oski | acaa6723efbef5d53904d2d8e69d3c3e3f09a9e08cb17e1e79b00583316609c6

General

Target

d69b90af0812b7634f0214cd46f54ae0.exe
Size

842KB
MD5

d69b90af0812b7634f0214cd46f54ae0
SHA1

37e03ed8fa0e16a1e317c25bdf06bb0ab0565839
SHA256

acaa6723efbef5d53904d2d8e69d3c3e3f09a9e08cb17e1e79b00583316609c6
SHA512

50ad7203c97c5c43ab479b3503889686ef2f81e41779e7db9984ba068583c64a03c15a9eaf8b03c0c094c209060a40facaba6bbeb0f55298f7e6c0b750f6547e
SSDEEP

24576:voR6qgvRqwva/KnBPH2QYncjgngjobuytTN:Asjk1/KnJHqncjgbbbdN

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

C2

193.142.58.164/www/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	d69b90af0812b7634f0214cd46f54ae0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 928	1788	d69b90af0812b7634f0214cd46f54ae0.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4076	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 4076	1788	d69b90af0812b7634f0214cd46f54ae0.exe	110
PID 1788 wrote to memory of 4076	1788	d69b90af0812b7634f0214cd46f54ae0.exe	110
PID 1788 wrote to memory of 4076	1788	d69b90af0812b7634f0214cd46f54ae0.exe	110
PID 1788 wrote to memory of 928	1788	d69b90af0812b7634f0214cd46f54ae0.exe	112
PID 1788 wrote to memory of 928	1788	d69b90af0812b7634f0214cd46f54ae0.exe	112
PID 1788 wrote to memory of 928	1788	d69b90af0812b7634f0214cd46f54ae0.exe	112
PID 1788 wrote to memory of 928	1788	d69b90af0812b7634f0214cd46f54ae0.exe	112
PID 1788 wrote to memory of 928	1788	d69b90af0812b7634f0214cd46f54ae0.exe	112
PID 1788 wrote to memory of 928	1788	d69b90af0812b7634f0214cd46f54ae0.exe	112
PID 1788 wrote to memory of 928	1788	d69b90af0812b7634f0214cd46f54ae0.exe	112
PID 1788 wrote to memory of 928	1788	d69b90af0812b7634f0214cd46f54ae0.exe	112
PID 1788 wrote to memory of 928	1788	d69b90af0812b7634f0214cd46f54ae0.exe	112

C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe
"C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cdgPKOcGVD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEDD6.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4076
- C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe
  "C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe"
  2⤵
  PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4488 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEDD6.tmp

Filesize
1KB

MD5
68adfa6c76bfda417a520d5c0216e9ba

SHA1
94d155877cc088d436b990b7dc9fa70d0c91080e

SHA256
05aebe0997d1e7676ee7c219cedf3cbe9d445b78b75ee6f734d5e719ab198d4b

SHA512
89882914e8d61b4e4e2fcf50baa1eac02e792064afcf0ef2db2cfe8d3492608a17ea9cd3a66d4d4154d489aa40fed8a91ba9380bfbca0ca0c1c75f895cf950eb

Download Submit
memory/928-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/928-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/928-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/928-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/928-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1788-4-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/1788-7-0x00000000080B0000-0x00000000080CA000-memory.dmp

Filesize
104KB

Download
memory/1788-8-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1788-9-0x0000000005A70000-0x0000000005A80000-memory.dmp

Filesize
64KB

Download
memory/1788-10-0x0000000006E30000-0x0000000006ED4000-memory.dmp

Filesize
656KB

Download
memory/1788-11-0x00000000080D0000-0x0000000008108000-memory.dmp

Filesize
224KB

Download
memory/1788-6-0x0000000008130000-0x00000000081CC000-memory.dmp

Filesize
624KB

Download
memory/1788-5-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/1788-1-0x0000000000D30000-0x0000000000E08000-memory.dmp

Filesize
864KB

Download
memory/1788-21-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1788-3-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/1788-2-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/1788-0-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads