Analysis

  • max time kernel
    1848s
  • max time network
    1853s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-09-2022 16:55

General

  • Target

    https://www.upload.ee/files/14365900/Oski_Stealer.rar.html

Malware Config

Extracted

Family

oski

C2

62.77.159.212

panel.com

Signatures

  • Oski

    Oski is an infostealer targeting browser data and crypto wallets.

  • Executes dropped EXE 4 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Modifies registry class 37 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.upload.ee/files/14365900/Oski_Stealer.rar.html
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.upload.ee/files/14365900/Oski_Stealer.rar.html
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1036.0.376813773\1441589455" -parentBuildID 20200403170909 -prefsHandle 1180 -prefMapHandle 1172 -prefsLen 1 -prefMapSize 220106 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1036 "\\.\pipe\gecko-crash-server-pipe.1036" 1244 gpu
        3⤵
        PID:1240
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1036.3.999632833\721739798" -childID 1 -isForBrowser -prefsHandle 1824 -prefMapHandle 1724 -prefsLen 122 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1036 "\\.\pipe\gecko-crash-server-pipe.1036" 1556 tab
        3⤵
        PID:2036
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1036.13.1084036182\2053841369" -childID 2 -isForBrowser -prefsHandle 2620 -prefMapHandle 2604 -prefsLen 6904 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1036 "\\.\pipe\gecko-crash-server-pipe.1036" 2632 tab
        3⤵
        PID:1096
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1036.14.125793770\903399857" -childID 3 -isForBrowser -prefsHandle 2640 -prefMapHandle 2620 -prefsLen 6904 -prefMapSize 220106 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1036 "\\.\pipe\gecko-crash-server-pipe.1036" 2712 tab
        3⤵
        PID:840
  • C:\Program Files\7-Zip\7zG.exe
    "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Oski_Stealer\" -spe -an -ai#7zMap5402:86:7zEvent11199
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2456
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1c4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2540
  • C:\Users\Admin\Downloads\Oski_Stealer\Oski_Stealer.exe
    "C:\Users\Admin\Downloads\Oski_Stealer\Oski_Stealer.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:2608
    • C:\Users\Admin\Downloads\Oski_Stealer\crack.exe
      "C:\Users\Admin\Downloads\Oski_Stealer\crack.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious behavior: AddClipboardFormatListener
      PID:2804
  • C:\Users\Admin\Downloads\Oski_Stealer\Oski Cracked.exe
    "C:\Users\Admin\Downloads\Oski_Stealer\Oski Cracked.exe"
    1⤵
    • Executes dropped EXE
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2764
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://t.me/lenskiyteamoff
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2904
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2976
  • C:\Users\Admin\Downloads\Oski_Stealer\Oski_Cracked_panel.com.exe
    "C:\Users\Admin\Downloads\Oski_Stealer\Oski_Cracked_panel.com.exe"
    1⤵
    • Executes dropped EXE
    PID:2204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 616
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:2776

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Modify Registry (1): T1112
  • Credential Access
    • Credentials in Files (1): T1081
  • Discovery
    • System Information Discovery (2): T1082
    • Query Registry (1): T1012
  • Collection
    • Data from Local System (1): T1005

Downloads

          • C:\Users\Admin\Downloads\Oski_Stealer.rar
            Filesize

            21MB

            MD5

            8b08722c088f4d3cd86f6febe3009218

            SHA1

            6f861205315deeb116e7089bdd6bf9084e5b319a

            SHA256

            5a98eeb8380e97436bd6d1f4a828b2e443e0020df9e8220b28a71e18b0338141

            SHA512

            1188110fe449c68ccd92d206dc19f759fdffe2bbe1f46c43113a23060f84a4a4254b8aa3d0b8afad5a052dfc14df580dd841ef80b850652b82a9feeb4672f08f

          • C:\Users\Admin\Downloads\Oski_Stealer\Oski Cracked.exe
            Filesize

            3MB

            MD5

            2bd0e61c45d352697c5e16437d8055b0

            SHA1

            0b9b24d396a50c2dc13d73e1f2d57c1891de3f31

            SHA256

            71efc8fc1dede4f96e837043ad3cbd38a65bd530ce71ae4d44ddc29843fab70b

            SHA512

            80044d4ece73637328e9b456c3127be02ecc9cea4b12fee65a884fed0266187aec58e6906c652face3b6125d59b9fa10303f02e1d8bfa33dbccb62fd2bc2b73d

          • C:\Users\Admin\Downloads\Oski_Stealer\Oski_Cracked_panel.com.exe
            Filesize

            200KB

            MD5

            6a24d4e31d46c2f602996981fe525fb6

            SHA1

            4134cbbdfec13e772a5d4b7af79159248781ef04

            SHA256

            b1a5d1029b72e65e2063bbdfff90d6e6c9ce98863859ddfa0c5f38f7afa7b770

            SHA512

            338f1252beb06140b4ac07087b38cfa9cc6b8a116e42c448ba2a489daf5ed039d6715c2e7f2288e71d94e964eae0fae1387a00264251043ec69bb170a62f8cfe

