oski | a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
Size

1.2MB
MD5

ddde6fc0ce346b0ab7bb0c8c02a09d33
SHA1

1067652f21fd05902288613746b5e2ea79bd07f9
SHA256

a375d88a6666e7101b4f582ea0239033e4716e883ecb301245011e9c58054a9c
SHA512

66a92b7f14371069d78876add097fb8f847755eff95edd846939566f0ce219b686f265c8a57dbe6e19e5f12145bfbfcccff09371413a758005d1aee7d8490c49
SSDEEP

12288:PYhxa6BTGO/NkJWZeZQCmdjVv6LZRsXdmSLem2Vg4miT9UJESs6IcWByCcRQUBqh:PYv5CmHAIOsBgo0q4wMPnpx2XP4iO1H

Score

10^/10

oski infostealer spyware stealer

Malware Config

Extracted

Family

oski

fine.le-pearl.com

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1964-3-0x0000000000430000-0x0000000000442000-memory.dmp	CustAttr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

Processes:

ddde6fc0ce346b0ab7bb0c8c02a09d33.exe

description	pid	Process	procid_target
PID 1964 set thread context of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
324	2020	WerFault.exe	37

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

ddde6fc0ce346b0ab7bb0c8c02a09d33.exepowershell.exepowershell.exepowershell.exe

pid	Process
1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
2580	powershell.exe
2492	powershell.exe
2484	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ddde6fc0ce346b0ab7bb0c8c02a09d33.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

ddde6fc0ce346b0ab7bb0c8c02a09d33.exeddde6fc0ce346b0ab7bb0c8c02a09d33.exe

description	pid	Process	procid_target
PID 1964 wrote to memory of 2580	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	28
PID 1964 wrote to memory of 2580	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	28
PID 1964 wrote to memory of 2580	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	28
PID 1964 wrote to memory of 2580	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	28
PID 1964 wrote to memory of 2484	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	30
PID 1964 wrote to memory of 2484	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	30
PID 1964 wrote to memory of 2484	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	30
PID 1964 wrote to memory of 2484	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	30
PID 1964 wrote to memory of 2752	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	32
PID 1964 wrote to memory of 2752	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	32
PID 1964 wrote to memory of 2752	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	32
PID 1964 wrote to memory of 2752	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	32
PID 1964 wrote to memory of 2492	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	34
PID 1964 wrote to memory of 2492	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	34
PID 1964 wrote to memory of 2492	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	34
PID 1964 wrote to memory of 2492	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	34
PID 1964 wrote to memory of 2948	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	36
PID 1964 wrote to memory of 2948	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	36
PID 1964 wrote to memory of 2948	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	36
PID 1964 wrote to memory of 2948	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	36
PID 1964 wrote to memory of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37
PID 1964 wrote to memory of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37
PID 1964 wrote to memory of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37
PID 1964 wrote to memory of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37
PID 1964 wrote to memory of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37
PID 1964 wrote to memory of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37
PID 1964 wrote to memory of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37
PID 1964 wrote to memory of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37
PID 1964 wrote to memory of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37
PID 1964 wrote to memory of 2020	1964	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	37
PID 2020 wrote to memory of 324	2020	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	40
PID 2020 wrote to memory of 324	2020	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	40
PID 2020 wrote to memory of 324	2020	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	40
PID 2020 wrote to memory of 324	2020	ddde6fc0ce346b0ab7bb0c8c02a09d33.exe	40

C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
"C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nllJKmehpTGztY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nllJKmehpTGztY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB02D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nllJKmehpTGztY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
  "C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe"
  2⤵
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe
  "C:\Users\Admin\AppData\Local\Temp\ddde6fc0ce346b0ab7bb0c8c02a09d33.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 620
    3⤵
    - Program crash
    PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\13G35IEH\suspendedpage[1].htm

Filesize
496B

MD5
1842eed13fddc700a50adada08a0f84d

SHA1
5e7b6997ffaf89afdb803de2e9231cd8886621ae

SHA256
47ac9eef48022403111f9cef6871af594079acdd88da83e7d2b2a92fa47f7368

SHA512
0d0086367e60782f81324abc5a79ae4c19aaa96aeb7aead23d4ca2dde0af5cc7cf3cc9b6e391b95405ed97a136fcd99af3f868a6027b89b5fcc47cff52272b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB02D.tmp

Filesize
1KB

MD5
e23258203fb5f8188d521bee82e1067b

SHA1
269c6e52c80f9df473ff93ffa399594440d5d183

SHA256
56979eb00bf05069329eb5f45b00876e1ffe90f795d87e75ebf440bcb74ec04a

SHA512
249bc0353a350f13994e9c875827e18232164a19aa1adb45d3a5190f92370db84787e371efdc85412f809a94f060e33d608e593909aa15807c13480a3b0b4e4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6640b46dba4f1d29cde855238d55ca85

SHA1
20496aedb8673a08f78851396cb41d026ef27d12

SHA256
ebf6d5bc48228547bb1f8e355f69af665c391850c7b2bdcd9057513addef2809

SHA512
0bb351dd3b853bb85023293595c077d40bf8d300c4a1cd905d3022bb42da96d9976abdd67bcf4582cc121a16183b40cb8fdfc04685f5a46532fb06f6998b9262

Download Submit
memory/1964-39-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-1-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-5-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1964-0-0x00000000010E0000-0x0000000001224000-memory.dmp

Filesize
1.3MB

Download
memory/1964-7-0x0000000000680000-0x00000000006BA000-memory.dmp

Filesize
232KB

Download
memory/1964-3-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/1964-2-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1964-4-0x0000000074C20000-0x000000007530E000-memory.dmp

Filesize
6.9MB

Download
memory/1964-6-0x0000000004B80000-0x0000000004C02000-memory.dmp

Filesize
520KB

Download
memory/2020-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2020-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-25-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-27-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-50-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2020-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2484-46-0x00000000029E0000-0x0000000002A20000-memory.dmp

Filesize
256KB

Download
memory/2484-41-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/2484-54-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/2484-51-0x00000000029E0000-0x0000000002A20000-memory.dmp

Filesize
256KB

Download
memory/2484-43-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-47-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-49-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download
memory/2492-48-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-53-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-44-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-52-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-45-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2580-40-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-42-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download