oski | e5824681466b0a8b36f470252d644bc5a4333d83a8987021df491b471ef8d473

General

Target

2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe
Size

216KB
MD5

eee333c1637253245c3fc51775ba7395
SHA1

bd111eaf7f7687a87de02aa87acdde9d4cd51eb8
SHA256

e5824681466b0a8b36f470252d644bc5a4333d83a8987021df491b471ef8d473
SHA512

c3ad219bacb1c7fc2feb98848bbf61bd559ed9c6ec2ebfb9d4d7380fcd7b34a4f895be7b5f3ac3f588add74bcd8a4cefe6a9b58ad73310e862030ed0f942e087
SSDEEP

3072:efUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIh1Xi6FLPo3cCGCH:efUauY68uSWCx+XA7mg2pNQ1Ljo3cj

Score

10^/10

oski aspackv2 credential_access discovery infostealer spyware stealer

Malware Config

Extracted

Family

oski

C2

wellsfargocs.ddns.us

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ScqFnHip.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

ScqFnHip.exe

pid process

2844 ScqFnHip.exe

pid	process
2844	ScqFnHip.exe

Loads dropped DLL 2 IoCs

Processes:

2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe

pid	process
2108	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe
2108	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 64 IoCs

Processes:

ScqFnHip.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wabmig.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Windows Journal\Journal.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Windows Sidebar\sidebar.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{82C9E0F7-90DB-4BC5-9338-612926653CF7}\chrome_installer.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	ScqFnHip.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	ScqFnHip.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	ScqFnHip.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	ScqFnHip.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1448 2108 WerFault.exe 2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe

pid	pid_target	process	target process
1448	2108	WerFault.exe	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exeScqFnHip.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScqFnHip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exeScqFnHip.exe

description	pid	process	target process
PID 2108 wrote to memory of 2844	2108	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe	ScqFnHip.exe
PID 2108 wrote to memory of 2844	2108	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe	ScqFnHip.exe
PID 2108 wrote to memory of 2844	2108	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe	ScqFnHip.exe
PID 2108 wrote to memory of 2844	2108	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe	ScqFnHip.exe
PID 2108 wrote to memory of 1448	2108	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe	WerFault.exe
PID 2108 wrote to memory of 1448	2108	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe	WerFault.exe
PID 2108 wrote to memory of 1448	2108	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe	WerFault.exe
PID 2108 wrote to memory of 1448	2108	2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe	WerFault.exe
PID 2844 wrote to memory of 1672	2844	ScqFnHip.exe	cmd.exe
PID 2844 wrote to memory of 1672	2844	ScqFnHip.exe	cmd.exe
PID 2844 wrote to memory of 1672	2844	ScqFnHip.exe	cmd.exe
PID 2844 wrote to memory of 1672	2844	ScqFnHip.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-25_eee333c1637253245c3fc51775ba7395_karagany_mafia_wapomi.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\ScqFnHip.exe
  C:\Users\Admin\AppData\Local\Temp\ScqFnHip.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\36a51a41.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 784
  2⤵
  - Program crash
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\msvcp140.dll

Filesize
252B

MD5
bfd986155d142e8d9b7c9abe96fee0ad

SHA1
a01e08e76db2322a020fea44fbdc550b2ab23840

SHA256
0521d11937d55b5e9549a0474209b77e6cd0df2e5da4c6b98f518065c56b50bb

SHA512
a3fce419969816aa99880b1613ceb2bdfd4d2383f8f4f4f7ef65c8abbdc231b8e61281b1c9240882ac03e30b0417bf06ce943d2dc590672c964aa62691b77871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8I3CVQY\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\02655CF7.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\36a51a41.bat

Filesize
191B

MD5
1df85b405ad04631f2b55ff316f59ec6

SHA1
c45d2e3c85779b6018a53f6a1f0e562f74e0331d

SHA256
7679a1e222b64ba0106456e506390b7a9e3252fd0b56125516f017f99cb3460d

SHA512
95aac924f86494a427dd0ee5a5dd1a0794135955b46225c8a24a7938b91a1cc19205e51116cfa2799a33bb06d6f9a99ef3028831a7806fccf3d958f772dc0f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScqFnHip.exe

Filesize
15KB

MD5
f7d21de5c4e81341eccd280c11ddcc9a

SHA1
d4e9ef10d7685d491583c6fa93ae5d9105d815bd

SHA256
4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

SHA512
e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

Download Submit
memory/2108-0-0x0000000000C00000-0x0000000000C3D000-memory.dmp

Filesize
244KB

Download
memory/2108-11-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

Filesize
36KB

Download
memory/2108-10-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

Filesize
36KB

Download
memory/2108-53-0x0000000000C00000-0x0000000000C3D000-memory.dmp

Filesize
244KB

Download
memory/2844-12-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

Filesize
36KB

Download
memory/2844-42-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads