Analysis
- max time kernel: 29s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 01-07-2022 04:12
Static task: static1
Behavioral task: behavioral1
- Sample: caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe
- Resource: win10v2004-20220414-en
General
- Target: caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe
- Size: 293KB
- MD5: a0d0319e501904cd74e51782e1ab74f9
- SHA1: b8f7c45ecf8aaabccff860356f03ef02b65f12f6
- SHA256: caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120
- SHA512: 3cc308094f4dbacd5f9aabc45d074e0b0af08676a694cb2e2898d1880646b22a0b64bbc0211ebf53fea7e6de34c631df6d5632c834298e432f804f7b8f593f10
Malware Config
- Extracted family: oski
- Extracted domain (from the oski config): ivchenkosvetlana.online
Signatures
- Oski
  Oski is an infostealer that targets browser data and cryptocurrency wallets.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and form data.
- Program crash (1 IoC)
  Processes:
  pid | target pid | process | target process
  576 | 2024 | WerFault.exe | caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  pid | process | target pid | target process | description
  2024 | caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe | 576 | WerFault.exe | PID 2024 wrote to memory of 576 (reported four times)
  Caveat: all four writes go from the sample into the WerFault.exe instance that was started for the sample's own pid (WerFault.exe -u -p 2024 -s 860). That is the normal Windows Error Reporting flow for an unhandled exception, in which the faulting process creates WerFault.exe as a child and writes into it as part of process creation. On this run the signature therefore reflects the crash recorded above, not code injection into an unrelated process; a write from 2024 into any process other than its own WerFault child would be the case worth chasing.
Processes
1. C:\Users\Admin\AppData\Local\Temp\caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 860
      - Program crash
WerFault.exe is taken from SysWOW64 and the -p argument names the sample's pid (2024), so the sample is a 32-bit process on the 64-bit Windows 7 image and the crash handler is its own.
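The WriteProcessMemory signature above fires on every cross-process write, which includes the benign write a crashing process makes into the WerFault.exe child it spawns for itself. The following is an added triage example, not code from the sandbox or from the sample: it parses report lines of the shape shown above, reads the -p pid out of the WerFault.exe command line, and labels a write as "crash-handler" only when the target is the writer's own WerFault instance. The process table and the four events are taken from this report; the pid-1337 explorer.exe entry and the fifth event are constructed to exercise the other branch.

```python
import re
from collections import Counter

# Constructed from the report above: command lines per pid and the
# WriteProcessMemory events. pid 1337 and the last event are constructed
# additions (not in the report) so the injection branch is exercised too.
SAMPLE = "caf1bf6339d21c8bf3451420e78097bf7c8fa0a6baad42afa9a4f32981864120.exe"
PROCESSES = {
    2024: '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"',
    576: "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2024 -s 860",
    1337: "C:\\Windows\\explorer.exe",  # constructed, not in the report
}
WPM_EVENTS = [
    "PID 2024 wrote to memory of 576",
    "PID 2024 wrote to memory of 576",
    "PID 2024 wrote to memory of 576",
    "PID 2024 wrote to memory of 576",
    "PID 2024 wrote to memory of 1337",  # constructed, not in the report
]

# WerFault.exe -u -p <faulting pid> -s <event handle>
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+(\d+)", re.I)
EVENT_RE = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)")


def werfault_faulting_pid(cmdline):
    """Return the pid named by -p in a WerFault.exe command line, else None.

    The faulting process starts WerFault.exe for itself via the unhandled
    exception path, so the only cross-process writes this explains are from
    that pid into that WerFault instance.
    """
    m = WERFAULT_RE.search(cmdline)
    return int(m.group(1)) if m else None


def classify_write(writer, target, processes):
    """Label one WriteProcessMemory event from writer pid to target pid."""
    target_cmd = processes.get(target, "")
    if werfault_faulting_pid(target_cmd) == writer:
        return "crash-handler"       # writer spawned WerFault for its own pid
    return "possible-injection"      # any other cross-process write


def triage(events, processes):
    """Parse report lines; return [(writer, target, verdict), ...]."""
    out = []
    for line in events:
        m = EVENT_RE.search(line)
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        out.append((writer, target, classify_write(writer, target, processes)))
    return out


def summary(results):
    """Count verdicts, collapsing the repeated identical events."""
    return dict(Counter(verdict for _, _, verdict in results))


if __name__ == "__main__":
    results = triage(WPM_EVENTS, PROCESSES)
    for writer, target, verdict in results:
        image = PROCESSES.get(target, "?").split()[0]
        print(f"{writer} -> {target} ({image}): {verdict}")
    print(summary(results))
```

On the report's own four events the verdict is "crash-handler" every time; only the constructed write into explorer.exe is flagged. The check keys on the -p value rather than on the image name alone, so a WerFault.exe started for some other pid would still be flagged.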
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/576-58-0x0000000000000000-mapping.dmp
- memory/2024-54-0x0000000075B71000-0x0000000075B73000-memory.dmp (8KB)
- memory/2024-55-0x000000000028B000-0x00000000002A6000-memory.dmp (108KB)
- memory/2024-56-0x0000000000480000-0x00000000004B0000-memory.dmp (192KB)
- memory/2024-57-0x0000000000400000-0x000000000047A000-memory.dmp (488KB)
The listed sizes match the address ranges (for example 0x47A000 - 0x400000 = 0x7A000 bytes = 488KB). The 0x00400000 region is the default image base of a 32-bit PE, so that dump is the sample's own mapped image in pid 2024 and is the one to start from when comparing the in-memory image with the 293KB file on disk.