Analysis
-
max time kernel
115s -
max time network
61s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
24-07-2021 22:42
General
-
Target
884c97781aefe7f3f8aef45d44fa9340.exe
-
Size
200KB
-
MD5
884c97781aefe7f3f8aef45d44fa9340
-
SHA1
4d340d7a615e07b8d2c9d27e9d94862ea40bb577
-
SHA256
3bd85c9e47dd89f20f5ae78807a8e98288195c70ee6250e0e86583c672685119
-
SHA512
4f30c56596877c7b7fbd217cc03094d8e3bd5929d5aa52816d90414d4734523c7f61310cf15105dd2130c34f3dcf5799810dda4039f850af6d486910cf83d466
Score
10/10
Malware Config
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\884c97781aefe7f3f8aef45d44fa9340.exe"C:\Users\Admin\AppData\Local\Temp\884c97781aefe7f3f8aef45d44fa9340.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 6322⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1220-59-0x00000000769B1000-0x00000000769B3000-memory.dmpFilesize
8KB
-
memory/1712-60-0x0000000000000000-mapping.dmp
-
memory/1712-61-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB