Analysis

max time kernel:   121s
max time network:  122s
platform:          windows10_x64
resource:          win10-en-20211104
submitted:         06-11-2021 09:27
Static task: static1

Behavioral task: behavioral1
  Sample:   165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe
  Resource: win7-en-20211014

Behavioral task: behavioral2
  Sample:   165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe
  Resource: win10-en-20211104
General

Target: 165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe
Size:   200KB
MD5:    07ac7806a3f2bc0fc993d736ecb3572b
SHA1:   49b54d7ece61cf9198dfc306a641f0d002b56acb
SHA256: 165a20cece5bd869502d23ed2c9fdf5cb2e83451cca502b110f61371da70134d
SHA512: 0bb78905d87356841e97e68be1d7c731f5cc4d15fa162017f9c520fceca327c589f8f31b9002c4869179af8626a03e89ef9b667a1a6d5e8f42eef2db98e1e123
Malware Config
Signatures
- Oski
  Oski is an infostealer that targets browser data and cryptocurrency wallets.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1104  3448        WerFault.exe  165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (12 identical entries):
    pid   process
    1104  WerFault.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   1104  WerFault.exe
    Token: SeBackupPrivilege    1104  WerFault.exe
    Token: SeDebugPrivilege     1104  WerFault.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\165A20CECE5BD869502D23ED2C9FDF5CB2E83451CCA50.exe"

  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1244
    Signatures:
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken