oski | 44aa270e4c081241057bad8c1d0ea5864087325f8e3209aa10747f108123f718

General

Target

452e6c334e555629c538c4aa6b2adc26.exe
Size

792KB
MD5

452e6c334e555629c538c4aa6b2adc26
SHA1

f24a31707b2b0037adcc712b0d83541074f909d2
SHA256

44aa270e4c081241057bad8c1d0ea5864087325f8e3209aa10747f108123f718
SHA512

1412c3682f9c0e239743450d7ce86b37e726101f5f1786fe215dfd18c61911f31f13533549c3af2033ce6dbf47dc638466283dca62fd8df062ea2a65e3fd811a
SSDEEP

12288:YcaQxt8LiULbgDPwFVt2NjFhslyAz1+LC6oSU4Acp82cz8/mNMgMRyLcvyQQGSI:NGb0wFVMNjTsl9zwLCZGAa8mqaQeW

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

C2

185.212.131.198/ww/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
1988	2816	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2000	schtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2000	2448	452e6c334e555629c538c4aa6b2adc26.exe	30
PID 2448 wrote to memory of 2000	2448	452e6c334e555629c538c4aa6b2adc26.exe	30
PID 2448 wrote to memory of 2000	2448	452e6c334e555629c538c4aa6b2adc26.exe	30
PID 2448 wrote to memory of 2000	2448	452e6c334e555629c538c4aa6b2adc26.exe	30
PID 2448 wrote to memory of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 2448 wrote to memory of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 2448 wrote to memory of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 2448 wrote to memory of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 2448 wrote to memory of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 2448 wrote to memory of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 2448 wrote to memory of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 2448 wrote to memory of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 2448 wrote to memory of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 2448 wrote to memory of 2816	2448	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 2816 wrote to memory of 1988	2816	452e6c334e555629c538c4aa6b2adc26.exe	31
PID 2816 wrote to memory of 1988	2816	452e6c334e555629c538c4aa6b2adc26.exe	31
PID 2816 wrote to memory of 1988	2816	452e6c334e555629c538c4aa6b2adc26.exe	31
PID 2816 wrote to memory of 1988	2816	452e6c334e555629c538c4aa6b2adc26.exe	31

C:\Users\Admin\AppData\Local\Temp\452e6c334e555629c538c4aa6b2adc26.exe
"C:\Users\Admin\AppData\Local\Temp\452e6c334e555629c538c4aa6b2adc26.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BqppCjWADhQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\452e6c334e555629c538c4aa6b2adc26.exe
  "C:\Users\Admin\AppData\Local\Temp\452e6c334e555629c538c4aa6b2adc26.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 112
1⤵
- Program crash
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF1BE.tmp

Filesize
1KB

MD5
069fdce77ba3d0cbf7baff5ade618659

SHA1
cea38eafebf6058838c7834e7ebbafe306540efd

SHA256
a9ab4405979c67059d135283580d22e6afbad89485c688d84564354819af5b19

SHA512
8bb1c4e6fd25aa8c27774493bbfefc6933b327b1047320cf45196a23848b46b1b0b4b94804516136864ad13f1154b7540e7b3ac7c8b81d378da28e6d0fe80153

Download Submit
memory/2448-4-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-5-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/2448-1-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-0-0x0000000000C30000-0x0000000000CFC000-memory.dmp

Filesize
816KB

Download
memory/2448-26-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-6-0x0000000008230000-0x00000000082C8000-memory.dmp

Filesize
608KB

Download
memory/2448-7-0x0000000000810000-0x0000000000848000-memory.dmp

Filesize
224KB

Download
memory/2448-2-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/2448-3-0x0000000000590000-0x00000000005AA000-memory.dmp

Filesize
104KB

Download
memory/2816-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2816-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2816-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2816-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2816-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2816-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2816-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads