oski | fd7a0cea676ea7114f56d5732307f5caf5444c7da5f961066c9289ed5fc766fc

Analysis

max time kernel
101s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PURCHASE ORDER AZAS112.xls.xll
Size

880KB
MD5

4ebc548df517cae4c7e3122e9c75ede6
SHA1

6e19e1e6f3a7b96cf562c2f6768f92580652d427
SHA256

6c67e1ccf77b872b1f3cf257a257d75c4995dc079945080f578b51357ccdbe55
SHA512

359be199470a83ad32db555840c5b33a6b69db96cc188d83d550639fe9fe75464529819fdf0cded9d489cb7ba03802667ac373d3ad2a3f7e4069b023c8508290
SSDEEP

24576:/zbGHAzHAjX1BcLgtBoKF0KihRPX0qFNE:/ziHILEV6Fm

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Language

xlm4.0

Source

Extracted

Family

oski

himarkh.xyz

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Executes dropped EXE 2 IoCs

pid	Process
4636	service.exe
1916	service.exe

Loads dropped DLL 2 IoCs

pid	Process
2920	EXCEL.EXE
2920	EXCEL.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4636 set thread context of 1916	4636	service.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2064	1916	WerFault.exe	90

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2920	EXCEL.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4636	service.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2920	EXCEL.EXE
2920	EXCEL.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2920	EXCEL.EXE
2920	EXCEL.EXE
2920	EXCEL.EXE
2920	EXCEL.EXE
2920	EXCEL.EXE
2920	EXCEL.EXE
2920	EXCEL.EXE
2920	EXCEL.EXE
2920	EXCEL.EXE
2920	EXCEL.EXE
2920	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 4636	2920	EXCEL.EXE	89
PID 2920 wrote to memory of 4636	2920	EXCEL.EXE	89
PID 2920 wrote to memory of 4636	2920	EXCEL.EXE	89
PID 4636 wrote to memory of 1916	4636	service.exe	90
PID 4636 wrote to memory of 1916	4636	service.exe	90
PID 4636 wrote to memory of 1916	4636	service.exe	90
PID 4636 wrote to memory of 1916	4636	service.exe	90

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER AZAS112.xls.xll"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Roaming\service.exe
  "C:\Users\Admin\AppData\Roaming\service.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Roaming\service.exe
    "C:\Users\Admin\AppData\Roaming\service.exe"
    3⤵
    - Executes dropped EXE
    PID:1916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 1308
      4⤵
      Program crash
      PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1916 -ip 1916
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER AZAS112.xls.xll

Filesize
108KB

MD5
f56daffd3c269ddb92fadb631a7b4463

SHA1
056460cde949b91b40600c58f82726038c2955c8

SHA256
6845959757648240d3d019faed2a333d9f20156d03164d5838a3bbf0ba47dc99

SHA512
832552270e79ea43fc8a5db9254e629df9a217c918f147346ed3a959d746936dd012c0ea84c1d897c4d89d411f87b61982039433204318d70be1269100825a7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER AZAS112.xls.xll

Filesize
149KB

MD5
0af0932797ba8f08e9afea456b41c6ff

SHA1
e129446e8642faea959d94913f36856b1af2c40f

SHA256
ccee12057c5af2f34a1b7ff14209596ced5f0509a656722ee7a248d6438c0700

SHA512
45cb30ca4f864f75a23a4a4a3582b93f31c7093c59f5c8bf540e97cd6707d612a451d70875ae35a6b0c9a491fa280362b6d3998622840dded9abe03a2fd49454

Download Submit
C:\Users\Admin\AppData\Local\Temp\sample.xlsx

Filesize
12KB

MD5
36cadc2fa9f7938f74061fda9b126a9f

SHA1
5252934ac46fb3bc8fdb361880ade043070501bd

SHA256
afc8ea53b3eeb62a44ce6d2b4593931d009ec00769410e76478cc88eab59d1f4

SHA512
b7668575cea53280a3d553b18e1ac7670eeafab9f2d48db5d86496722e2b1d5d48a3ac3b1e56a8d7198abd771f2d95fef4449792c214dffc2097e62273e7db1f

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
71KB

MD5
dee7f30222aa40234450e82b9d9451e3

SHA1
916f7b287d5b4009d910224891ddd85d30d83636

SHA256
272140a37cbb16e5ca6a7818e50ccdaadb49da655ca1a10fad8e1fd891acf439

SHA512
96406c272f5bd75456b21f2a87cbd16bfd38d9ec32d163f241768c336be9661a008751e083e34ce2c568eb9143e569d207345d160d9bcf162471a78e1e9f3975

