Analysis
-
max time kernel
2s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2023 02:33
Static task
static1
Behavioral task
behavioral1
Sample
537dafbf2acf47786823913fcb138634.ps1
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
537dafbf2acf47786823913fcb138634.ps1
Resource
win10v2004-20231215-en
General
-
Target
537dafbf2acf47786823913fcb138634.ps1
-
Size
656KB
-
MD5
537dafbf2acf47786823913fcb138634
-
SHA1
750303a51406a6947f8c5043c9010a0f95590522
-
SHA256
3a7ddba50c414ef70d1796f1e3eef20b1684811f03a0c400d5388a0079ef4ce5
-
SHA512
778a88719be802f22facc88dbd0a19a153c5c2e79e043f2db0c4b4bb8995972a37485738763365ccc1815742fc183110f6f6c699532ccbe1034395fe0dfb7006
-
SSDEEP
12288:EZjw0RJ9u5ILYDxD3fxYehza/tw64c8TVkc5A+:g3gTmr+
Malware Config
Extracted
oski
/103.114.107.28/l1919/
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3292 set thread context of 4200 3292 powershell.exe aspnet_compiler.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4760 4200 WerFault.exe aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 3292 powershell.exe 3292 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3292 powershell.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
powershell.exedescription pid process target process PID 3292 wrote to memory of 4200 3292 powershell.exe aspnet_compiler.exe PID 3292 wrote to memory of 4200 3292 powershell.exe aspnet_compiler.exe PID 3292 wrote to memory of 4200 3292 powershell.exe aspnet_compiler.exe PID 3292 wrote to memory of 4200 3292 powershell.exe aspnet_compiler.exe PID 3292 wrote to memory of 4200 3292 powershell.exe aspnet_compiler.exe PID 3292 wrote to memory of 4200 3292 powershell.exe aspnet_compiler.exe PID 3292 wrote to memory of 4200 3292 powershell.exe aspnet_compiler.exe PID 3292 wrote to memory of 4200 3292 powershell.exe aspnet_compiler.exe PID 3292 wrote to memory of 4200 3292 powershell.exe aspnet_compiler.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\537dafbf2acf47786823913fcb138634.ps11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe#cmd2⤵PID:4200
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 11203⤵
- Program crash
PID:4760
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4200 -ip 42001⤵PID:1964
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e