oski | f4d42993edb8d76c99b92ae963656adde31f57336032bd351163ae2322475eca

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-01-2023 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

757F9B45EE33980B07406AEF416BF25C.exe
Size

465KB
MD5

757f9b45ee33980b07406aef416bf25c
SHA1

f950bd2804f25122dbd49e1c515567e5d151a134
SHA256

f4d42993edb8d76c99b92ae963656adde31f57336032bd351163ae2322475eca
SHA512

1a48d5d530660a1cf1b744e670861e7c7ce69d251f8ba2d48ad16617c6ff8bb144b8015e36028b9f57e9101b8fa4098005c151856be92948ed5c360f59458522
SSDEEP

12288:yA/U/fxrZijLXWgPkzzzzzXy9nzzzzK4J9wzpCHzcHtR/uzn:yAcxmPkzzzzzXy9nzzzzK4J98pCHzuRe

Score

10^/10

oski discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

oski

anstransport.com

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
896	Bitcoin Wallet.exe
1352	svc host.exe
1340	svc host.exe
628	Bitcoin Wallet.exe

Loads dropped DLL 5 IoCs

pid	Process
1356	757F9B45EE33980B07406AEF416BF25C.exe
1356	757F9B45EE33980B07406AEF416BF25C.exe
628	Bitcoin Wallet.exe
628	Bitcoin Wallet.exe
628	Bitcoin Wallet.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	Bitcoin Wallet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\FoGzRNCsHJ = "C:\\Users\\Admin\\AppData\\Roaming\\wDWQzMbHJQ\\xBLQRnSbFD.exe"	svc host.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 1340	1352	svc host.exe	30
PID 896 set thread context of 628	896	Bitcoin Wallet.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bitcoin Wallet.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1552	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	taskkill.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 896	1356	757F9B45EE33980B07406AEF416BF25C.exe	28
PID 1356 wrote to memory of 896	1356	757F9B45EE33980B07406AEF416BF25C.exe	28
PID 1356 wrote to memory of 896	1356	757F9B45EE33980B07406AEF416BF25C.exe	28
PID 1356 wrote to memory of 896	1356	757F9B45EE33980B07406AEF416BF25C.exe	28
PID 1356 wrote to memory of 1352	1356	757F9B45EE33980B07406AEF416BF25C.exe	29
PID 1356 wrote to memory of 1352	1356	757F9B45EE33980B07406AEF416BF25C.exe	29
PID 1356 wrote to memory of 1352	1356	757F9B45EE33980B07406AEF416BF25C.exe	29
PID 1356 wrote to memory of 1352	1356	757F9B45EE33980B07406AEF416BF25C.exe	29
PID 1352 wrote to memory of 1340	1352	svc host.exe	30
PID 896 wrote to memory of 628	896	Bitcoin Wallet.exe	31
PID 896 wrote to memory of 628	896	Bitcoin Wallet.exe	31
PID 896 wrote to memory of 628	896	Bitcoin Wallet.exe	31
PID 896 wrote to memory of 628	896	Bitcoin Wallet.exe	31
PID 1352 wrote to memory of 1340	1352	svc host.exe	30
PID 1352 wrote to memory of 1340	1352	svc host.exe	30
PID 1352 wrote to memory of 1340	1352	svc host.exe	30
PID 896 wrote to memory of 628	896	Bitcoin Wallet.exe	31
PID 1352 wrote to memory of 1340	1352	svc host.exe	30
PID 1352 wrote to memory of 1340	1352	svc host.exe	30
PID 896 wrote to memory of 628	896	Bitcoin Wallet.exe	31
PID 1352 wrote to memory of 1340	1352	svc host.exe	30
PID 896 wrote to memory of 628	896	Bitcoin Wallet.exe	31
PID 1352 wrote to memory of 1340	1352	svc host.exe	30
PID 896 wrote to memory of 628	896	Bitcoin Wallet.exe	31
PID 1352 wrote to memory of 1340	1352	svc host.exe	30
PID 896 wrote to memory of 628	896	Bitcoin Wallet.exe	31
PID 896 wrote to memory of 628	896	Bitcoin Wallet.exe	31
PID 628 wrote to memory of 1816	628	Bitcoin Wallet.exe	34
PID 628 wrote to memory of 1816	628	Bitcoin Wallet.exe	34
PID 628 wrote to memory of 1816	628	Bitcoin Wallet.exe	34
PID 628 wrote to memory of 1816	628	Bitcoin Wallet.exe	34
PID 1816 wrote to memory of 1552	1816	cmd.exe	36
PID 1816 wrote to memory of 1552	1816	cmd.exe	36
PID 1816 wrote to memory of 1552	1816	cmd.exe	36
PID 1816 wrote to memory of 1552	1816	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\757F9B45EE33980B07406AEF416BF25C.exe
"C:\Users\Admin\AppData\Local\Temp\757F9B45EE33980B07406AEF416BF25C.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Roaming\Bitcoin Wallet.exe
  "C:\Users\Admin\AppData\Roaming\Bitcoin Wallet.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Users\Admin\AppData\Roaming\Bitcoin Wallet.exe
    "C:\Users\Admin\AppData\Roaming\Bitcoin Wallet.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /pid 628 & erase C:\Users\Admin\AppData\Roaming\Bitcoin Wallet.exe & RD /S /Q C:\\ProgramData\\993637973315640\\* & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 628
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
- C:\Users\Admin\AppData\Roaming\svc host.exe
  "C:\Users\Admin\AppData\Roaming\svc host.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Roaming\svc host.exe
    "C:\Users\Admin\AppData\Roaming\svc host.exe"
    3⤵
    - Executes dropped EXE
    PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Bitcoin Wallet.exe