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
60KB

MD5
b865c68affb6e71ed7b2e653b1d80809

SHA1
6ec33299d1fc3c9c5ca6fbae4771fb7fde9d7262

SHA256
117150cb71926b93ae80245ed262913a9c928711c22393cf5a52ce177586fe6d

SHA512
91a23953e3e2021dd0be2aed9f8f34a272927d0616a1a41378f14d37387173bddbde706065e1d3ec484e01a60698ca5b787b09de2b2eb3698b049a2d366b550b

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
81KB

MD5
a49f37dad2ee96c2fe7b1954a967d5d9

SHA1
cd94a61eba4fa2f5ebfb2d8cf360b5c14cd3798b

SHA256
914ed70669c31461ba011f7b8440ede00cec08c14f9320f47f8ef58e8c94200f

SHA512
1b1022e0763567b4a86c87a7fe76b9f90b7ef1e3d0a2ee8c792ef30663e350a3cbcf9ec52fc8066bf5bcb069cb1be5b58dc2fe84d991bdeff613ec55ec04edf7

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe

Filesize
17KB

MD5
1544d02b05bbbcf06b7476c3d8bfa796

SHA1
11f3264d4eaa0df827c61fe393fc24ac3f1d5a1a

SHA256
515673c44ff7d95798e914b95682319e8795c24b5e68c599dfabb253a7b8ba81

SHA512
5f505ea3b6a8dc99b36a777beabaa39528f0140a5e35ef0f87a7443eded1aed3b60da229dcada421fda5bf52cfb84d879a5ef0d4cab05ff33f661c2c1b350975

Download Submit
memory/1916-88-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1916-81-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1916-83-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1916-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1916-85-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2920-35-0x000001CA1FB80000-0x000001CA1FC36000-memory.dmp

Filesize
728KB

Download
memory/2920-33-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-10-0x00007FFD5EDA0000-0x00007FFD5EDB0000-memory.dmp

Filesize
64KB

Download
memory/2920-17-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-20-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-19-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-22-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-23-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-21-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-18-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-16-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-15-0x00007FFD5EDA0000-0x00007FFD5EDB0000-memory.dmp

Filesize
64KB

Download
memory/2920-25-0x000001CA03240000-0x000001CA03336000-memory.dmp

Filesize
984KB

Download
memory/2920-13-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-11-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-29-0x000001CA03480000-0x000001CA0349C000-memory.dmp

Filesize
112KB

Download
memory/2920-30-0x000001CA077E0000-0x000001CA0781C000-memory.dmp

Filesize
240KB

Download
memory/2920-31-0x00007FFD79300000-0x00007FFD79DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2920-34-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-0-0x00007FFD614D0000-0x00007FFD614E0000-memory.dmp

Filesize
64KB

Download
memory/2920-38-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-12-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-39-0x000001CA03540000-0x000001CA03550000-memory.dmp

Filesize
64KB

Download
memory/2920-37-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-36-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-14-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-32-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-4-0x00007FFD614D0000-0x00007FFD614E0000-memory.dmp

Filesize
64KB

Download
memory/2920-6-0x00007FFD614D0000-0x00007FFD614E0000-memory.dmp

Filesize
64KB

Download
memory/2920-9-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-8-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-7-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-5-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-3-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-2-0x00007FFD614D0000-0x00007FFD614E0000-memory.dmp

Filesize
64KB

Download
memory/2920-121-0x00007FFD79300000-0x00007FFD79DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2920-120-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-1-0x00007FFD614D0000-0x00007FFD614E0000-memory.dmp

Filesize
64KB

Download
memory/2920-94-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-95-0x00007FFDA1450000-0x00007FFDA1645000-memory.dmp

Filesize
2.0MB

Download
memory/2920-96-0x00007FFD79300000-0x00007FFD79DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2920-99-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-100-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-98-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-97-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-101-0x000001CA1FB70000-0x000001CA1FB80000-memory.dmp

Filesize
64KB

Download
memory/2920-116-0x00007FFD614D0000-0x00007FFD614E0000-memory.dmp

Filesize
64KB

Download
memory/2920-117-0x00007FFD614D0000-0x00007FFD614E0000-memory.dmp

Filesize
64KB

Download
memory/2920-118-0x00007FFD614D0000-0x00007FFD614E0000-memory.dmp

Filesize
64KB

Download
memory/2920-119-0x00007FFD614D0000-0x00007FFD614E0000-memory.dmp

Filesize
64KB

Download
memory/4636-79-0x0000000000C00000-0x0000000000D00000-memory.dmp

Filesize
1024KB

Download
memory/4636-80-0x0000000000EA0000-0x0000000000EA2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads