oski | a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
Size

1.2MB
MD5

ddde6fc0ce346b0ab7bb0c8c02a09d33
SHA1

1067652f21fd05902288613746b5e2ea79bd07f9
SHA256

a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c
SHA512

66a92b7f14371069d78876add097fb8f847755eff95edd846939566f0ce219b686f265c8a57dbe6e19e5f12145bfbfcccff09371413a758005d1aee7d8490c49
SSDEEP

12288:PYhxa6BTGO/NkJWZeZQCmdjVv6LZRsXdmSLem2Vg4miT9UJESs6IcWByCcRQUBqh:PYv5CmHAIOsBgo0q4wMPnpx2XP4iO1H

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

fine.le-pearl.com

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral1/memory/1764-3-0x0000000000340000-0x0000000000352000-memory.dmp	CustAttr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1296	2528	WerFault.exe	31

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
2484	powershell.exe
2832	powershell.exe
2460	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2832	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	28
PID 1764 wrote to memory of 2832	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	28
PID 1764 wrote to memory of 2832	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	28
PID 1764 wrote to memory of 2832	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	28
PID 1764 wrote to memory of 2460	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	36
PID 1764 wrote to memory of 2460	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	36
PID 1764 wrote to memory of 2460	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	36
PID 1764 wrote to memory of 2460	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	36
PID 1764 wrote to memory of 1744	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	34
PID 1764 wrote to memory of 1744	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	34
PID 1764 wrote to memory of 1744	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	34
PID 1764 wrote to memory of 1744	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	34
PID 1764 wrote to memory of 2484	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	33
PID 1764 wrote to memory of 2484	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	33
PID 1764 wrote to memory of 2484	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	33
PID 1764 wrote to memory of 2484	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	33
PID 1764 wrote to memory of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31
PID 1764 wrote to memory of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31
PID 1764 wrote to memory of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31
PID 1764 wrote to memory of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31
PID 1764 wrote to memory of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31
PID 1764 wrote to memory of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31
PID 1764 wrote to memory of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31
PID 1764 wrote to memory of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31
PID 1764 wrote to memory of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31
PID 1764 wrote to memory of 2528	1764	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	31
PID 2528 wrote to memory of 1296	2528	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	41
PID 2528 wrote to memory of 1296	2528	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	41
PID 2528 wrote to memory of 1296	2528	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	41
PID 2528 wrote to memory of 1296	2528	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	41

C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
"C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
  "C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 700
    3⤵
    - Program crash
    PID:1296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nllJKmehpTGztY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nllJKmehpTGztY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA1B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nllJKmehpTGztY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBA1B.tmp

Filesize
1KB

MD5
e23258203fb5f8188d521bee82e1067b

SHA1
269c6e52c80f9df473ff93ffa399594440d5d183

SHA256
56979eb00bf05069329eb5f45b00876e1ffe90f795d87e75ebf440bcb74ec04a

SHA512
249bc0353a350f13994e9c875827e18232164a19aa1adb45d3a5190f92370db84787e371efdc85412f809a94f060e33d608e593909aa15807c13480a3b0b4e4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5dd762279569c05e75989d1ec5bac049

SHA1
0daca5fa18c364f09241b68f83b00c172414ab22

SHA256
615eadc4a7fe71379ab330233103fb45cae6a769a6a2f11339f15bb01406d7db

SHA512
bb5a235397831f1d2f4243a5950c8ce34c6e331821f2c088f42c3e6f9fdcc39e8ad33cbf42a7d826a124482dbecb5f51ca02de8ef2aab372e30eb3c939fd3ecf

Download Submit
memory/1764-4-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1764-1-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1764-0-0x0000000000C90000-0x0000000000DD4000-memory.dmp

Filesize
1.3MB

Download
memory/1764-5-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1764-6-0x0000000005160000-0x00000000051E2000-memory.dmp

Filesize
520KB

Download
memory/1764-7-0x0000000000660000-0x000000000069A000-memory.dmp

Filesize
232KB

Download
memory/1764-2-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1764-3-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1764-37-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2460-48-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2460-49-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2460-38-0x000000006F1F0000-0x000000006F79B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-40-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/2460-54-0x000000006F1F0000-0x000000006F79B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-42-0x000000006F1F0000-0x000000006F79B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-45-0x000000006F1F0000-0x000000006F79B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-55-0x000000006F1F0000-0x000000006F79B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-43-0x000000006F1F0000-0x000000006F79B000-memory.dmp

Filesize
5.7MB

Download
memory/2484-44-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2484-46-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2484-50-0x00000000026B0000-0x00000000026F0000-memory.dmp

Filesize
256KB

Download
memory/2528-51-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-26-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2528-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-56-0x000000006F1F0000-0x000000006F79B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-47-0x0000000002B40000-0x0000000002B80000-memory.dmp

Filesize
256KB

Download
memory/2832-39-0x000000006F1F0000-0x000000006F79B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-41-0x000000006F1F0000-0x000000006F79B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-52-0x0000000002B40000-0x0000000002B80000-memory.dmp

Filesize
256KB

Download
memory/2832-53-0x0000000002B40000-0x0000000002B80000-memory.dmp

Filesize
256KB

Download