oski | ead4fbb41f9237091a53a9c5be2b50c222f3a7fce542bc6bab7acd302405c508

General

Target

e11c3b1cc868bcac2b10f1e7739b2501.exe
Size

381KB
MD5

e11c3b1cc868bcac2b10f1e7739b2501
SHA1

9ac339112cc6fd56efa6026953004bb75bd76cc0
SHA256

ead4fbb41f9237091a53a9c5be2b50c222f3a7fce542bc6bab7acd302405c508
SHA512

27b2d7981856a39b598306725e6701e001a26149e0a7b28229ff0893ca21e17581907ed416c261a73cc31653f498f9e5e2a901f757c62ec80b0ee32ad43a87ea
SSDEEP

6144:d2VEppbDxzjl1+FEIHWknFDKYuzBXmrp22NHdsIfR6tbrIp40A4Dh:5pp31CFEIHbFWYEcrffsIfkbrQ4pyh

Score

10^/10

oski infostealer persistence spyware stealer

Malware Config

Extracted

Family

oski

C2

kiwipl.com

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Executes dropped EXE 2 IoCs

pid	Process
2200	miore.exe
2604	lioc.exe

Loads dropped DLL 11 IoCs

pid	Process
2184	e11c3b1cc868bcac2b10f1e7739b2501.exe
2184	e11c3b1cc868bcac2b10f1e7739b2501.exe
2184	e11c3b1cc868bcac2b10f1e7739b2501.exe
2184	e11c3b1cc868bcac2b10f1e7739b2501.exe
2184	e11c3b1cc868bcac2b10f1e7739b2501.exe
2184	e11c3b1cc868bcac2b10f1e7739b2501.exe
2184	e11c3b1cc868bcac2b10f1e7739b2501.exe
2184	e11c3b1cc868bcac2b10f1e7739b2501.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c5e504606bceb80648bcecb9e1bfe1ee.exe / start"	miore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2196	2604	WerFault.exe	29

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	lioc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	lioc.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe
2200	miore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	miore.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2200	2184	e11c3b1cc868bcac2b10f1e7739b2501.exe	28
PID 2184 wrote to memory of 2200	2184	e11c3b1cc868bcac2b10f1e7739b2501.exe	28
PID 2184 wrote to memory of 2200	2184	e11c3b1cc868bcac2b10f1e7739b2501.exe	28
PID 2184 wrote to memory of 2200	2184	e11c3b1cc868bcac2b10f1e7739b2501.exe	28
PID 2184 wrote to memory of 2604	2184	e11c3b1cc868bcac2b10f1e7739b2501.exe	29
PID 2184 wrote to memory of 2604	2184	e11c3b1cc868bcac2b10f1e7739b2501.exe	29
PID 2184 wrote to memory of 2604	2184	e11c3b1cc868bcac2b10f1e7739b2501.exe	29
PID 2184 wrote to memory of 2604	2184	e11c3b1cc868bcac2b10f1e7739b2501.exe	29
PID 2604 wrote to memory of 2196	2604	lioc.exe	31
PID 2604 wrote to memory of 2196	2604	lioc.exe	31
PID 2604 wrote to memory of 2196	2604	lioc.exe	31
PID 2604 wrote to memory of 2196	2604	lioc.exe	31

C:\Users\Admin\AppData\Local\Temp\e11c3b1cc868bcac2b10f1e7739b2501.exe
"C:\Users\Admin\AppData\Local\Temp\e11c3b1cc868bcac2b10f1e7739b2501.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\miore.exe
  "C:\Users\Admin\AppData\Local\Temp\miore.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\lioc.exe
  "C:\Users\Admin\AppData\Local\Temp\lioc.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1412
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\msvcp140.dll

Filesize
153B

MD5
d9e4660829c2f1d3aeece0700a737d21

SHA1
208af3a0734482cb5b70e62148878da995bc12df

SHA256
c649b72d40b182375b97337744d6ed80b886d0a4cce87fe9f3b7bd7ebef7f6de

SHA512
c93272e68a3dd02e5136b4a60c6a5a31ac8f3c3733228627da0526b0c6bdbd91ff0c16c20e1e26380e3853a7235a39b4147ead44733044dc291087d064b654dd

Download Submit
\Users\Admin\AppData\Local\Temp\lioc.exe

Filesize
200KB

MD5
631baafff18a2c46a0ddddb6cd4db7dd

SHA1
e4268660608735cdc166c97432e03c4f5de0f7c1

SHA256
c740ab68c89323420fc94e5b2f7be88958ad33c1d0ae70c9a28088e576cee2e4

SHA512
153be28e1ad161cbc1c5dcf9058f12608d7bb11338c9fae7e12aadf22bcbe8206d182a018cc5c3db8483c3ee9ba055c156ebdbcb84da968a351141afa044d3ae

Download Submit
\Users\Admin\AppData\Local\Temp\miore.exe

Filesize
109KB

MD5
0e5c12df26f858b2d4e6741917a4cd1b

SHA1
b81171ecac330f1179012c16dae56b1de81b56e7

SHA256
5e51ec3a5ff289f2b0db602b4dd4b987db17bda4964a8b1caa44d9e6bcf4355e

SHA512
e48c55f8c04de46d89db96d0068728fa27bd9768a3b8dc189d6adff694fcc35fd42291fd60655020df50c5ba4404198f0d0115c4c2e007b35c696204a1da5910

Download Submit
memory/2184-3-0x00000000002B0000-0x00000000002D1000-memory.dmp

Filesize
132KB

Download
memory/2184-4-0x0000000000400000-0x0000000000916000-memory.dmp

Filesize
5.1MB

Download
memory/2184-33-0x0000000000400000-0x0000000000916000-memory.dmp

Filesize
5.1MB

Download
memory/2184-2-0x00000000009A0000-0x0000000000AA0000-memory.dmp

Filesize
1024KB

Download
memory/2200-35-0x00000000001C0000-0x00000000001E2000-memory.dmp

Filesize
136KB

Download
memory/2200-37-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2200-41-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2200-36-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2200-67-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2200-68-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads