Analysis
max time kernel: 2s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-12-2023 02:33
Static task: static1

Behavioral task: behavioral1
  Sample: 537dafbf2acf47786823913fcb138634.ps1
  Resource: win7-20231129-en (windows7-x64)
  2 signatures, 150 seconds

Behavioral task: behavioral2
  Sample: 537dafbf2acf47786823913fcb138634.ps1
  Resource: win10v2004-20231215-en (windows10-2004-x64)
  6 signatures, 150 seconds
General
Target: 537dafbf2acf47786823913fcb138634.ps1
Size: 656KB
MD5: 537dafbf2acf47786823913fcb138634
SHA1: 750303a51406a6947f8c5043c9010a0f95590522
SHA256: 3a7ddba50c414ef70d1796f1e3eef20b1684811f03a0c400d5388a0079ef4ce5
SHA512: 778a88719be802f22facc88dbd0a19a153c5c2e79e043f2db0c4b4bb8995972a37485738763365ccc1815742fc183110f6f6c699532ccbe1034395fe0dfb7006
SSDEEP: 12288:EZjw0RJ9u5ILYDxD3fxYehza/tw64c8TVkc5A+:g3gTmr+
Score: 10/10
Malware Config
Extracted
Family: oski
C2: /103.114.107.28/l1919/
Signatures

Oski
Oski is an infostealer targeting browser data and crypto wallets.

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 3292 set thread context of 4200  3292  powershell.exe  35

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4760  4200        WerFault.exe  35

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3292  powershell.exe
  3292  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  3292  powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process         procid_target
  PID 3292 wrote to memory of 4200  3292  powershell.exe  35
  (the same entry is recorded 9 times)
Processes

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\537dafbf2acf47786823913fcb138634.ps1
   PID: 3292
   Signatures:
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Command line: #cmd
      PID: 4200

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1120
         PID: 4760
         Signatures:
         - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4200 -ip 4200
   PID: 1964