oski | 9db1dcab3007e75a3c78dc1ba8bf91fd7e7daaa4cf3980ac1fd39f5beb7780ad

General

Target

3fab82becf1fb796a56853a4bb6d41cf.exe
Size

417KB
MD5

3fab82becf1fb796a56853a4bb6d41cf
SHA1

4662f8a3fff9a854690ebe86067ee9cd3f633015
SHA256

9db1dcab3007e75a3c78dc1ba8bf91fd7e7daaa4cf3980ac1fd39f5beb7780ad
SHA512

e97e9ea9d44c521bf2ef315eb51a5e25e8266ef0f0964693c26583e1a42aff27549cac61805ee84ab0b2697c739efbe08745c5f724209fc8d599697939fa7f14

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

C2

mark02.xyz

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Loads dropped DLL 1 IoCs

Processes:

3fab82becf1fb796a56853a4bb6d41cf.exe

pid process

888 3fab82becf1fb796a56853a4bb6d41cf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1592 1416 WerFault.exe 3fab82becf1fb796a56853a4bb6d41cf.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1592 WerFault.exe
1592 WerFault.exe
1592 WerFault.exe
1592 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1592 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1592 WerFault.exe

pid	process
888	3fab82becf1fb796a56853a4bb6d41cf.exe

pid	pid_target	process	target process
1592	1416	WerFault.exe	3fab82becf1fb796a56853a4bb6d41cf.exe

pid	process
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe

pid	process
1592	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1592	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3fab82becf1fb796a56853a4bb6d41cf.exe3fab82becf1fb796a56853a4bb6d41cf.exe

description	pid	process	target process
PID 888 wrote to memory of 1416	888	3fab82becf1fb796a56853a4bb6d41cf.exe	3fab82becf1fb796a56853a4bb6d41cf.exe
PID 888 wrote to memory of 1416	888	3fab82becf1fb796a56853a4bb6d41cf.exe	3fab82becf1fb796a56853a4bb6d41cf.exe
PID 888 wrote to memory of 1416	888	3fab82becf1fb796a56853a4bb6d41cf.exe	3fab82becf1fb796a56853a4bb6d41cf.exe
PID 888 wrote to memory of 1416	888	3fab82becf1fb796a56853a4bb6d41cf.exe	3fab82becf1fb796a56853a4bb6d41cf.exe
PID 888 wrote to memory of 1416	888	3fab82becf1fb796a56853a4bb6d41cf.exe	3fab82becf1fb796a56853a4bb6d41cf.exe
PID 888 wrote to memory of 1416	888	3fab82becf1fb796a56853a4bb6d41cf.exe	3fab82becf1fb796a56853a4bb6d41cf.exe
PID 888 wrote to memory of 1416	888	3fab82becf1fb796a56853a4bb6d41cf.exe	3fab82becf1fb796a56853a4bb6d41cf.exe
PID 888 wrote to memory of 1416	888	3fab82becf1fb796a56853a4bb6d41cf.exe	3fab82becf1fb796a56853a4bb6d41cf.exe
PID 888 wrote to memory of 1416	888	3fab82becf1fb796a56853a4bb6d41cf.exe	3fab82becf1fb796a56853a4bb6d41cf.exe
PID 888 wrote to memory of 1416	888	3fab82becf1fb796a56853a4bb6d41cf.exe	3fab82becf1fb796a56853a4bb6d41cf.exe
PID 1416 wrote to memory of 1592	1416	3fab82becf1fb796a56853a4bb6d41cf.exe	WerFault.exe
PID 1416 wrote to memory of 1592	1416	3fab82becf1fb796a56853a4bb6d41cf.exe	WerFault.exe
PID 1416 wrote to memory of 1592	1416	3fab82becf1fb796a56853a4bb6d41cf.exe	WerFault.exe
PID 1416 wrote to memory of 1592	1416	3fab82becf1fb796a56853a4bb6d41cf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3fab82becf1fb796a56853a4bb6d41cf.exe
"C:\Users\Admin\AppData\Local\Temp\3fab82becf1fb796a56853a4bb6d41cf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\3fab82becf1fb796a56853a4bb6d41cf.exe
"C:\Users\Admin\AppData\Local\Temp\3fab82becf1fb796a56853a4bb6d41cf.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 112
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1592

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy1881.tmp\hojxfiwbq.dll
MD5
35948dd04254b7bbc9fc4b32d44e4d22

SHA1
419d3f217e54c923e46270090e15631f4d641b18

SHA256
7184510a0fb80d66a3aa3ef1c875cec900fe4f132a5d2ec10d614b29493178a2

SHA512
2904e4168e471a30899fc7ddc65e284fb7e1b626c9ccaa108b449cfb89ed57ac40e62c087d56cd861abb0e27b81af7e943af2cab1a47fd52a26c7fb8404865de

Download Submit
memory/888-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1416-56-0x0000000000000000-mapping.dmp

Download
memory/1416-57-0x00000000001C0000-0x00000000001F8000-memory.dmp

Filesize
224KB

Download
memory/1416-60-0x00000000001C0000-0x00000000001F8000-memory.dmp

Filesize
224KB

Download
memory/1416-63-0x00000000001C0000-0x00000000001F8000-memory.dmp

Filesize
224KB

Download
memory/1592-64-0x0000000000000000-mapping.dmp

Download
memory/1592-66-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing