Analysis
-
max time kernel
189s -
max time network
196s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25-06-2022 08:58
Static task
static1
Behavioral task
behavioral1
Sample
6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe
Resource
win10v2004-20220414-en
General
-
Target
6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe
-
Size
185KB
-
MD5
45806f0f5bd793789640e2d387b360b7
-
SHA1
84723dc5257f3dbc04757223631f75407082a7cf
-
SHA256
6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af
-
SHA512
8f82af8bd555a175e5699e2206492f7afc25efa4fde156816fb48e84566c1f494141c5d3c55e662c4f72bc2e9569a613499068d60ad35f9fc93a4a96d5d523cd
Malware Config
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 4588 1840 WerFault.exe 6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe 4480 1840 WerFault.exe 6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exedescription pid process target process PID 1840 wrote to memory of 4588 1840 6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe WerFault.exe PID 1840 wrote to memory of 4588 1840 6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe WerFault.exe PID 1840 wrote to memory of 4588 1840 6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe"C:\Users\Admin\AppData\Local\Temp\6ff2df9ce53194ba8f0cd6f4b391513a024fa0c87db70a2abd27619fdcf395af.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 13322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 13322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1840 -ip 18401⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4588-130-0x0000000000000000-mapping.dmp