Analysis
- max time kernel: 140s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 20-08-2024 14:13
Static task: static1
Behavioral task behavioral1
- Sample: ExeFile (339).exe
- Resource: win7-20240705-en
Behavioral task behavioral2
- Sample: ExeFile (339).exe
- Resource: win10v2004-20240802-en
General
- Target: ExeFile (339).exe
- Size: 861KB
- MD5: c20ef4961ce6eb9dd5654242ec1b418c
- SHA1: 076cb25979115c1a5baa95807f993c90f629c524
- SHA256: 80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352
- SHA512: e518cd58bcab49e1359d6e60fe71a12c40d6c3f3e8dcfbf974848edb901231b8bd70271fc64f55c0cd8777e975ffee08b17607e4c4bd9744a4193b2a5739a9a2
- SSDEEP: 24576:ZQqPByJzhAfD7MjzlR7m8Sdu3ar3kxggWq:ZQqZ0z0MjHy8mxrgl
Malware Config
Extracted (oski)
- 45.141.84.184
Signatures
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Executes dropped EXE (2 IoCs)
  Processes: msdtc.com (PID 2264), msdtc.com (PID 2700)
- Loads dropped DLL (2 IoCs)
  Processes: cmd.exe (PID 2092), msdtc.com (PID 2264)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process ExeFile (339).exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- Deobfuscate/Decode Files or Information
  Processes: cmd.exe (PID 2092), certutil.exe (PID 2532)
- Suspicious use of SetThreadContext (1 IoC)
  msdtc.com (PID 2700) set thread context of attrib.exe (PID 2724)
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by ExeFile (339).exe, cmd.exe, certutil.exe, msdtc.com, msdtc.com, PING.EXE, attrib.exe
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: msdtc.com (PID 2700)
- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes: msdtc.com (PID 2264) x3, msdtc.com (PID 2700) x3
- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes: msdtc.com (PID 2264) x3, msdtc.com (PID 2700) x3
- Suspicious use of WriteProcessMemory (25 IoCs)
  ExeFile (339).exe (PID 3020) wrote to memory of cmd.exe (PID 2092) x4
  cmd.exe (PID 2092) wrote to memory of certutil.exe (PID 2532) x4
  cmd.exe (PID 2092) wrote to memory of msdtc.com (PID 2264) x4
  msdtc.com (PID 2264) wrote to memory of msdtc.com (PID 2700) x4
  cmd.exe (PID 2092) wrote to memory of PING.EXE (PID 2200) x4
  msdtc.com (PID 2700) wrote to memory of attrib.exe (PID 2724) x5
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\ExeFile (339).exe (PID 3020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ExeFile (339).exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2092)
    Command line: cmd /c <nul set /p ="M" > msdtc.com & type KsTpnq.com >> msdtc.com & del KsTpnq.com & certutil -decode yTxIv.com U & msdtc.com U & ping 127.0.0.1 -n 3
    - Loads dropped DLL
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\certutil.exe (PID 2532)
      Command line: certutil -decode yTxIv.com U
      - Deobfuscate/Decode Files or Information
      - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com (PID 2264)
      Command line: msdtc.com U
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com (PID 2700)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com U
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\attrib.exe (PID 2724)
          Command line: "C:\Windows\SysWOW64\attrib.exe"
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
    - C:\Windows\SysWOW64\PING.EXE (PID 2200)
      Command line: ping 127.0.0.1 -n 3
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Deobfuscate/Decode Files or Information (1)
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Modify Registry (1)
Downloads