Analysis
-
max time kernel
156s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-04-2022 02:09
Static task
static1
Behavioral task
behavioral1
Sample
f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe
Resource
win10v2004-20220414-en
General
-
Target
f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe
-
Size
2.0MB
-
MD5
252f6d6f3c62d557958e2bd72f8db90e
-
SHA1
eb969c3bac3441598955d7d113d18c110a8ef54e
-
SHA256
f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6
-
SHA512
e0703f1f3b3f0641b25bdc7802975cdf920245da8b363d8b71a27cc14a91a68791c1b441af3db81c8a62382e4d549f393f311cfe40139bc4e3584beb342c1786
Malware Config
Extracted
oski
45.12.215.204
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4656 set thread context of 3328 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 84 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4656 wrote to memory of 4372 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 83 PID 4656 wrote to memory of 4372 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 83 PID 4656 wrote to memory of 4372 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 83 PID 4656 wrote to memory of 3328 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 84 PID 4656 wrote to memory of 3328 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 84 PID 4656 wrote to memory of 3328 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 84 PID 4656 wrote to memory of 3328 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 84 PID 4656 wrote to memory of 3328 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 84 PID 4656 wrote to memory of 3328 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 84 PID 4656 wrote to memory of 3328 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 84 PID 4656 wrote to memory of 3328 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 84 PID 4656 wrote to memory of 3328 4656 f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe"C:\Users\Admin\AppData\Local\Temp\f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Users\Admin\AppData\Local\Temp\f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe"C:\Users\Admin\AppData\Local\Temp\f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe"2⤵PID:4372
-
-
C:\Users\Admin\AppData\Local\Temp\f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe"C:\Users\Admin\AppData\Local\Temp\f302eea287a2ee17eb29f4ccaab0552791e261f6bccca2b8de1398941495ecb6.exe"2⤵PID:3328
-