Analysis
- max time kernel: 125s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 28-03-2022 18:10
Static task: static1
Behavioral task: behavioral1
- Sample: f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
- Resource: win10v2004-20220310-en
General
- Target: f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
- Size: 261KB
- MD5: ba2af377d1a970e8e083e4c4cec745e2
- SHA1: a3d2ca408a97ddca60f581cba48d3f5e74a4fb17
- SHA256: f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035
- SHA512: eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06
Malware Config
- Extracted: oski
- darkangel.ac.ug
Signatures
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Suspicious use of SetThreadContext (1 IoC)
  description                      pid   Process                                                                    procid_target
  PID 3376 set thread context of 3708   3376  f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe   87
- Program crash (1 IoC)
  pid   pid_target   Process        procid_target
  2280  3708         WerFault.exe   87
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  3376  f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  3376  f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                     pid   Process                                                                    procid_target
  PID 3376 wrote to memory of 3708   3376  f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe   87
  PID 3376 wrote to memory of 3708   3376  f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe   87
  PID 3376 wrote to memory of 3708   3376  f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe   87
  PID 3376 wrote to memory of 3708   3376  f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe   87
Processes
- C:\Users\Admin\AppData\Local\Temp\f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe"
  PID: 3376
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035.exe"
    PID: 3708
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1320
      PID: 2280
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3708 -ip 3708
  PID: 1892