Analysis Overview
SHA256
24135e78ecf7c7e30984c0f38d381f528c2400f4b7f4a05d5c37bdcf9365ced1
Threat Level: Known bad
The file 2DF2BB4BA1E6580FA4368F8B2CF681FE.exe was found to be: Known bad.
Malicious Activity Summary
Oski
Oski family
Reads user/profile data of web browsers
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-06 15:12
Signatures
Oski family
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-06 15:12
Reported
2022-04-06 15:15
Platform
win10v2004-20220331-en
Max time kernel
155s
Max time network
174s
Command Line
Signatures
Oski
Reads user/profile data of web browsers
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2DF2BB4BA1E6580FA4368F8B2CF681FE.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2DF2BB4BA1E6580FA4368F8B2CF681FE.exe
"C:\Users\Admin\AppData\Local\Temp\2DF2BB4BA1E6580FA4368F8B2CF681FE.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3044 -ip 3044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1324
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | carding.axfree.com | udp |
| DE | 144.76.115.36:80 | carding.axfree.com | tcp |
| US | 93.184.221.240:80 | tcp | |
| NL | 13.69.109.131:443 | tcp | |
| DE | 144.76.115.36:80 | carding.axfree.com | tcp |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-06 15:12
Reported
2022-04-06 15:14
Platform
win7-20220331-en
Max time kernel
38s
Max time network
47s
Command Line
Signatures
Oski
Reads user/profile data of web browsers
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2DF2BB4BA1E6580FA4368F8B2CF681FE.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 800 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\2DF2BB4BA1E6580FA4368F8B2CF681FE.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 800 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\2DF2BB4BA1E6580FA4368F8B2CF681FE.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 800 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\2DF2BB4BA1E6580FA4368F8B2CF681FE.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 800 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\2DF2BB4BA1E6580FA4368F8B2CF681FE.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2DF2BB4BA1E6580FA4368F8B2CF681FE.exe
"C:\Users\Admin\AppData\Local\Temp\2DF2BB4BA1E6580FA4368F8B2CF681FE.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 772
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | carding.axfree.com | udp |
| DE | 144.76.115.36:80 | carding.axfree.com | tcp |
Files
memory/800-54-0x0000000076A51000-0x0000000076A53000-memory.dmp
memory/948-55-0x0000000000000000-mapping.dmp