oski | 18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485

General

Target

18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe
Size

308KB
MD5

be5881faee054826d32c90d47fed53ce
SHA1

25c63bcb8353bd35a4fd28826a5dd959d73379b6
SHA256

18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485
SHA512

b7d15268a15eec00b1069c391d18406de850334e13653ecd87eb936001d1c02aa10e9f597bd181408f1f232ca212354b01defa5496ce9bfd89a8c9b0c3d881ce
SSDEEP

6144:Bu8bleVTTURmXOu5OX/oX0e2AmSTCIr53qnsAvtgcmXDqWiQJ:M8STTUR6OuCgX0UmS9i16J

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

collegesboard.org

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Executes dropped EXE 2 IoCs

pid	Process
4796	Hrwfvhc.exe
4476	Czkorfvflbb.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5104	4476	WerFault.exe	84

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4796	Hrwfvhc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 4796	3044	18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe	83
PID 3044 wrote to memory of 4796	3044	18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe	83
PID 3044 wrote to memory of 4796	3044	18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe	83
PID 3044 wrote to memory of 4476	3044	18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe	84
PID 3044 wrote to memory of 4476	3044	18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe	84
PID 3044 wrote to memory of 4476	3044	18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe	84

C:\Users\Admin\AppData\Local\Temp\18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe
"C:\Users\Admin\AppData\Local\Temp\18e2b4fb63b38a0d2441bfa6f2afa3c6494e4f85479505f7d228447720ac0485.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\Hrwfvhc.exe
  "C:\Users\Admin\AppData\Local\Temp\Hrwfvhc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\Czkorfvflbb.exe
  "C:\Users\Admin\AppData\Local\Temp\Czkorfvflbb.exe"
  2⤵
  - Executes dropped EXE
  PID:4476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1388
    3⤵
    - Program crash
    PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4476 -ip 4476
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Czkorfvflbb.exe

Filesize
200KB

MD5
07ac7806a3f2bc0fc993d736ecb3572b

SHA1
49b54d7ece61cf9198dfc306a641f0d002b56acb

SHA256
165a20cece5bd869502d23ed2c9fdf5cb2e83451cca502b110f61371da70134d

SHA512
0bb78905d87356841e97e68be1d7c731f5cc4d15fa162017f9c520fceca327c589f8f31b9002c4869179af8626a03e89ef9b667a1a6d5e8f42eef2db98e1e123

Download Submit
C:\Users\Admin\AppData\Local\Temp\Czkorfvflbb.exe

Filesize
200KB

MD5
07ac7806a3f2bc0fc993d736ecb3572b

SHA1
49b54d7ece61cf9198dfc306a641f0d002b56acb

SHA256
165a20cece5bd869502d23ed2c9fdf5cb2e83451cca502b110f61371da70134d

SHA512
0bb78905d87356841e97e68be1d7c731f5cc4d15fa162017f9c520fceca327c589f8f31b9002c4869179af8626a03e89ef9b667a1a6d5e8f42eef2db98e1e123

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hrwfvhc.exe

Filesize
1.4MB

MD5
a73d5a695cac720fdd6b1679c013efed

SHA1
9f9d210afc38d3d4967edf194811109393b4b3fe

SHA256
b8696cb287e5b8ca935cd69e266b17feae0f2b0f265608bedf9cdacfd025f7bf

SHA512
767ab55f6a21d9eb24f0708dae635cea85df511edbb530e9657155f7ec4791889879596622e5f1842665d4bf25f9d2a6f1090918fba16f29137acf41e93059bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hrwfvhc.exe

Filesize
1.4MB

MD5
a73d5a695cac720fdd6b1679c013efed

SHA1
9f9d210afc38d3d4967edf194811109393b4b3fe

SHA256
b8696cb287e5b8ca935cd69e266b17feae0f2b0f265608bedf9cdacfd025f7bf

SHA512
767ab55f6a21d9eb24f0708dae635cea85df511edbb530e9657155f7ec4791889879596622e5f1842665d4bf25f9d2a6f1090918fba16f29137acf41e93059bc

Download Submit
memory/3044-132-0x0000000000A50000-0x0000000000AA4000-memory.dmp

Filesize
336KB

Download
memory/3044-133-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/3044-140-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

Filesize
10.8MB

Download
memory/4796-141-0x0000000000970000-0x0000000000ADA000-memory.dmp

Filesize
1.4MB

Download
memory/4796-142-0x0000000005B90000-0x0000000006134000-memory.dmp

Filesize
5.6MB

Download
memory/4796-143-0x00000000054A0000-0x0000000005532000-memory.dmp

Filesize
584KB

Download
memory/4796-144-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing