oski | 6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af

Analysis

Target

6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe
Size

185KB
MD5

45806f0f5bd793789640e2d387b360b7
SHA1

84723dc5257f3dbc04757223631f75407082a7cf
SHA256

6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af
SHA512

8f82af8bd555a175e5699e2206492f7afc25efa4fde156816fb48e84566c1f494141c5d3c55e662c4f72bc2e9569a613499068d60ad35f9fc93a4a96d5d523cd

Score

10^/10

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4588	1840	WerFault.exe	6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe
4480	1840	WerFault.exe	6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe

description	pid	process	target process
PID 1840 wrote to memory of 4588	1840	6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe	WerFault.exe
PID 1840 wrote to memory of 4588	1840	6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe	WerFault.exe
PID 1840 wrote to memory of 4588	1840	6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe
"C:\Users\Admin\AppData\Local\Temp\6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1332
2⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1332
2⤵
- Program crash
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1840 -ip 1840
1⤵
PID:4564

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact