oski | ae672a54491d01385af7932cc9524889f6314dd4b4b8b9a846dfa1ffedaa8c61

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
13-05-2022 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payment advice.exe
Size

273KB
MD5

f6383fce1ab0d6597440259f9a1e9ddc
SHA1

247a6817bb354c0784f7a112c953646d509bd120
SHA256

ae672a54491d01385af7932cc9524889f6314dd4b4b8b9a846dfa1ffedaa8c61
SHA512

be90fef64aa2343a93456e6879465c3a5c1855490fd472b8f5a25e6c1db558798fc6fd727f00bc79d4b2e97bb91c57024e8f5178adb94ab4e72dcad83753e959

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

spetralnet2.com

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Executes dropped EXE 2 IoCs

pid	Process
864	mhxyp.exe
1612	mhxyp.exe

Loads dropped DLL 5 IoCs

pid	Process
2040	payment advice.exe
864	mhxyp.exe
1660	WerFault.exe
1660	WerFault.exe
1660	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1660	1612	WerFault.exe	29

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 864	2040	payment advice.exe	28
PID 2040 wrote to memory of 864	2040	payment advice.exe	28
PID 2040 wrote to memory of 864	2040	payment advice.exe	28
PID 2040 wrote to memory of 864	2040	payment advice.exe	28
PID 864 wrote to memory of 1612	864	mhxyp.exe	29
PID 864 wrote to memory of 1612	864	mhxyp.exe	29
PID 864 wrote to memory of 1612	864	mhxyp.exe	29
PID 864 wrote to memory of 1612	864	mhxyp.exe	29
PID 864 wrote to memory of 1612	864	mhxyp.exe	29
PID 864 wrote to memory of 1612	864	mhxyp.exe	29
PID 864 wrote to memory of 1612	864	mhxyp.exe	29
PID 864 wrote to memory of 1612	864	mhxyp.exe	29
PID 864 wrote to memory of 1612	864	mhxyp.exe	29
PID 864 wrote to memory of 1612	864	mhxyp.exe	29
PID 1612 wrote to memory of 1660	1612	mhxyp.exe	30
PID 1612 wrote to memory of 1660	1612	mhxyp.exe	30
PID 1612 wrote to memory of 1660	1612	mhxyp.exe	30
PID 1612 wrote to memory of 1660	1612	mhxyp.exe	30

C:\Users\Admin\AppData\Local\Temp\payment advice.exe
"C:\Users\Admin\AppData\Local\Temp\payment advice.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\mhxyp.exe
  C:\Users\Admin\AppData\Local\Temp\mhxyp.exe C:\Users\Admin\AppData\Local\Temp\pflzpte
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\mhxyp.exe
    C:\Users\Admin\AppData\Local\Temp\mhxyp.exe C:\Users\Admin\AppData\Local\Temp\pflzpte
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 112
      4⤵
      Loads dropped DLL
      Program crash
      PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c88xd5h1xtw6xpo

Filesize
199KB

MD5
f12301a6c1f78205c34df0d619ef87a8

SHA1
0c529631aa6b815aaa47e647181ece74a967a81e

SHA256
4f6569165279965c3f0c7234b89d9bc1979a75e7893cb5c56c9b68b4a0ccdbb9

SHA512
33689fbff7d8ff50f4978814f22832db796bb08511906a112883ea32b0ddad97424651e27e2cf4dba0fc95d5a0621203f4ca1c8875bd0f3a84f3cfc32cca514b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhxyp.exe

Filesize
78KB

MD5
8c17fe1d66065bc1660243f34da812a2

SHA1
ac9c558c9cb571c528020d625b7f62739fcbffbe

SHA256
13db970e893a0c25661aac684da4c8b4a8489ecfcda286b3a29cc0107f5a8812

SHA512
5d24bf7711bf6a67d6db3c6a4f8bed5af3266b7ab914d6338fcb5ee2af88efd4a31247f1444a4b534a69655efc46c5bb5223e590c7fdea5caf003eb2c81fb68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhxyp.exe

Filesize
78KB

MD5
8c17fe1d66065bc1660243f34da812a2

SHA1
ac9c558c9cb571c528020d625b7f62739fcbffbe

SHA256
13db970e893a0c25661aac684da4c8b4a8489ecfcda286b3a29cc0107f5a8812

SHA512
5d24bf7711bf6a67d6db3c6a4f8bed5af3266b7ab914d6338fcb5ee2af88efd4a31247f1444a4b534a69655efc46c5bb5223e590c7fdea5caf003eb2c81fb68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhxyp.exe

