oski | 8e07cf5e12ed70918b410fdb95fdf6905c191df169df5fdf994daac99c8bd359

Analysis

max time kernel
75s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

406171ecbe8c3d96852acef91ec2e6db.exe
Size

571KB
MD5

406171ecbe8c3d96852acef91ec2e6db
SHA1

5fb7a4fc46659b510fbcbb51d9e08bdf08490b62
SHA256

8e07cf5e12ed70918b410fdb95fdf6905c191df169df5fdf994daac99c8bd359
SHA512

d0c472148ded74e627d33f1f1124b9275ba8ab9d2cb1443a88ebfecce57755b7e88d39e77819bbba75dad6cf905ba85e5372ca9341790f56e121263ababf10a3
SSDEEP

12288:B5tM+E02iNv4sxxrMAbU3Sg9r28R1g9lHQI0uS:vbE01usjMMuSg96WIjV

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

fair.le-pearl.com

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2684	4292	WerFault.exe	104

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4256	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\406171ecbe8c3d96852acef91ec2e6db.exe
"C:\Users\Admin\AppData\Local\Temp\406171ecbe8c3d96852acef91ec2e6db.exe"
1⤵
PID:4212
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YmTlkQcO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB65B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4256
- C:\Users\Admin\AppData\Local\Temp\406171ecbe8c3d96852acef91ec2e6db.exe
  "{path}"
  2⤵
  PID:4320
- C:\Users\Admin\AppData\Local\Temp\406171ecbe8c3d96852acef91ec2e6db.exe
  "{path}"
  2⤵
  PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1328
    3⤵
    - Program crash
    PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4292 -ip 4292
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DV2I56HE\suspendedpage[1].htm

Filesize
496B

MD5
1842eed13fddc700a50adada08a0f84d

SHA1
5e7b6997ffaf89afdb803de2e9231cd8886621ae

SHA256
47ac9eef48022403111f9cef6871af594079acdd88da83e7d2b2a92fa47f7368

SHA512
0d0086367e60782f81324abc5a79ae4c19aaa96aeb7aead23d4ca2dde0af5cc7cf3cc9b6e391b95405ed97a136fcd99af3f868a6027b89b5fcc47cff52272b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB65B.tmp

Filesize
1KB

MD5
8f1a230760a5f30e5eafd3cfeed001c3

SHA1
312b5dca9a4bda5c87db7dd4a4a7db9b8537e442

SHA256
5e41c0941ffbd96d8efb19d36a7b1ab2128f658455294adce2a3079980cf3a34

SHA512
712fdbf54ac242ba79040a1ab8a294cff209709720fd5b4d1300972a2a6d720b774a7d977183d77b474043606ce442b8d5db48a6ea46f6a059a923441ff66250

Download Submit
memory/4212-10-0x0000000005FB0000-0x000000000602A000-memory.dmp

Filesize
488KB

Download
memory/4212-11-0x0000000005EC0000-0x0000000005EF8000-memory.dmp

Filesize
224KB

Download
memory/4212-4-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4212-5-0x0000000004B70000-0x0000000004B7A000-memory.dmp

Filesize
40KB

Download
memory/4212-7-0x0000000004E90000-0x0000000004F2C000-memory.dmp

Filesize
624KB

Download
memory/4212-6-0x0000000004CD0000-0x0000000004CD8000-memory.dmp

Filesize
32KB

Download
memory/4212-8-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4212-9-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4212-1-0x0000000000040000-0x00000000000D6000-memory.dmp

Filesize
600KB

Download
memory/4212-3-0x0000000004AD0000-0x0000000004B62000-memory.dmp

Filesize
584KB

Download
memory/4212-2-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/4212-0-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4212-20-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4292-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4292-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4292-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4292-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4292-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads