Analysis
-
max time kernel
135s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
29-03-2022 18:53
Static task
static1
Behavioral task
behavioral1
Sample
9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe
Resource
win10v2004-en-20220113
General
-
Target
9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe
-
Size
459KB
-
MD5
a44fb506c742cdff42f37356502c3298
-
SHA1
674e8729f2598cd7e34d2d07b5ab2ff53b638c37
-
SHA256
9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc
-
SHA512
8fa4c6d8e693189d494d5746954b9919c821989cd1f767b26737869f26e4c2cfab2c1771f01a752883c4201169b7efa070662d958d3c0e4958772d22b8f959e1
Malware Config
Extracted
oski
4llion.com
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 624 set thread context of 3492 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe 84 -
Program crash 1 IoCs
pid pid_target Process procid_target 1292 3492 WerFault.exe 84 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 624 wrote to memory of 3492 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe 84 PID 624 wrote to memory of 3492 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe 84 PID 624 wrote to memory of 3492 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe 84 PID 624 wrote to memory of 3492 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe 84 PID 624 wrote to memory of 3492 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe 84 PID 624 wrote to memory of 3492 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe 84 PID 624 wrote to memory of 3492 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe 84 PID 624 wrote to memory of 3492 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe 84 PID 624 wrote to memory of 3492 624 9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe"C:\Users\Admin\AppData\Local\Temp\9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Users\Admin\AppData\Local\Temp\9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe"C:\Users\Admin\AppData\Local\Temp\9eda629d972e72de604e574465b035dece9b8b8d842c8bfa295f37aa16aa00fc.exe"2⤵PID:3492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 2443⤵
- Program crash
PID:1292
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3492 -ip 34921⤵PID:2296