oski | b0f6371db252edc20aeaee0ed2ff64c2514515d7d0f823d508b756269ccabfbd

Analysis

max time kernel
91s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2022 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.pdf.exe
Size

273KB
MD5

f90a77f7962de4074d4dc02d82b765be
SHA1

e8a9ec0c4032818fa92cd148a770fa6192535ce5
SHA256

b0f6371db252edc20aeaee0ed2ff64c2514515d7d0f823d508b756269ccabfbd
SHA512

a36a482019f06813e5642c33db15fd6f0ef9954c5c97e427a442cffd38b8ead68931314c677940ca78232c2d2710c95413ccb2b41f234d120ffdbcad162182f9
SSDEEP

6144:MVP0JqJ1peuOkG6Msr49xOfyGU3LLEE/X9jdR+j1sfw6kVtgfnZ:e0JqJeKDMs4T3kMXjg1sjYgfnZ

Score

10^/10

oski infostealer persistence spyware stealer

Malware Config

Extracted

Family

oski

�&C

virzx.xyz

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	Purchase Order.pdf.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5024 set thread context of 1588	5024	Purchase Order.pdf.exe	84
PID 1588 set thread context of 404	1588	Purchase Order.pdf.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3148	404	WerFault.exe	85

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 5024 wrote to memory of 1588	5024	Purchase Order.pdf.exe	84
PID 1588 wrote to memory of 404	1588	Purchase Order.pdf.exe	85
PID 1588 wrote to memory of 404	1588	Purchase Order.pdf.exe	85
PID 1588 wrote to memory of 404	1588	Purchase Order.pdf.exe	85
PID 1588 wrote to memory of 404	1588	Purchase Order.pdf.exe	85
PID 1588 wrote to memory of 404	1588	Purchase Order.pdf.exe	85
PID 1588 wrote to memory of 404	1588	Purchase Order.pdf.exe	85
PID 1588 wrote to memory of 404	1588	Purchase Order.pdf.exe	85
PID 1588 wrote to memory of 404	1588	Purchase Order.pdf.exe	85
PID 1588 wrote to memory of 404	1588	Purchase Order.pdf.exe	85

C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
    3⤵
    PID:404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1932
      4⤵
      Program crash
      PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 404 -ip 404
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-142-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/404-145-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1588-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1588-138-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1588-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download