Filesize
264KB

MD5
17b3383a638c8e71894afdab1a2a5663

SHA1
4c26ddeab4ae5bc78bfd9002e021311c80ea0396

SHA256
4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f

SHA512
265a8dd85bc1c3e456e38734818f08faf4c71451082dca9dd7182c348284158ff31771eb4d2ebf6ee157640ee91825c90e57a326d17af7d72efae030af23fb5c

Download Submit
C:\Users\Admin\AppData\Roaming\Bitcoin Wallet.exe

Filesize
264KB

MD5
17b3383a638c8e71894afdab1a2a5663

SHA1
4c26ddeab4ae5bc78bfd9002e021311c80ea0396

SHA256
4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f

SHA512
265a8dd85bc1c3e456e38734818f08faf4c71451082dca9dd7182c348284158ff31771eb4d2ebf6ee157640ee91825c90e57a326d17af7d72efae030af23fb5c

Download Submit
C:\Users\Admin\AppData\Roaming\Bitcoin Wallet.exe

Filesize
264KB

MD5
17b3383a638c8e71894afdab1a2a5663

SHA1
4c26ddeab4ae5bc78bfd9002e021311c80ea0396

SHA256
4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f

SHA512
265a8dd85bc1c3e456e38734818f08faf4c71451082dca9dd7182c348284158ff31771eb4d2ebf6ee157640ee91825c90e57a326d17af7d72efae030af23fb5c

Download Submit
C:\Users\Admin\AppData\Roaming\svc host.exe

Filesize
140KB

MD5
397638390e9c49c10200a5cbd7a9ec7f

SHA1
e763d4cf6f005eac4fa683647d33ff9989069a90

SHA256
0b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f

SHA512
11e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701

Download Submit
C:\Users\Admin\AppData\Roaming\svc host.exe

Filesize
140KB

MD5
397638390e9c49c10200a5cbd7a9ec7f

SHA1
e763d4cf6f005eac4fa683647d33ff9989069a90

SHA256
0b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f

SHA512
11e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701

Download Submit
C:\Users\Admin\AppData\Roaming\svc host.exe

Filesize
140KB

MD5
397638390e9c49c10200a5cbd7a9ec7f

SHA1
e763d4cf6f005eac4fa683647d33ff9989069a90

SHA256
0b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f

SHA512
11e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701

Download Submit
\ProgramData\mozglue.dll

Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll

Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Roaming\Bitcoin Wallet.exe

Filesize
264KB

MD5
17b3383a638c8e71894afdab1a2a5663

SHA1
4c26ddeab4ae5bc78bfd9002e021311c80ea0396

SHA256
4ac4190585ef636ef707459413641fcd87fc6e4f3b112b72b564554e16d9fa2f

SHA512
265a8dd85bc1c3e456e38734818f08faf4c71451082dca9dd7182c348284158ff31771eb4d2ebf6ee157640ee91825c90e57a326d17af7d72efae030af23fb5c

Download Submit
\Users\Admin\AppData\Roaming\svc host.exe

Filesize
140KB

MD5
397638390e9c49c10200a5cbd7a9ec7f

SHA1
e763d4cf6f005eac4fa683647d33ff9989069a90

SHA256
0b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f

SHA512
11e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701

Download Submit
memory/628-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/628-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/628-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/628-98-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/628-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/628-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/628-103-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/628-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/628-88-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/896-68-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/896-65-0x0000000000880000-0x00000000008CA000-memory.dmp

Filesize
296KB

Download
memory/1340-89-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1340-71-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1340-83-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1340-69-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1340-79-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1340-94-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1340-75-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1352-64-0x0000000000A10000-0x0000000000A3A000-memory.dmp

Filesize
168KB

Download
memory/1356-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1356-63-0x0000000074F00000-0x00000000754AB000-memory.dmp

Filesize
5.7MB

Download