Overview

overview

10

Static

static

f7a799555a...ce.exe

windows7_x64

10

f7a799555a...ce.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe

  • Size

    767KB

  • MD5

    1e8e6c7b0357b7590f694162733e1f2f

  • SHA1

    fc2ea46d76bc7ab12ada51226b655771422ec343

  • SHA256

    f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce

  • SHA512

    23a2e7544fcf2db2b7f28cefe03c7826d1f575ed6c8f8a5f4a0a1c2ea48f6f0f3e6c7529b04793f6404bdda9b651a090ed8a29277e05665f4547cd23a24177f8

Score
10/10
oskiinfostealerspywarestealer

Malware Config

Extracted

Family

oski

C2

levitt.ug

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
    "C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\f7a799555a5177453ec51b3b9eeb9dc470e5f355b970bfbdf7dfd49e901ff4ce.exe
      "{path}"
      2⤵
        PID:4952
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1292
          3⤵
          • Program crash
          PID:3196
    • C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
      C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
      1⤵
        PID:2836
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4952 -ip 4952
        1⤵
          PID:2728

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1220-130-0x0000000074FE0000-0x0000000075591000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/4952-134-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

          Download
        • memory/4952-133-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

          Download
        • memory/4952-132-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

          Download
        • memory/4952-131-0x0000000000000000-mapping.dmp
          Download
        • memory/4952-135-0x0000000000400000-0x0000000000434000-memory.dmp
          Filesize

          208KB

          Download