Filesize
78KB

MD5
8c17fe1d66065bc1660243f34da812a2

SHA1
ac9c558c9cb571c528020d625b7f62739fcbffbe

SHA256
13db970e893a0c25661aac684da4c8b4a8489ecfcda286b3a29cc0107f5a8812

SHA512
5d24bf7711bf6a67d6db3c6a4f8bed5af3266b7ab914d6338fcb5ee2af88efd4a31247f1444a4b534a69655efc46c5bb5223e590c7fdea5caf003eb2c81fb68a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pflzpte

Filesize
4KB

MD5
f486426f87d8146ad766c75fc8057152

SHA1
b7fb593c57808ac50bfd3746fe03822b119fd98e

SHA256
ac2f70d04b896c67e2ae5fe094329857d25a716597a1b5db986f98a48d0569a3

SHA512
e65a0a567060bf6363ac42fa55a7c83c1034f5db1db00aade7a21aebb956a6f3ff1a4fbda7b277a7e583c12503d3ef5d12c48fac2faa7713f69392801a7fef08

Download Submit
\Users\Admin\AppData\Local\Temp\mhxyp.exe

Filesize
78KB

MD5
8c17fe1d66065bc1660243f34da812a2

SHA1
ac9c558c9cb571c528020d625b7f62739fcbffbe

SHA256
13db970e893a0c25661aac684da4c8b4a8489ecfcda286b3a29cc0107f5a8812

SHA512
5d24bf7711bf6a67d6db3c6a4f8bed5af3266b7ab914d6338fcb5ee2af88efd4a31247f1444a4b534a69655efc46c5bb5223e590c7fdea5caf003eb2c81fb68a

Download Submit
\Users\Admin\AppData\Local\Temp\mhxyp.exe

Filesize
78KB

MD5
8c17fe1d66065bc1660243f34da812a2

SHA1
ac9c558c9cb571c528020d625b7f62739fcbffbe

SHA256
13db970e893a0c25661aac684da4c8b4a8489ecfcda286b3a29cc0107f5a8812

SHA512
5d24bf7711bf6a67d6db3c6a4f8bed5af3266b7ab914d6338fcb5ee2af88efd4a31247f1444a4b534a69655efc46c5bb5223e590c7fdea5caf003eb2c81fb68a

Download Submit
\Users\Admin\AppData\Local\Temp\mhxyp.exe

Filesize
78KB

MD5
8c17fe1d66065bc1660243f34da812a2

SHA1
ac9c558c9cb571c528020d625b7f62739fcbffbe

SHA256
13db970e893a0c25661aac684da4c8b4a8489ecfcda286b3a29cc0107f5a8812

SHA512
5d24bf7711bf6a67d6db3c6a4f8bed5af3266b7ab914d6338fcb5ee2af88efd4a31247f1444a4b534a69655efc46c5bb5223e590c7fdea5caf003eb2c81fb68a

Download Submit
\Users\Admin\AppData\Local\Temp\mhxyp.exe

Filesize
78KB

MD5
8c17fe1d66065bc1660243f34da812a2

SHA1
ac9c558c9cb571c528020d625b7f62739fcbffbe

SHA256
13db970e893a0c25661aac684da4c8b4a8489ecfcda286b3a29cc0107f5a8812

SHA512
5d24bf7711bf6a67d6db3c6a4f8bed5af3266b7ab914d6338fcb5ee2af88efd4a31247f1444a4b534a69655efc46c5bb5223e590c7fdea5caf003eb2c81fb68a

Download Submit
\Users\Admin\AppData\Local\Temp\mhxyp.exe

Filesize
78KB

MD5
8c17fe1d66065bc1660243f34da812a2

SHA1
ac9c558c9cb571c528020d625b7f62739fcbffbe

SHA256
13db970e893a0c25661aac684da4c8b4a8489ecfcda286b3a29cc0107f5a8812

SHA512
5d24bf7711bf6a67d6db3c6a4f8bed5af3266b7ab914d6338fcb5ee2af88efd4a31247f1444a4b534a69655efc46c5bb5223e590c7fdea5caf003eb2c81fb68a

Download Submit
memory/1612-71-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/1612-68-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/1612-65-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/2040-54-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download