Analysis
- max time kernel: 79s
- max time network: 100s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 21:03
Static task: static1
Behavioral task: behavioral1
  Sample: f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
  Resource: win10v2004-20220414-en
General
- Target: f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
- Size: 767KB
- MD5: 1e8e6c7b0357b7590f694162733e1f2f
- SHA1: fc2ea46d76bc7ab12ada51226b655771422ec343
- SHA256: f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce
- SHA512: 23a2e7544fcf2db2b7f28cefe03c7826d1f575ed6c8f8a5f4a0a1c2ea48f6f0f3e6c7529b04793f6404bdda9b651a090ed8a29277e05665f4547cd23a24177f8
Malware Config
Extracted
- Family: oski
- C2: levitt.ug
Signatures
- Oski
  Oski is an infostealer that targets browser data and cryptocurrency wallets.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers commonly harvest stored browser profile data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid    process                                                                   target process
  PID 1120 set thread context of 1380  1120   f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe     f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
- Program crash (1 IoC)
  Processes:
  pid    pid_target   process        target process
  1100   1380         WerFault.exe   f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description                        count   pid    process                                                                   target process
  PID 1120 wrote to memory of 1380   10      1120   f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe     f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
  PID 1380 wrote to memory of 1100   4       1380   f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe     WerFault.exe
  The first group (the initial process writing ten times into a second copy of itself, then re-pointing its thread with SetThreadContext) is the process-hollowing pattern; the second group is the hollowed process handing state to WerFault.exe after it crashed.
Processes
1. C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe (PID 1120)
   "C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe (PID 1380)
      "{path}"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1100)
         C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 804
         - Program crash
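The three signatures above only become meaningful together: a process spawns a second copy of itself, writes into it repeatedly, then calls SetThreadContext, and the child later crashes under WerFault with -p pointing at the child's PID. The following is an added example (not part of the sandbox report or the sandbox's own logic) that correlates such API events into a hollowing indicator and ties the WerFault command line and the dumped memory region back to the same PID. The event records are constructed to mirror the report's PIDs 1120, 1380 and 1100; the Event field names and the CreateProcess records are assumptions about what a monitor would emit, not the sandbox's export format.

```python
"""Correlate WriteProcessMemory / SetThreadContext / WerFault evidence into a
process-hollowing indicator. Added example; event schema is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe"
WERFAULT = "WerFault.exe"


@dataclass(frozen=True)
class Event:
    api: str           # "CreateProcess", "WriteProcessMemory" or "SetThreadContext"
    pid: int           # acting process
    image: str         # acting process image name
    target: int        # target process
    target_image: str  # target process image name


# Constructed to mirror the report: ten writes 1120 -> 1380, one SetThreadContext
# 1120 -> 1380, then four writes 1380 -> 1100 (the WER handshake after the crash).
EVENTS = (
    [Event("CreateProcess", 1120, SAMPLE, 1380, SAMPLE)]
    + [Event("WriteProcessMemory", 1120, SAMPLE, 1380, SAMPLE)] * 10
    + [Event("SetThreadContext", 1120, SAMPLE, 1380, SAMPLE)]
    + [Event("CreateProcess", 1380, SAMPLE, 1100, WERFAULT)]
    + [Event("WriteProcessMemory", 1380, SAMPLE, 1100, WERFAULT)] * 4
)


def find_hollowing(events, min_writes=1):
    """Return (pid, target, write_count, same_image) for every process that
    writes into a child it created and then re-points a thread in that child
    with SetThreadContext. Writes without a following SetThreadContext (the
    1380 -> 1100 WER handshake here) do not qualify. same_image is True when
    parent and child share an image name, i.e. the loader re-spawned itself."""
    writes = defaultdict(int)
    children = set()
    hits = []
    for ev in events:
        key = (ev.pid, ev.target)
        if ev.api == "CreateProcess":
            children.add(key)
        elif ev.api == "WriteProcessMemory":
            writes[key] += 1
        elif ev.api == "SetThreadContext" and key in children and writes[key] >= min_writes:
            hits.append((ev.pid, ev.target, writes[key], ev.image == ev.target_image))
    return hits


def werfault_target(cmdline):
    """PID named by WerFault's -p switch, or None if this is not a WerFault
    command line. Whitespace split on purpose: shlex would eat the backslashes."""
    parts = cmdline.split()
    if parts and parts[0].lower().endswith("werfault.exe") and "-p" in parts:
        return int(parts[parts.index("-p") + 1])
    return None


# Region repeatedly dumped for PID 1380 and the mapping address recorded for it.
IMAGE_BASE, IMAGE_END = 0x400000, 0x434000
MAPPING = 0x417A8B


def rva(addr, base=IMAGE_BASE, end=IMAGE_END):
    """Offset of addr inside the dumped image region, or None when it lies
    outside (which would indicate code executing from a separate allocation)."""
    return addr - base if base <= addr < end else None


if __name__ == "__main__":
    for pid, target, n, same in find_hollowing(EVENTS):
        print(f"hollowing: {pid} -> {target}, {n} writes, same image: {same}")
    crashed = werfault_target(r"C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 804")
    print(f"WerFault reports crash of PID {crashed}; mapping RVA {rva(MAPPING):#x}")
```

Run as-is, the correlation yields a single hit for 1120 -> 1380 with ten writes and matching images, the WerFault line names 1380 as the crashed process, and the mapping address resolves to an offset inside the 208KB region, which is what you would expect when the loader overwrites its own image in the child rather than allocating a fresh region.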
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
pid    idx   region / type                                        filesize
1100   71    0x0000000000000000-mapping.dmp
1120   54    0x00000000753B1000-0x00000000753B3000-memory.dmp     8KB
1120   55    0x0000000074460000-0x0000000074A0B000-memory.dmp     5.7MB
1380   56    0x0000000000400000-0x0000000000434000-memory.dmp     208KB
1380   57    0x0000000000400000-0x0000000000434000-memory.dmp     208KB
1380   59    0x0000000000400000-0x0000000000434000-memory.dmp     208KB
1380   61    0x0000000000400000-0x0000000000434000-memory.dmp     208KB
1380   63    0x0000000000400000-0x0000000000434000-memory.dmp     208KB
1380   65    0x0000000000400000-0x0000000000434000-memory.dmp     208KB
1380   66    0x0000000000417A8B-mapping.dmp
1380   68    0x0000000000400000-0x0000000000434000-memory.dmp     208KB
1380   70    0x0000000000400000-0x0000000000434000-memory.dmp     208KB