oski | f066b22440bc1fbf1d336c95531d7966ed2c6a0e21db7479d3eb7e61364a32e5

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2022 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

swift 6748.26.exe
Size

652KB
MD5

2a66e1def724a506b4a456a573b76c55
SHA1

ae8ea73f5754b4ca8a4ccf727e8db152c20e800f
SHA256

f066b22440bc1fbf1d336c95531d7966ed2c6a0e21db7479d3eb7e61364a32e5
SHA512

9d004d721247ec4bc1eecbfbb1e552cac3c37e20ce370e0d2aa18536ff619f8d8b66abfeb079efcf14fcbe781ae6b3138b16335b7a04f064474003d6b948c5cb

Score

10^/10

oski discovery infostealer suricata

Malware Config

Extracted

Family

oski

foodcircus.ro

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1568 icacls.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

swift 6748.26.exe

description pid process target process

PID 3404 set thread context of 1568 3404 swift 6748.26.exe icacls.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2500 1568 WerFault.exe icacls.exe

pid	process
1568	icacls.exe

description	pid	process	target process
PID 3404 set thread context of 1568	3404	swift 6748.26.exe	icacls.exe

pid	pid_target	process	target process
2500	1568	WerFault.exe	icacls.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

swift 6748.26.exe

pid	process
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe
3404	swift 6748.26.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

swift 6748.26.exe

description pid process

Token: SeDebugPrivilege 3404 swift 6748.26.exe

description	pid	process
Token: SeDebugPrivilege	3404	swift 6748.26.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

swift 6748.26.exe

description	pid	process	target process
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	icacls.exe
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	icacls.exe
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	icacls.exe
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	icacls.exe
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	icacls.exe
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	icacls.exe
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	icacls.exe
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	icacls.exe
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	icacls.exe
PID 3404 wrote to memory of 1568	3404	swift 6748.26.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\swift 6748.26.exe
"C:\Users\Admin\AppData\Local\Temp\swift 6748.26.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\SysWOW64\icacls.exe"
2⤵
- Modifies file permissions
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 1288
3⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1568 -ip 1568
1⤵
PID:2272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1568-133-0x0000000000000000-mapping.dmp

Download
memory/1568-134-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1568-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3404-130-0x00000000002F0000-0x000000000039A000-memory.dmp

Filesize
680KB

Download
memory/3404-131-0x0000000004CC0000-0x0000000004D36000-memory.dmp

Filesize
472KB

Download
memory/3404-132-0x0000000004D70000-0x0000000004D8E000-memory.dmp

Filesize
120KB

Download