oski | 223dfd54929007ac23d6a20dbcf81a519a14f1c4061d23afcb761b75796042d2

General

Target

da484abefb23789c13add9ecd7ea7eeb.exe
Size

693KB
MD5

da484abefb23789c13add9ecd7ea7eeb
SHA1

cf0098c51761c3c9b860cdfd290734f0d1657bba
SHA256

223dfd54929007ac23d6a20dbcf81a519a14f1c4061d23afcb761b75796042d2
SHA512

380d3227555739a95ae2514fbe1f24882cbf91db508339837aee2fc6d1ac1c5a7feabcef9bf87ebc8b4efe6fa1f142f2ad9efd595899875fd1e416aa1965d368
SSDEEP

6144:eR5RLb7fVUQdGoKtqyknjzIaC+APzRXks3ccv78vSvFvvUvsvlvzvLvbv+vhvtDf:eR5NVbdjKcVPIjPzRXks3rgpES

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

C2

http://2.56.59.226/www/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1336 set thread context of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2712	2504	WerFault.exe	28

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	da484abefb23789c13add9ecd7ea7eeb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	da484abefb23789c13add9ecd7ea7eeb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1336	da484abefb23789c13add9ecd7ea7eeb.exe
1336	da484abefb23789c13add9ecd7ea7eeb.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 1336 wrote to memory of 2504	1336	da484abefb23789c13add9ecd7ea7eeb.exe	28
PID 2504 wrote to memory of 2712	2504	da484abefb23789c13add9ecd7ea7eeb.exe	29
PID 2504 wrote to memory of 2712	2504	da484abefb23789c13add9ecd7ea7eeb.exe	29
PID 2504 wrote to memory of 2712	2504	da484abefb23789c13add9ecd7ea7eeb.exe	29
PID 2504 wrote to memory of 2712	2504	da484abefb23789c13add9ecd7ea7eeb.exe	29

C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe
"C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe
  "C:\Users\Admin\AppData\Local\Temp\da484abefb23789c13add9ecd7ea7eeb.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 116
    3⤵
    - Program crash
    PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-22-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/1336-1-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1336-2-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/1336-3-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/1336-4-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/1336-5-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/1336-7-0x00000000056A0000-0x0000000005724000-memory.dmp

Filesize
528KB

Download
memory/1336-23-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1336-0-0x0000000001040000-0x00000000010F4000-memory.dmp

Filesize
720KB

Download
memory/2504-10-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2504-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2504-15-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2504-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2504-18-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2504-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2504-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2504-8-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2504-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing