oski | e8b4e90cb7a9233231088d027c2c090aafc143c77e1f46d34d6b206c2c797419

General

Target

SCAN_Wells Fargo bank payment.exe
Size

912KB
MD5

e2e01c7a8e323e117cfc9c4cdf0ad1c2
SHA1

ea718bc482d968f9db9577b8d9edb08e4f24abbd
SHA256

e8b4e90cb7a9233231088d027c2c090aafc143c77e1f46d34d6b206c2c797419
SHA512

53a677c7e4f2968319c5d464446e7c777c9b7f61fed01cf5225c121fea661b65c24dc358d52fece233b24db18b1fd1d95d4bc580860c93bb803c77a87c260215

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

mmcjo.com/crown/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

SCAN_Wells Fargo bank payment.exe

description pid process target process

PID 3956 set thread context of 2044 3956 SCAN_Wells Fargo bank payment.exe SCAN_Wells Fargo bank payment.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2580 2044 WerFault.exe SCAN_Wells Fargo bank payment.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3848 schtasks.exe

description	pid	process	target process
PID 3956 set thread context of 2044	3956	SCAN_Wells Fargo bank payment.exe	SCAN_Wells Fargo bank payment.exe

pid	pid_target	process	target process
2580	2044	WerFault.exe	SCAN_Wells Fargo bank payment.exe

pid	process
3848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

SCAN_Wells Fargo bank payment.exeWerFault.exe

pid	process
3956	SCAN_Wells Fargo bank payment.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe
2580	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SCAN_Wells Fargo bank payment.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3956	SCAN_Wells Fargo bank payment.exe
Token: SeRestorePrivilege	2580	WerFault.exe
Token: SeBackupPrivilege	2580	WerFault.exe
Token: SeDebugPrivilege	2580	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

SCAN_Wells Fargo bank payment.exe

description	pid	process	target process
PID 3956 wrote to memory of 3848	3956	SCAN_Wells Fargo bank payment.exe	schtasks.exe
PID 3956 wrote to memory of 3848	3956	SCAN_Wells Fargo bank payment.exe	schtasks.exe
PID 3956 wrote to memory of 3848	3956	SCAN_Wells Fargo bank payment.exe	schtasks.exe
PID 3956 wrote to memory of 2044	3956	SCAN_Wells Fargo bank payment.exe	SCAN_Wells Fargo bank payment.exe
PID 3956 wrote to memory of 2044	3956	SCAN_Wells Fargo bank payment.exe	SCAN_Wells Fargo bank payment.exe
PID 3956 wrote to memory of 2044	3956	SCAN_Wells Fargo bank payment.exe	SCAN_Wells Fargo bank payment.exe
PID 3956 wrote to memory of 2044	3956	SCAN_Wells Fargo bank payment.exe	SCAN_Wells Fargo bank payment.exe
PID 3956 wrote to memory of 2044	3956	SCAN_Wells Fargo bank payment.exe	SCAN_Wells Fargo bank payment.exe
PID 3956 wrote to memory of 2044	3956	SCAN_Wells Fargo bank payment.exe	SCAN_Wells Fargo bank payment.exe
PID 3956 wrote to memory of 2044	3956	SCAN_Wells Fargo bank payment.exe	SCAN_Wells Fargo bank payment.exe
PID 3956 wrote to memory of 2044	3956	SCAN_Wells Fargo bank payment.exe	SCAN_Wells Fargo bank payment.exe
PID 3956 wrote to memory of 2044	3956	SCAN_Wells Fargo bank payment.exe	SCAN_Wells Fargo bank payment.exe

C:\Users\Admin\AppData\Local\Temp\SCAN_Wells Fargo bank payment.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_Wells Fargo bank payment.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DudhvdcY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE600.tmp"
2⤵
- Creates scheduled task(s)
PID:3848

C:\Users\Admin\AppData\Local\Temp\SCAN_Wells Fargo bank payment.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN_Wells Fargo bank payment.exe"
2⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 1172
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE600.tmp
MD5
db533f27d1a8b9202022f747a571b4fd

SHA1
7b3a0e459759703879b94222c14379d1fb5a2abe

SHA256
a46aae2ae8e5254102bfc8153a02cfd75f48cd2c4ed64d1338f20d3edfae2406

SHA512
eb9c056dc8647878a8dbabc9a59c9e5d96805315b0aa661c99b0c4603b9e5e8ac75fbf17bd2454be28ad51f520cc9088f9e5aaac1e7ea89e5189307be3bd6c80

Download Submit
memory/2044-128-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2044-126-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2044-127-0x000000000040717B-mapping.dmp

Download
memory/3848-124-0x0000000000000000-mapping.dmp

Download
memory/3956-118-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/3956-121-0x0000000005B40000-0x0000000005B5B000-memory.dmp

Filesize
108KB

Download
memory/3956-122-0x0000000008FA0000-0x0000000009013000-memory.dmp

Filesize
460KB

Download
memory/3956-123-0x0000000009020000-0x0000000009058000-memory.dmp

Filesize
224KB

Download
memory/3956-120-0x0000000005990000-0x0000000005E8E000-memory.dmp

Filesize
5.0MB

Download
memory/3956-119-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/3956-114-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/3956-117-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/3956-116-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads