oski | acaa6723efbef5d53904d2d8e69d3c3e3f09a9e08cb17e1e79b00583316609c6

General

Target

d69b90af0812b7634f0214cd46f54ae0.exe
Size

842KB
MD5

d69b90af0812b7634f0214cd46f54ae0
SHA1

37e03ed8fa0e16a1e317c25bdf06bb0ab0565839
SHA256

acaa6723efbef5d53904d2d8e69d3c3e3f09a9e08cb17e1e79b00583316609c6
SHA512

50ad7203c97c5c43ab479b3503889686ef2f81e41779e7db9984ba068583c64a03c15a9eaf8b03c0c094c209060a40facaba6bbeb0f55298f7e6c0b750f6547e
SSDEEP

24576:voR6qgvRqwva/KnBPH2QYncjgngjobuytTN:Asjk1/KnJHqncjgbbbdN

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

C2

193.142.58.164/www/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2688	schtasks.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2688	1712	d69b90af0812b7634f0214cd46f54ae0.exe	30
PID 1712 wrote to memory of 2688	1712	d69b90af0812b7634f0214cd46f54ae0.exe	30
PID 1712 wrote to memory of 2688	1712	d69b90af0812b7634f0214cd46f54ae0.exe	30
PID 1712 wrote to memory of 2688	1712	d69b90af0812b7634f0214cd46f54ae0.exe	30
PID 1712 wrote to memory of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32
PID 1712 wrote to memory of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32
PID 1712 wrote to memory of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32
PID 1712 wrote to memory of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32
PID 1712 wrote to memory of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32
PID 1712 wrote to memory of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32
PID 1712 wrote to memory of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32
PID 1712 wrote to memory of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32
PID 1712 wrote to memory of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32
PID 1712 wrote to memory of 588	1712	d69b90af0812b7634f0214cd46f54ae0.exe	32

C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe
"C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cdgPKOcGVD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCE9.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe
  "C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe"
  2⤵
  PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBCE9.tmp

Filesize
1KB

MD5
cf6cd92f4239b85d22329df182f1cadc

SHA1
c61233a859f2b56c9951ffd089e256a5fcc060b5

SHA256
02ad419cf8f0bad9cba16857120a8391f41b3adf60ef152d0247a4183b00afb3

SHA512
6eeb80be92284e56c2f41c4ac72571cf4f4004c16325e5b5b359f67f588cf0a42a2cbc3ceae86847b1e2d62a52e3b90b2fce6b45777f40d47f448be1db053a1c

Download Submit
memory/588-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/588-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/588-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1712-6-0x00000000059D0000-0x0000000005A74000-memory.dmp

Filesize
656KB

Download
memory/1712-4-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-0-0x0000000001100000-0x00000000011D8000-memory.dmp

Filesize
864KB

Download
memory/1712-3-0x00000000004E0000-0x00000000004FA000-memory.dmp

Filesize
104KB

Download
memory/1712-1-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-7-0x0000000000600000-0x0000000000638000-memory.dmp

Filesize
224KB

Download
memory/1712-23-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-2-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1712-5-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads