Analysis
max time kernel: 4294183s
max time network: 147s
platform: windows7_x64
resource: win7-20220311-en
submitted: 29-03-2022 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe
  Resource: win10v2004-20220310-en
General
Target: 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe
Size: 718KB
MD5: 75a5844d899fa2a98c3c68a9b159d2b2
SHA1: dd3768dd750ee5b26d522b591d1c8f34814a1141
SHA256: 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40
SHA512: b6e0886f1b52047e000571902248b41a8209fa410ef8b4675d182904a755bd96268b59d842be25886406ead50f3497e8905a323c3cd469356ce548d7b3de3ade
Malware Config
Extracted
Family: oski
C2: 80.89.230.198
Signatures
-
Oski
Oski is an information stealer that targets browser data and cryptocurrency wallets.
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                                                                 procid_target
PID 1968 set thread context of 676   1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
540   676         WerFault.exe  27
-
Suspicious use of WriteProcessMemory 14 IoCs
description                        pid   Process                                                                 procid_target
PID 1968 wrote to memory of 676    1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
PID 1968 wrote to memory of 676    1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
PID 1968 wrote to memory of 676    1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
PID 1968 wrote to memory of 676    1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
PID 1968 wrote to memory of 676    1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
PID 1968 wrote to memory of 676    1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
PID 1968 wrote to memory of 676    1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
PID 1968 wrote to memory of 676    1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
PID 1968 wrote to memory of 676    1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
PID 1968 wrote to memory of 676    1968  74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe  27
PID 676 wrote to memory of 540     676   MSBuild.exe                                                             28
PID 676 wrote to memory of 540     676   MSBuild.exe                                                             28
PID 676 wrote to memory of 540     676   MSBuild.exe                                                             28
PID 676 wrote to memory of 540     676   MSBuild.exe                                                             28
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe"
   PID: 1968
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 676
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 112
         PID: 540
         - Program crash
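The SetThreadContext and WriteProcessMemory signatures above, read together with the process tree, describe the classic process-hollowing sequence: the sample (PID 1968) writes a payload into a freshly started, signed Microsoft binary (MSBuild.exe, PID 676) and then redirects a thread there, after which the hollowed MSBuild.exe crashes and WerFault.exe is launched against it. The following script is an added example, not part of the sandbox report and not Oski's code: it replays the signature rows as events and flags the (source, target) pair that shows both a memory write and a thread-context change, while keeping write-only pairs (a parent populating a just-created child, as MSBuild.exe does to WerFault.exe here) out of the hollowing finding. The event list is constructed from the rows in this report; the list of common hollowing host binaries is an assumption to tune per environment.

```python
"""Process-hollowing heuristic over sandbox API events.

Added example, not part of the sandbox report and not Oski's code. It
flags a source PID that both writes into a target PID and sets a thread
context in it, the write-payload-then-redirect-thread sequence of
process hollowing. Events are constructed from the rows in this report.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe"

# Signed Microsoft binaries often used as hollowing hosts (assumption; tune per environment).
COMMON_HOSTS = {
    "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "aspnet_compiler.exe", "vbc.exe", "csc.exe", "applaunch.exe",
}


@dataclass(frozen=True)
class Event:
    api: str      # WriteProcessMemory | SetThreadContext | ProcessCrash
    pid: int      # acting process
    target: int   # process acted upon
    image: str    # image name of the acting process


# Constructed from the signature rows in this report (10 writes, 1 context
# set, 4 writes from MSBuild.exe into WerFault.exe, one crash of PID 676).
EVENTS = (
    [Event("WriteProcessMemory", 1968, 676, SAMPLE)] * 10
    + [Event("SetThreadContext", 1968, 676, SAMPLE)]
    + [Event("WriteProcessMemory", 676, 540, "MSBuild.exe")] * 4
    + [Event("ProcessCrash", 540, 676, "WerFault.exe")]
)

# PID -> image name, taken from the process tree in this report.
IMAGES = {1968: SAMPLE, 676: "MSBuild.exe", 540: "WerFault.exe"}


def find_hollowing(events, images, hosts=COMMON_HOSTS):
    """One finding per (source, target) pair with both WriteProcessMemory
    and SetThreadContext from source into target."""
    writes = defaultdict(int)
    ctx = defaultdict(int)
    crashed = set()
    for e in events:
        if e.api == "WriteProcessMemory":
            writes[(e.pid, e.target)] += 1
        elif e.api == "SetThreadContext":
            ctx[(e.pid, e.target)] += 1
        elif e.api == "ProcessCrash":
            crashed.add(e.target)   # WerFault's target (-p) is the crashed process

    findings = []
    for (src, dst), n_ctx in ctx.items():
        n_writes = writes.get((src, dst), 0)
        if n_writes == 0:
            continue   # context change without a payload write: not hollowing
        dst_image = images.get(dst, "unknown")
        findings.append({
            "source_pid": src,
            "source_image": images.get(src, "unknown"),
            "target_pid": dst,
            "target_image": dst_image,
            "writes": n_writes,
            "thread_context_sets": n_ctx,
            "known_host": dst_image.lower() in hosts,
            "target_crashed": dst in crashed,
        })
    return findings


def write_only_pairs(events):
    """Pairs with WriteProcessMemory but no SetThreadContext. A parent writing
    into a child it has just created (here MSBuild.exe -> WerFault.exe) is
    ordinary process start-up, so these are reported separately."""
    writes = {(e.pid, e.target) for e in events if e.api == "WriteProcessMemory"}
    ctx = {(e.pid, e.target) for e in events if e.api == "SetThreadContext"}
    return sorted(writes - ctx)


if __name__ == "__main__":
    for f in find_hollowing(EVENTS, IMAGES):
        print(f"hollowing: {f['source_image']} ({f['source_pid']}) -> "
              f"{f['target_image']} ({f['target_pid']}), {f['writes']} writes, "
              f"known host={f['known_host']}, target crashed={f['target_crashed']}")
    print("write-only pairs:", write_only_pairs(EVENTS))
```

On this report the script yields a single hollowing finding (1968 into 676, ten writes, one thread-context set, host MSBuild.exe, target crashed) and lists (676, 540) as a write-only pair. The crash flag matters in practice: a hollowed host that immediately faults, as here, still leaves the WriteProcessMemory and SetThreadContext trail, so the detection should not depend on the payload running successfully.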