oski | 371384518223a80ff5381a728ba1e4f846c93713bb39bc80fb2d95cdd8158241

General

Target

Purchase Order.pdf.exe
Size

273KB
MD5

bb5ce7931695bdec6adf8bdc1a674a14
SHA1

ac678662e2dc124111cee4ff9f180b87a8b7f2c0
SHA256

371384518223a80ff5381a728ba1e4f846c93713bb39bc80fb2d95cdd8158241
SHA512

1bde736bcafc95da870d1a51022c03de359d66b65000c50a73a070256b2fc3c971f02d70a029e1e380d544cc85eb6564bba75b2f5ea78aefac42431eabeafe7a
SSDEEP

6144:cVP0JqJ1ped5HIf7SwKCcdo1L6BQgyZVLa0pOxWW6krZKy:u0JqJenHIfnTcdnhyZVLXOwW6ktKy

Score

10^/10

oski discovery infostealer persistence spyware stealer

Malware Config

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Downloads MZ/PE file

Loads dropped DLL 3 IoCs

pid	Process
3552	Purchase Order.pdf.exe
3552	Purchase Order.pdf.exe
3552	Purchase Order.pdf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows.dll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\file.exe"	Purchase Order.pdf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 396	4736	Purchase Order.pdf.exe	29
PID 396 set thread context of 3552	396	Purchase Order.pdf.exe	43

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Purchase Order.pdf.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1212	taskkill.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 4736 wrote to memory of 396	4736	Purchase Order.pdf.exe	29
PID 396 wrote to memory of 3552	396	Purchase Order.pdf.exe	43
PID 396 wrote to memory of 3552	396	Purchase Order.pdf.exe	43
PID 396 wrote to memory of 3552	396	Purchase Order.pdf.exe	43
PID 396 wrote to memory of 3552	396	Purchase Order.pdf.exe	43
PID 396 wrote to memory of 3552	396	Purchase Order.pdf.exe	43
PID 396 wrote to memory of 3552	396	Purchase Order.pdf.exe	43
PID 396 wrote to memory of 3552	396	Purchase Order.pdf.exe	43
PID 396 wrote to memory of 3552	396	Purchase Order.pdf.exe	43
PID 396 wrote to memory of 3552	396	Purchase Order.pdf.exe	43

C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe"
    3⤵
    - Loads dropped DLL
    - Checks processor information in registry
    PID:3552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /pid 3552 & erase C:\Users\Admin\AppData\Local\Temp\Purchase Order.pdf.exe & RD /S /Q C:\\ProgramData\\793578773182691\\* & exit
      4⤵
      PID:2412

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 3552
1⤵
- Kills process with taskkill
PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
66KB

MD5
1c6c6ea2f25c8a4be07547d2e82672b4

SHA1
0cae30c1734b813de07d7685ee831fedb5a8c8c0

SHA256
c1395ed3504d1ce1b81e1520b9ecd92a27294f3874f96411a0b589b06d2dba18

SHA512
0e822a201d5886053f77e126f5a80701d2f44020338e582bb48577e6e238a0c306e2a3322f547eded4b0f0c5c2303f274d17100c3cb615dd2c786580aef935ee

Download Submit
C:\ProgramData\nss3.dll

Filesize
54KB

MD5
396dc7bdd2c407ab92d500137908d24c

SHA1
0e569c3dd1ab309fee4bb4a9b9229ae82ce91757

SHA256
e4a20549720470a98cf01abadf4eefe817dcc0e1786b186adcb0c6a2365363af

SHA512
1aa72e771f9c744f68dd5c1e8ca3a527e17c7935a870e228e1402ce2839b89d85f88892652ea87d2b0d1536cfebc412542eb9655d809c4086f77f606e3b12984

Download Submit
C:\ProgramData\sqlite3.dll

Filesize
60KB

MD5
4cf3aee726c1acb96b4db978295b2a2d

SHA1
9a8d7a0fa485ad5d7b00daa9a69ac85abd4daac0

SHA256
97490d317398a799b8acf4f3e965e2df287839b21c374e207a1b89a13db10171

SHA512
12e4c286e41fda44ca46a3283945b79019e0bed9c014a0329f637194416986c674d68a59359c84dff302415671900c644713c5fffd22f251d3fae1e16509252b

Download Submit
memory/396-133-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/396-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/396-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3552-141-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3552-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3552-145-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3552-147-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3552-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3552-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing