oski | a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039

General

Target

a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
Size

1021KB
MD5

9e63e88975cbb8bee38d44fb94493fef
SHA1

be87f430e0d18c15fd9ebee6cd836f504b7647e2
SHA256

a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039
SHA512

a844c11fabbe2c3dae85b7425dc587dfa87fa2ea1dc198191915bec5391108a23c725e6cd3cd0e8de7bff033ef47f2787b7b28dd7f2029a2b018404c945b796b

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

swsaseguranca.com.br

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe

description	pid	process	target process
PID 2516 set thread context of 200	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

196 200 WerFault.exe a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2880 schtasks.exe

pid	pid_target	process	target process
196	200	WerFault.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe

pid	process
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exepowershell.exepowershell.exeWerFault.exe

pid	process
2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
3160	powershell.exe
1176	powershell.exe
3160	powershell.exe
1176	powershell.exe
3160	powershell.exe
1176	powershell.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe
196	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeRestorePrivilege	196	WerFault.exe
Token: SeBackupPrivilege	196	WerFault.exe
Token: SeDebugPrivilege	196	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe

description	pid	process	target process
PID 2516 wrote to memory of 3160	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	powershell.exe
PID 2516 wrote to memory of 3160	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	powershell.exe
PID 2516 wrote to memory of 3160	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	powershell.exe
PID 2516 wrote to memory of 1176	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	powershell.exe
PID 2516 wrote to memory of 1176	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	powershell.exe
PID 2516 wrote to memory of 1176	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	powershell.exe
PID 2516 wrote to memory of 2880	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	schtasks.exe
PID 2516 wrote to memory of 2880	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	schtasks.exe
PID 2516 wrote to memory of 2880	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	schtasks.exe
PID 2516 wrote to memory of 200	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
PID 2516 wrote to memory of 200	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
PID 2516 wrote to memory of 200	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
PID 2516 wrote to memory of 200	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
PID 2516 wrote to memory of 200	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
PID 2516 wrote to memory of 200	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
PID 2516 wrote to memory of 200	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
PID 2516 wrote to memory of 200	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
PID 2516 wrote to memory of 200	2516	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe	a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe

C:\Users\Admin\AppData\Local\Temp\a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
"C:\Users\Admin\AppData\Local\Temp\a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lBvNGnJmBjg.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lBvNGnJmBjg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FBD.tmp"
2⤵
- Creates scheduled task(s)
PID:2880

C:\Users\Admin\AppData\Local\Temp\a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe
"C:\Users\Admin\AppData\Local\Temp\a5f2219b1ca7dfb3a2a049a727dfd2b477982ac2b01071f6e5794a987402a039.exe"
2⤵
PID:200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 200 -s 1220
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a5efdfb62d07c09f0cb52b0674d3a25e

SHA1
5898a16dac2df89ded9c1951ca2fdd4a0f22f227

SHA256
5670828c579b516cec4b38664696420cfff255025b3b8c8c9be130ca3b44ce6d

SHA512
07c2cc96775b7fc17f3d1f508a3fd8b4527e9f6e23044c2751e323fcc8e1775a1885002a70046d13d282313561a9b482d89cb1891a29af60d87f4d58eb1f7ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6FBD.tmp
MD5
1e927c48c355da6a269d360920829818

SHA1
8ebad75ab72cb2b2619f438864da24b8467d5f19

SHA256
b807588f8ef07531959c87515ddee811af85e380e4ae9f21ce71121917fb28d9

SHA512
750d464b925bca30e0674c326cad10b6f7ed1bd99df010977c5e9fb54f93da9f968c446d114b2346877bb4f7c491bda5c0d1005d99d7d588a93293681f76e296

Download Submit
memory/200-147-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/200-138-0x000000000040717B-mapping.dmp

Download
memory/200-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1176-152-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/1176-133-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1176-154-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/1176-156-0x0000000007E80000-0x0000000007E81000-memory.dmp

Filesize
4KB

Download
memory/1176-146-0x0000000004552000-0x0000000004553000-memory.dmp

Filesize
4KB

Download
memory/1176-199-0x0000000004553000-0x0000000004554000-memory.dmp

Filesize
4KB

Download
memory/1176-129-0x0000000000000000-mapping.dmp

Download
memory/1176-197-0x000000007F5E0000-0x000000007F5E1000-memory.dmp

Filesize
4KB

Download
memory/1176-145-0x0000000004550000-0x0000000004551000-memory.dmp

Filesize
4KB

Download
memory/1176-132-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1176-158-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1176-185-0x0000000008E30000-0x0000000008E31000-memory.dmp

Filesize
4KB

Download
memory/1176-141-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/1176-139-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/2516-120-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/2516-121-0x0000000002ED0000-0x0000000002ED5000-memory.dmp

Filesize
20KB

Download
memory/2516-122-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/2516-115-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2516-123-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/2516-118-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/2516-119-0x0000000002D70000-0x0000000002E02000-memory.dmp

Filesize
584KB

Download
memory/2516-117-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2516-124-0x0000000006220000-0x0000000006343000-memory.dmp

Filesize
1.1MB

Download
memory/2880-130-0x0000000000000000-mapping.dmp

Download
memory/3160-131-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/3160-150-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/3160-148-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/3160-144-0x0000000004612000-0x0000000004613000-memory.dmp

Filesize
4KB

Download
memory/3160-158-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/3160-172-0x00000000090E0000-0x0000000009113000-memory.dmp

Filesize
204KB

Download
memory/3160-143-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/3160-198-0x000000007EF10000-0x000000007EF11000-memory.dmp

Filesize
4KB

Download
memory/3160-128-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/3160-127-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/3160-200-0x0000000004613000-0x0000000004614000-memory.dmp

Filesize
4KB

Download
memory/3160-126-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/3160-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads