IMG_0501_765_013.exe

General

Target:    IMG_0501_765_013.exe
Filesize:  222KB
Completed: 06-05-2021 14:16
Score:     10/10
MD5:       716e89179126809cc5a4b476a03dda11
SHA1:      29bfe1170a118c56776938fb44289884da261294
SHA256:    2976262aeed56001f874b183072c03360a1dbcdde67bfdcc982078d3bc246857

Malware Config

Extracted

Family: oski
C2:     31.210.21.154

Signatures (5)


  • Oski

    Description

    Oski is an infostealer that targets browser data and cryptocurrency wallets.

  • Suspicious use of SetThreadContext
    IMG_0501_765_013.exe

    Reported IOCs

    Description                            | PID  | Process              | Target process
    PID 1992 set thread context of 748     | 1992 | IMG_0501_765_013.exe | IMG_0501_765_013.exe
  • Suspicious behavior: EnumeratesProcesses
    IMG_0501_765_013.exe

    Reported IOCs

    PID  | Process
    1992 | IMG_0501_765_013.exe   (this row is reported 18 times)
  • Suspicious use of AdjustPrivilegeToken
    IMG_0501_765_013.exe

    Reported IOCs

    Description              | PID  | Process
    Token: SeDebugPrivilege  | 1992 | IMG_0501_765_013.exe
  • Suspicious use of WriteProcessMemory
    IMG_0501_765_013.exe

    Reported IOCs

    Description                          | PID  | Process              | Target process       | Times reported
    PID 1992 wrote to memory of 1616     | 1992 | IMG_0501_765_013.exe | IMG_0501_765_013.exe | 4
    PID 1992 wrote to memory of 1612     | 1992 | IMG_0501_765_013.exe | IMG_0501_765_013.exe | 4
    PID 1992 wrote to memory of 1648     | 1992 | IMG_0501_765_013.exe | IMG_0501_765_013.exe | 4
    PID 1992 wrote to memory of 652      | 1992 | IMG_0501_765_013.exe | IMG_0501_765_013.exe | 4
    PID 1992 wrote to memory of 748      | 1992 | IMG_0501_765_013.exe | IMG_0501_765_013.exe | 10
Processes (6)
  • C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
      C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
      PID:1616
    • C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
      C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
      PID:1612
    • C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
      C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
      PID:1648
    • C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
      C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
      PID:652
    • C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
      C:\Users\Admin\AppData\Local\Temp\IMG_0501_765_013.exe
      PID:748
Network
MITRE ATT&CK Matrix

Columns: Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Downloads (memory dumps)

  • memory/748-67-0x0000000075B31000-0x0000000075B33000-memory.dmp
  • memory/748-68-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/748-65-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/748-66-0x000000000040717B-mapping.dmp
  • memory/1992-63-0x00000000005A0000-0x00000000005A1000-memory.dmp
  • memory/1992-64-0x00000000005E0000-0x00000000005FF000-memory.dmp
  • memory/1992-60-0x0000000000160000-0x0000000000161000-memory.dmp
  • memory/1992-62-0x00000000004F0000-0x00000000004F2000-memory.dmp