          • C:\Users\Admin\Downloads\Oski_Stealer\Oski_Stealer.exe
            Filesize

            20MB

            MD5

            e805420c064b84ae287b068f14ffb2e8

            SHA1

            bbd5cf53618c2cdf47464d6c688d7baa433747c3

            SHA256

            d727c2ed17780b47f2c8661cf896d434d2a1946a30888245dd1d47e7e7fdcbbf

            SHA512

            0881d0023d54581a723f4523be720b42f8417cc9c0ad057fdc235ed90e246643034471300ec4fd6e5cb8d97d33ce136f9edabab5141f4af23fa27ec4dbd61e33

          • C:\Users\Admin\Downloads\Oski_Stealer\bat.exe
            Filesize

            200KB

            MD5

            3ac80dee855e85c52c0170373af79a04

            SHA1

            79b6a5708b05b88847b605dfe5271073826ba5f4

            SHA256

            52338add561f1e396b0f8377e77bae2a05bcb8d7cc19548dbf9ff8cf0b57cc1f

            SHA512

            0a2eae9404bec953ba84d98c05455b0fd42500c80ab66e8c9ffb19e102a81cb98dd09b82e862dbe15fb142e39165514ff6ac12d6acf47494a73222052923eb3c

          • C:\Users\Admin\Downloads\Oski_Stealer\bot.exe
            Filesize

            200KB

            MD5

            3ac80dee855e85c52c0170373af79a04

            SHA1

            79b6a5708b05b88847b605dfe5271073826ba5f4

            SHA256

            52338add561f1e396b0f8377e77bae2a05bcb8d7cc19548dbf9ff8cf0b57cc1f

            SHA512

            0a2eae9404bec953ba84d98c05455b0fd42500c80ab66e8c9ffb19e102a81cb98dd09b82e862dbe15fb142e39165514ff6ac12d6acf47494a73222052923eb3c

          • C:\Users\Admin\Downloads\Oski_Stealer\crack.exe
            Filesize

            18KB

            MD5

            2a62b2d78f2c0f2efd39f07641d231e1

            SHA1

            30e17f27edb951a306fd907e37aacc170bf3c7be

            SHA256

            b4b1dd5fc206b0089ca1e7d613d6475a9a06bbcf4c207830d7c0cf02a94ae79a

            SHA512

            4246bb79753f803aaeef24ec6bb9f5ec23859f2cc24d3cfb58c901722cd089b98cf8a2eae6763d18f1a2a330f71887aa8dfbfbd2bb92865680c2f1135a371ca5

          • C:\Users\Admin\Downloads\Oski_Stealer\learn all kind of hacking.url
            Filesize

            121B

            MD5

            7ade4a739cbd8f44d0ef52a2f1bc6e7b

            SHA1

            20753d483e1a84cb248ba2c0fb72d44137d7d73f

            SHA256

            cc7649ed53c65e4851ace414529564fe16801bb2bed4cb15588bfd6b4ac13616

            SHA512

            5850c3d064c9d616854a47b4bd398b76494f1fbe9b356ec5e15879f97dc67970168196ec6b177fa71d15d25d25757a29319cbf9697f3a80461aa62b431d53851

          • \Users\Admin\Downloads\Oski_Stealer\Oski_Cracked_panel.com.exe
            Filesize

            200KB

            MD5

            6a24d4e31d46c2f602996981fe525fb6

            SHA1

            4134cbbdfec13e772a5d4b7af79159248781ef04

            SHA256

            b1a5d1029b72e65e2063bbdfff90d6e6c9ce98863859ddfa0c5f38f7afa7b770

            SHA512

            338f1252beb06140b4ac07087b38cfa9cc6b8a116e42c448ba2a489daf5ed039d6715c2e7f2288e71d94e964eae0fae1387a00264251043ec69bb170a62f8cfe

          • \Users\Admin\Downloads\Oski_Stealer\crack.exe
            Filesize

            18KB

            MD5

            2a62b2d78f2c0f2efd39f07641d231e1

            SHA1

            30e17f27edb951a306fd907e37aacc170bf3c7be

            SHA256

            b4b1dd5fc206b0089ca1e7d613d6475a9a06bbcf4c207830d7c0cf02a94ae79a

            SHA512

            4246bb79753f803aaeef24ec6bb9f5ec23859f2cc24d3cfb58c901722cd089b98cf8a2eae6763d18f1a2a330f71887aa8dfbfbd2bb92865680c2f1135a371ca5

          • memory/2456-54-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp
            Filesize

            8KB

          • memory/2608-57-0x0000000075BB1000-0x0000000075BB3000-memory.dmp
            Filesize

            8KB

          • memory/2764-78-0x000000001B590000-0x000000001B9AC000-memory.dmp
            Filesize

            4MB

          • memory/2764-84-0x000000001AB36000-0x000000001AB55000-memory.dmp
            Filesize

            124KB

          • memory/2764-80-0x000000001AB36000-0x000000001AB55000-memory.dmp
            Filesize

            124KB

          • memory/2764-70-0x0000000000940000-0x0000000000D36000-memory.dmp
            Filesize

            3MB

          • memory/2776-87-0x0000000000000000-mapping.dmp
          • memory/2804-77-0x00000000001C0000-0x00000000001CC000-memory.dmp
            Filesize

            48KB

          • memory/2804-74-0x0000000000000000-mapping.dmp