Analysis
max time kernel: 4294183s
max time network: 126s
platform: windows7_x64
resource: win7-20220311-en
submitted: 28-03-2022 18:10
Static task: static1
Behavioral task: behavioral1
  Sample: f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
  Resource: win10v2004-20220310-en
General
Target: f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
Size: 261KB
MD5: ba2af377d1a970e8e083e4c4cec745e2
SHA1: a3d2ca408a97ddca60f581cba48d3f5e74a4fb17
SHA256: f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035
SHA512: eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06
Malware Config
Extracted
  oski
  darkangel.ac.ug
Signatures

Oski
  Oski is an infostealer targeting browser data and crypto wallets.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                                                                    procid_target
  PID 628 set thread context of 972    628   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe    27

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  1664   972          WerFault.exe   27

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  628   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  628   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process                                                                    procid_target
  PID 628 wrote to memory of 972     628   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe    27
  PID 628 wrote to memory of 972     628   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe    27
  PID 628 wrote to memory of 972     628   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe    27
  PID 628 wrote to memory of 972     628   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe    27
  PID 628 wrote to memory of 972     628   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe    27
  PID 972 wrote to memory of 1664    972   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe    33
  PID 972 wrote to memory of 1664    972   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe    33
  PID 972 wrote to memory of 1664    972   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe    33
  PID 972 wrote to memory of 1664    972   f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe    33
Processes

C:\Users\Admin\AppData\Local\Temp\f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe"
  PID: 628
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe"
    PID: 972
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 780
      PID: 1664
      - Program crash