Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 06-11-2021 09:27
Static task: static1
Behavioral task: behavioral1
- Sample: 165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe
- Resource: win10-en-20211104
General
- Target: 165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe
- Size: 200KB
- MD5: 07ac7806a3f2bc0fc993d736ecb3572b
- SHA1: 49b54d7ece61cf9198dfc306a641f0d002b56acb
- SHA256: 165a20cece5bd869502d23ed2c9fdf5cb2e83451cca502b110f61371da70134d
- SHA512: 0bb78905d87356841e97e68be1d7c731f5cc4d15fa162017f9c520fceca327c589f8f31b9002c4869179af8626a03e89ef9b667a1a6d5e8f42eef2db98e1e123
Malware Config
Signatures
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Program crash (1 IoC)
  Processes (WerFault.exe):
  pid  | pid_target | process      | target process
  1880 | 952        | WerFault.exe | 165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (WerFault.exe):
  pid  | process
  1880 | WerFault.exe
  1880 | WerFault.exe
  1880 | WerFault.exe
  1880 | WerFault.exe
  1880 | WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (WerFault.exe):
  pid  | process
  1880 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (WerFault.exe):
  description               | pid  | process
  Token: SeDebugPrivilege   | 1880 | WerFault.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe):
  description                        | pid | process                                           | target process
  PID 952 wrote to memory of 1880    | 952 | 165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe | WerFault.exe
  PID 952 wrote to memory of 1880    | 952 | 165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe | WerFault.exe
  PID 952 wrote to memory of 1880    | 952 | 165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe | WerFault.exe
  PID 952 wrote to memory of 1880    | 952 | 165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 764
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken