Analysis
  max time kernel: 120s
  max time network: 114s
  platform: windows11-21h2_x64
  resource: win11-20241007-en
  resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 29-10-2024 22:14
Behavioral task
  behavioral1
  Sample: sosi.exe
  Resource: win11-20241007-en
General
  Target: sosi.exe
  Size: 200KB
  MD5: 46336799625b777d6ac52bff81d5604c
  SHA1: 0133461342d41df2e31f8a48c957c63c99793992
  SHA256: dce3cfe541188e0267da98342cecd47a6acdaec6827e6e7be35ffdc823c22a71
  SHA512: b8c04a060a7874000f6c4000079b50d14d28ca9286d1dde05997520509aa207e5c095ee1b15f3a782c19eab7f7aa054a69d0d974b2579cf199b0ef1e9cb1e480
  SSDEEP: 3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIq1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNn1Ljo3c
Malware Config
Signatures
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Oski family
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    3756  sosi.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar data.
- Unsecured Credentials: Credentials In Files (1 TTP)
  Steal credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sosi.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  taskkill.exe
- Checks processor information in registry (2 TTPs, 1 IoC)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                                     process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  sosi.exe
- Kills process with taskkill (1 IoC)
  Processes:
    pid   process
    1324  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1324  taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process   target process
    PID 3756 wrote to memory of 4368  3756  sosi.exe  cmd.exe       (reported 3 times)
    PID 4368 wrote to memory of 1324  4368  cmd.exe   taskkill.exe  (reported 3 times)
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\sosi.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\sosi.exe"
     PID: 3756
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Checks processor information in registry
     - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\SysWOW64\cmd.exe
       Command line: "C:\Windows\System32\cmd.exe" /c taskkill /pid 3756 & erase C:\Users\Admin\AppData\Local\Temp\sosi.exe & RD /S /Q C:\\ProgramData\\896449466092912\\* & exit
       PID: 4368
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
    - 3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /pid 3756
         PID: 1324
         - System Location Discovery: System Language Discovery
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 630KB
  MD5: e477a96c8f2b18d6b5c27bde49c990bf
  SHA1: e980c9bf41330d1e5bd04556db4646a0210f7409
  SHA256: 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
  SHA512: 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c