x0000000000C00000-0x0000000000C3D000-memory.dmp
    Filesize

    244KB

  • memory/2844-12-0x0000000000BE0000-0x0000000000BE9000-memory.dmp
    Filesize

    36KB

  • memory/2844-42-0x0000000000BE0000-0x0000000000BE9000-memory.dmp
    Filesize

    36KB