Overview

overview

10

Static

static

1

80199402b6...52.exe

windows7-x64

10

80199402b6...52.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    137s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21-08-2024 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe

  • Size

    861KB

  • MD5

    c20ef4961ce6eb9dd5654242ec1b418c

  • SHA1

    076cb25979115c1a5baa95807f993c90f629c524

  • SHA256

    80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352

  • SHA512

    e518cd58bcab49e1359d6e60fe71a12c40d6c3f3e8dcfbf974848edb901231b8bd70271fc64f55c0cd8777e975ffee08b17607e4c4bd9744a4193b2a5739a9a2

  • SSDEEP

    24576:ZQqPByJzhAfD7MjzlR7m8Sdu3ar3kxggWq:ZQqZ0z0MjHy8mxrgl

Score
10/10
oskidefense_evasiondiscoveryinfostealerpersistence

Malware Config

Extracted

Family

oski

C2

45.141.84.184

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs

    Payload decoded via CertUtil.

    defense_evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe
    "C:\Users\Admin\AppData\Local\Temp\80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c <nul set /p ="M" > msdtc.com & type KsTpnq.com >> msdtc.com & del KsTpnq.com & certutil -decode yTxIv.com U & msdtc.com U & ping 127.0.0.1 -n 3
      2⤵
      • Loads dropped DLL
      • Deobfuscate/Decode Files or Information
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode yTxIv.com U
        3⤵
        • Deobfuscate/Decode Files or Information
        • System Location Discovery: System Language Discovery
        PID:2748
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com
        msdtc.com U
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com U
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\SysWOW64\attrib.exe
            "C:\Windows\SysWOW64\attrib.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2564
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KsTpnq.com
    Filesize

    872KB

    MD5

    d86ab2aeeac2553c7857ece4492eda5d

    SHA1

    0828db56b556f3f0486a9de9d2c728216035e8e6

    SHA256

    8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

    SHA512

    8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U
    Filesize

    241KB

    MD5

    c8c4a872e297f7e536786c49d66650c5

    SHA1

    d65329038099ba179db5331f8eaec618fb679119

    SHA256

    f8b193619fa0fbf5e8a7fa84017dab39b15acaeb3b7888b532e3d26d017d22ee

    SHA512

    37d26d18f19e7660b28c3b5cd58ae2a35ab40c2ffc947193c945a764a84edc61198141dab620d03f41c1585ca44c8ba940881db337a6e92ca2e454d50acb0c87

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bWPQ.com
    Filesize

    200KB

    MD5

    5ea7b5afb1bf7b27844bfb150307adb1

    SHA1

    47fcfe229e937dc5d2700203c1f9d42767082903

    SHA256

    ff8814e26980703a8d1d917a8a6991e80849037fe6fb531b05b7d984fa0db4e2

    SHA512

    1ca5022ee0e978711fd05b9c1655d554b16672962338f86c003aaebd86def8b07170b798c570823db6fb7b63eb17684a4beed302f5029ae01f66e1f828bd3388

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yTxIv.com
    Filesize

    332KB

    MD5

    0793e3a615b4e02d45e1f857fcb9b2fe

    SHA1

    c54946443428a2e90cbe07afd9a96b6dd176f563

    SHA256

    789eaa8e03690dd53708b429b7cb51f619f80c3f56d4616ca8971d512a63024b

    SHA512

    f889c6bf2c6878a980d1432c2353290bbf907292b777e73e0f540414f7de3e2945d05dad58b695214fc04163e729f6830cf6a1cfc6f4e9b5394c1fcc004e0b89

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • memory/2564-20-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2564-21-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download