oski | b0f6371db252edc20aeaee0ed2ff64c2514515d7d0f823d508b756269ccabfbd

General

Target

Purchase Order.pdf.exe
Size

273KB
MD5

f90a77f7962de4074d4dc02d82b765be
SHA1

e8a9ec0c4032818fa92cd148a770fa6192535ce5
SHA256

b0f6371db252edc20aeaee0ed2ff64c2514515d7d0f823d508b756269ccabfbd
SHA512

a36a482019f06813e5642c33db15fd6f0ef9954c5c97e427a442cffd38b8ead68931314c677940ca78232c2d2710c95413ccb2b41f234d120ffdbcad162182f9
SSDEEP

6144:MVP0JqJ1peuOkG6Msr49xOfyGU3LLEE/X9jdR+j1sfw6kVtgfnZ:e0JqJeKDMs4T3kMXjg1sjYgfnZ

Score

10^/10

oski infostealer persistence spyware stealer

Malware Config

Extracted

Family

oski

C2

�&C

virzx.xyz

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Purchase Order.pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	Purchase Order.pdf.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Purchase Order.pdf.exePurchase Order.pdf.exe

description	pid	process	target process
PID 1720 set thread context of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 set thread context of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1544 1716 WerFault.exe Purchase Order.pdf.exe

pid	pid_target	process	target process
1544	1716	WerFault.exe	Purchase Order.pdf.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

Purchase Order.pdf.exePurchase Order.pdf.exePurchase Order.pdf.exe

description	pid	process	target process
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1720 wrote to memory of 1580	1720	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 wrote to memory of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 wrote to memory of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 wrote to memory of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 wrote to memory of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 wrote to memory of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 wrote to memory of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 wrote to memory of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 wrote to memory of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 wrote to memory of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1580 wrote to memory of 1716	1580	Purchase Order.pdf.exe	Purchase Order.pdf.exe
PID 1716 wrote to memory of 1544	1716	Purchase Order.pdf.exe	WerFault.exe
PID 1716 wrote to memory of 1544	1716	Purchase Order.pdf.exe	WerFault.exe
PID 1716 wrote to memory of 1544	1716	Purchase Order.pdf.exe	WerFault.exe
PID 1716 wrote to memory of 1544	1716	Purchase Order.pdf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 904
4⤵
- Program crash
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1544-83-0x0000000000000000-mapping.dmp

Download
memory/1580-78-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-58-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-59-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-62-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-63-0x0000000000401110-mapping.dmp

Download
memory/1580-66-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1580-65-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1580-54-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1716-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-77-0x000000000040717B-mapping.dmp

Download
memory/1716-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads