oski | 44aa270e4c081241057bad8c1d0ea5864087325f8e3209aa10747f108123f718

General

Target

452e6c334e555629c538c4aa6b2adc26.exe
Size

792KB
MD5

452e6c334e555629c538c4aa6b2adc26
SHA1

f24a31707b2b0037adcc712b0d83541074f909d2
SHA256

44aa270e4c081241057bad8c1d0ea5864087325f8e3209aa10747f108123f718
SHA512

1412c3682f9c0e239743450d7ce86b37e726101f5f1786fe215dfd18c61911f31f13533549c3af2033ce6dbf47dc638466283dca62fd8df062ea2a65e3fd811a
SSDEEP

12288:YcaQxt8LiULbgDPwFVt2NjFhslyAz1+LC6oSU4Acp82cz8/mNMgMRyLcvyQQGSI:NGb0wFVMNjTsl9zwLCZGAa8mqaQeW

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

C2

185.212.131.198/ww/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2900	schtasks.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2900	3068	452e6c334e555629c538c4aa6b2adc26.exe	30
PID 3068 wrote to memory of 2900	3068	452e6c334e555629c538c4aa6b2adc26.exe	30
PID 3068 wrote to memory of 2900	3068	452e6c334e555629c538c4aa6b2adc26.exe	30
PID 3068 wrote to memory of 2900	3068	452e6c334e555629c538c4aa6b2adc26.exe	30
PID 3068 wrote to memory of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 3068 wrote to memory of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 3068 wrote to memory of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 3068 wrote to memory of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 3068 wrote to memory of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 3068 wrote to memory of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 3068 wrote to memory of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 3068 wrote to memory of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 3068 wrote to memory of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32
PID 3068 wrote to memory of 1672	3068	452e6c334e555629c538c4aa6b2adc26.exe	32

C:\Users\Admin\AppData\Local\Temp\452e6c334e555629c538c4aa6b2adc26.exe
"C:\Users\Admin\AppData\Local\Temp\452e6c334e555629c538c4aa6b2adc26.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BqppCjWADhQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp760A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\452e6c334e555629c538c4aa6b2adc26.exe
  "C:\Users\Admin\AppData\Local\Temp\452e6c334e555629c538c4aa6b2adc26.exe"
  2⤵
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp760A.tmp

Filesize
1KB

MD5
3f127b7c768f72d25fc0af8f40b78da0

SHA1
899cfaaab6ff3213aaabc95ef1b204abb32dd8e3

SHA256
4ef1580cea2b10ba6ecedc8654e199c109ffe42fed00cba4d3bf9453160ed309

SHA512
74c59ca324d81c9d9da23fdd6e8237636ac59cf3080599d7ffefb02aad60618cb2838fc111d2b5b6eb7f68d9fd1cf695d846618ba3aa8a9cce4c9d809ee628ad

Download Submit
memory/1672-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1672-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3068-3-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/3068-1-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/3068-7-0x0000000000B80000-0x0000000000BB8000-memory.dmp

Filesize
224KB

Download
memory/3068-2-0x00000000048F0000-0x0000000004930000-memory.dmp

Filesize
256KB

Download
memory/3068-0-0x0000000001010000-0x00000000010DC000-memory.dmp

Filesize
816KB

Download
memory/3068-6-0x00000000062C0000-0x0000000006358000-memory.dmp

Filesize
608KB

Download
memory/3068-5-0x00000000048F0000-0x0000000004930000-memory.dmp

Filesize
256KB

Download
memory/3068-24-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/3068-4-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads