Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22-12-2023 02:41
Static task: static1
Behavioral task: behavioral1
- Sample: 54d62e92b93a40149d7e4fa19b798201.ps1
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 54d62e92b93a40149d7e4fa19b798201.ps1
- Resource: win10v2004-20231222-en
General
- Target: 54d62e92b93a40149d7e4fa19b798201.ps1
- Size: 421KB
- MD5: 54d62e92b93a40149d7e4fa19b798201
- SHA1: 0404240f6104722844ace07eb116d5edbc7a4c18
- SHA256: 1384fedda1a2064b73982c64c756d109b16979a61ced905b338e7ad044c5e2f1
- SHA512: 0591e4987caad59642fb39d929465487b8d5290197b924f1a33bcf8ba5389d5a4a9d97af61b0284199e64c0b281ff41d634b9a8c4df2ef8e02e8a96842e3f4c1
- SSDEEP: 12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw64ML68:q33
Malware Config
Extracted:
- family: oski
- /103.114.107.28/l2626/
Signatures
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process         target process
  PID 1452 set thread context of 2812  1452  powershell.exe  MSBuild.exe
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  2604  2812        WerFault.exe  MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid   process
  1452  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1452  powershell.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description                       pid   process         target process
  PID 1452 wrote to memory of 2812  1452  powershell.exe  MSBuild.exe
  PID 1452 wrote to memory of 2812  1452  powershell.exe  MSBuild.exe
  PID 1452 wrote to memory of 2812  1452  powershell.exe  MSBuild.exe
  PID 1452 wrote to memory of 2812  1452  powershell.exe  MSBuild.exe
  PID 1452 wrote to memory of 2812  1452  powershell.exe  MSBuild.exe
  PID 1452 wrote to memory of 2812  1452  powershell.exe  MSBuild.exe
  PID 1452 wrote to memory of 2812  1452  powershell.exe  MSBuild.exe
  PID 1452 wrote to memory of 2812  1452  powershell.exe  MSBuild.exe
  PID 1452 wrote to memory of 2812  1452  powershell.exe  MSBuild.exe
  PID 1452 wrote to memory of 2812  1452  powershell.exe  MSBuild.exe
  PID 2812 wrote to memory of 2604  2812  MSBuild.exe     WerFault.exe
  PID 2812 wrote to memory of 2604  2812  MSBuild.exe     WerFault.exe
  PID 2812 wrote to memory of 2604  2812  MSBuild.exe     WerFault.exe
  PID 2812 wrote to memory of 2604  2812  MSBuild.exe     WerFault.exe
Processes
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1452)
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\54d62e92b93a40149d7e4fa19b798201.ps1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 2812)
    Command line: "{path}"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 2604)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 504
      - Program crash