Analysis
-
max time kernel
122s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
30-12-2023 08:21
General
-
Target
134a8e6481ac306a18cf1b20baaf8289.ps1
-
Size
421KB
-
MD5
134a8e6481ac306a18cf1b20baaf8289
-
SHA1
5653dd3516e2d4dec7b3c711ebe0e1ada51dc930
-
SHA256
2476e53d066a717d8627e08d13e7d2983e6ba9ecd76a8c3968273845f7996bde
-
SHA512
4ad91e37428da130a6d0766e66f590550088d6757ac7e13266b1c38fbc1e5b1f4ba8e1225db26af98cb119ccdeb56c882291ab628eb6560ebce8f62ed66bc5bf
-
SSDEEP
12288:+Zjw0RJ9u5ILYDxD3fxYehza/tw64BL68:q3W
Score
10/10
Malware Config
Extracted
Family
oski
C2
/103.114.107.28/l32/
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\134a8e6481ac306a18cf1b20baaf8289.ps11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"{path}"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"{path}"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 5043⤵
- Program crash
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
40KB
-
Filesize
9.6MB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
4KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB