oski | f066b22440bc1fbf1d336c95531d7966ed2c6a0e21db7479d3eb7e61364a32e5

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2022 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

swift 6748.26.exe
Size

652KB
MD5

2a66e1def724a506b4a456a573b76c55
SHA1

ae8ea73f5754b4ca8a4ccf727e8db152c20e800f
SHA256

f066b22440bc1fbf1d336c95531d7966ed2c6a0e21db7479d3eb7e61364a32e5
SHA512

9d004d721247ec4bc1eecbfbb1e552cac3c37e20ce370e0d2aa18536ff619f8d8b66abfeb079efcf14fcbe781ae6b3138b16335b7a04f064474003d6b948c5cb

Score

10^/10

oski discovery infostealer suricata

Malware Config

Extracted

Family

oski

foodcircus.ro

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1568	icacls.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3404 set thread context of 1568	3404	swift 6748.26.exe	78

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2500	1568	WerFault.exe	78

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	swift 6748.26.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	78
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	78
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	78
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	78
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	78
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	78
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	78
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	78
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	78
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	78

C:\Users\Admin\AppData\Local\Temp\swift 6748.26.exe
"C:\Users\Admin\AppData\Local\Temp\swift 6748.26.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\SysWOW64\icacls.exe
  "C:\Windows\SysWOW64\icacls.exe"
  2⤵
  - Modifies file permissions
  PID:1568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1288
    3⤵
    - Program crash
    PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1568 -ip 1568
1⤵
PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1568-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3404-130-0x00000000002F0000-0x000000000039A000-memory.dmp

Filesize
680KB

Download
memory/3404-131-0x0000000004CC0000-0x0000000004D36000-memory.dmp

Filesize
472KB

Download
memory/3404-132-0x0000000004D70000-0x0000000004D8E000-memory.dmp

Filesize
120KB

Download