Analysis
-
max time kernel
140s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
29-03-2022 18:19
Static task
static1
Behavioral task
behavioral1
Sample
74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe
Resource
win10v2004-20220310-en
General
-
Target
74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe
-
Size
718KB
-
MD5
75a5844d899fa2a98c3c68a9b159d2b2
-
SHA1
dd3768dd750ee5b26d522b591d1c8f34814a1141
-
SHA256
74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40
-
SHA512
b6e0886f1b52047e000571902248b41a8209fa410ef8b4675d182904a755bd96268b59d842be25886406ead50f3497e8905a323c3cd469356ce548d7b3de3ade
Malware Config
Extracted
oski
80.89.230.198
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3668 set thread context of 3980 3668 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe 101 -
Program crash 1 IoCs
pid pid_target Process procid_target 1804 3980 WerFault.exe 101 -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3668 wrote to memory of 3980 3668 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe 101 PID 3668 wrote to memory of 3980 3668 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe 101 PID 3668 wrote to memory of 3980 3668 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe 101 PID 3668 wrote to memory of 3980 3668 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe 101 PID 3668 wrote to memory of 3980 3668 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe 101 PID 3668 wrote to memory of 3980 3668 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe 101 PID 3668 wrote to memory of 3980 3668 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe 101 PID 3668 wrote to memory of 3980 3668 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe 101 PID 3668 wrote to memory of 3980 3668 74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe"C:\Users\Admin\AppData\Local\Temp\74c0613165375c4ecc81a4398a0971f4e497e3f1f7f1f0987100af4565991b40.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵PID:3980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1883⤵
- Program crash
PID:1804
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3980 -ip 39801⤵PID:408