oski | 80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352

General

Target

ExeFile (339).exe
Size

861KB
MD5

c20ef4961ce6eb9dd5654242ec1b418c
SHA1

076cb25979115c1a5baa95807f993c90f629c524
SHA256

80199402b66d52742db427b0a59c869d3629e2b503c8e84b0d17789db414c352
SHA512

e518cd58bcab49e1359d6e60fe71a12c40d6c3f3e8dcfbf974848edb901231b8bd70271fc64f55c0cd8777e975ffee08b17607e4c4bd9744a4193b2a5739a9a2
SSDEEP

24576:ZQqPByJzhAfD7MjzlR7m8Sdu3ar3kxggWq:ZQqZ0z0MjHy8mxrgl

Score

10^/10

oski defense_evasion discovery infostealer persistence

Malware Config

Extracted

Family

oski

C2

45.141.84.184

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Executes dropped EXE 2 IoCs

Processes:

msdtc.commsdtc.com

pid process

2264 msdtc.com
2700 msdtc.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exemsdtc.com

pid process

2092 cmd.exe
2264 msdtc.com

pid	process
2264	msdtc.com
2700	msdtc.com

pid	process
2092	cmd.exe
2264	msdtc.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ExeFile (339).exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ExeFile (339).exe

Deobfuscate/Decode Files or Information 1 TTPs 2 IoCs
Payload decoded via CertUtil.
defense_evasion

Deobfuscate/Decode Files or Information
T1140

Processes:

cmd.execertutil.exe

pid process

2092 cmd.exe
2532 certutil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

msdtc.com

description pid process target process

PID 2700 set thread context of 2724 2700 msdtc.com attrib.exe

pid	process
2092	cmd.exe
2532	certutil.exe

description	pid	process	target process
PID 2700 set thread context of 2724	2700	msdtc.com	attrib.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ExeFile (339).execmd.execertutil.exemsdtc.commsdtc.comPING.EXEattrib.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExeFile (339).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdtc.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdtc.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

2200 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2200 PING.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

msdtc.com

pid process

2700 msdtc.com
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msdtc.commsdtc.com

pid process

2264 msdtc.com
2264 msdtc.com
2264 msdtc.com
2700 msdtc.com
2700 msdtc.com
2700 msdtc.com
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

msdtc.commsdtc.com

pid process

2264 msdtc.com
2264 msdtc.com
2264 msdtc.com
2700 msdtc.com
2700 msdtc.com
2700 msdtc.com

pid	process
2200	PING.EXE

pid	process
2200	PING.EXE

pid	process
2700	msdtc.com

pid	process
2264	msdtc.com
2264	msdtc.com
2264	msdtc.com
2700	msdtc.com
2700	msdtc.com
2700	msdtc.com

pid	process
2264	msdtc.com
2264	msdtc.com
2264	msdtc.com
2700	msdtc.com
2700	msdtc.com
2700	msdtc.com

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

ExeFile (339).execmd.exemsdtc.commsdtc.com

description	pid	process	target process
PID 3020 wrote to memory of 2092	3020	ExeFile (339).exe	cmd.exe
PID 3020 wrote to memory of 2092	3020	ExeFile (339).exe	cmd.exe
PID 3020 wrote to memory of 2092	3020	ExeFile (339).exe	cmd.exe
PID 3020 wrote to memory of 2092	3020	ExeFile (339).exe	cmd.exe
PID 2092 wrote to memory of 2532	2092	cmd.exe	certutil.exe
PID 2092 wrote to memory of 2532	2092	cmd.exe	certutil.exe
PID 2092 wrote to memory of 2532	2092	cmd.exe	certutil.exe
PID 2092 wrote to memory of 2532	2092	cmd.exe	certutil.exe
PID 2092 wrote to memory of 2264	2092	cmd.exe	msdtc.com
PID 2092 wrote to memory of 2264	2092	cmd.exe	msdtc.com
PID 2092 wrote to memory of 2264	2092	cmd.exe	msdtc.com
PID 2092 wrote to memory of 2264	2092	cmd.exe	msdtc.com
PID 2264 wrote to memory of 2700	2264	msdtc.com	msdtc.com
PID 2264 wrote to memory of 2700	2264	msdtc.com	msdtc.com
PID 2264 wrote to memory of 2700	2264	msdtc.com	msdtc.com
PID 2264 wrote to memory of 2700	2264	msdtc.com	msdtc.com
PID 2092 wrote to memory of 2200	2092	cmd.exe	PING.EXE
PID 2092 wrote to memory of 2200	2092	cmd.exe	PING.EXE
PID 2092 wrote to memory of 2200	2092	cmd.exe	PING.EXE
PID 2092 wrote to memory of 2200	2092	cmd.exe	PING.EXE
PID 2700 wrote to memory of 2724	2700	msdtc.com	attrib.exe
PID 2700 wrote to memory of 2724	2700	msdtc.com	attrib.exe
PID 2700 wrote to memory of 2724	2700	msdtc.com	attrib.exe
PID 2700 wrote to memory of 2724	2700	msdtc.com	attrib.exe
PID 2700 wrote to memory of 2724	2700	msdtc.com	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2724 attrib.exe

pid	process
2724	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ExeFile (339).exe
"C:\Users\Admin\AppData\Local\Temp\ExeFile (339).exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c <nul set /p ="M" > msdtc.com & type KsTpnq.com >> msdtc.com & del KsTpnq.com & certutil -decode yTxIv.com U & msdtc.com U & ping 127.0.0.1 -n 3
  2⤵
  - Loads dropped DLL
  - Deobfuscate/Decode Files or Information
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode yTxIv.com U
    3⤵
    - Deobfuscate/Decode Files or Information
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com
    msdtc.com U
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com U
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\attrib.exe
        
        "C:\Windows\SysWOW64\attrib.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2724
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Deobfuscate/Decode Files or Information

1

T1140

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KsTpnq.com

Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\U

Filesize
241KB

MD5
c8c4a872e297f7e536786c49d66650c5

SHA1
d65329038099ba179db5331f8eaec618fb679119

SHA256
f8b193619fa0fbf5e8a7fa84017dab39b15acaeb3b7888b532e3d26d017d22ee

SHA512
37d26d18f19e7660b28c3b5cd58ae2a35ab40c2ffc947193c945a764a84edc61198141dab620d03f41c1585ca44c8ba940881db337a6e92ca2e454d50acb0c87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bWPQ.com

Filesize
200KB

MD5
5ea7b5afb1bf7b27844bfb150307adb1

SHA1
47fcfe229e937dc5d2700203c1f9d42767082903

SHA256
ff8814e26980703a8d1d917a8a6991e80849037fe6fb531b05b7d984fa0db4e2

SHA512
1ca5022ee0e978711fd05b9c1655d554b16672962338f86c003aaebd86def8b07170b798c570823db6fb7b63eb17684a4beed302f5029ae01f66e1f828bd3388

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yTxIv.com

Filesize
332KB

MD5
0793e3a615b4e02d45e1f857fcb9b2fe

SHA1
c54946443428a2e90cbe07afd9a96b6dd176f563

SHA256
789eaa8e03690dd53708b429b7cb51f619f80c3f56d4616ca8971d512a63024b

SHA512
f889c6bf2c6878a980d1432c2353290bbf907292b777e73e0f540414f7de3e2945d05dad58b695214fc04163e729f6830cf6a1cfc6f4e9b5394c1fcc004e0b89

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\msdtc.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2724-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2724-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads