Overview

overview

10

Static

static

65b3950a62...d0.exe

windows7-x64

10

65b3950a62...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2022 10:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65b3950a62245fbbf12576b000623feccf941ec225bceba333ebca578f5fe6d0.exe

  • Size

    7.3MB

  • MD5

    0d7a584f85880b0c8541833714af9745

  • SHA1

    def0269ccfa9518b4827e4d1bbf37c2a452f23ce

  • SHA256

    65b3950a62245fbbf12576b000623feccf941ec225bceba333ebca578f5fe6d0

  • SHA512

    649b17a838be68a244bc8ccca43fbbc259ce84472016c51c4a63f022acea0cb2cdcb05ef1db1dbe61b9c6e7091e04fe1315923cc36b92ea23d6d533c6f2a5d13

  • SSDEEP

    196608:yshVZPqIbleCIWtzM1lKmTC+3NRHgz1fL2wbp/Th:yspZpIvlKMxgxzfF

Score
10/10
oskiinfostealerspywarestealer

Malware Config

Extracted

Family

oski

C2

shivabhaiji.in

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65b3950a62245fbbf12576b000623feccf941ec225bceba333ebca578f5fe6d0.exe
    "C:\Users\Admin\AppData\Local\Temp\65b3950a62245fbbf12576b000623feccf941ec225bceba333ebca578f5fe6d0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\VIP72\crack.exe
      "C:\Users\Admin\AppData\Local\Temp\VIP72\crack.exe"
      2⤵
      • Executes dropped EXE
      PID:3520
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 1748
        3⤵
        • Program crash
        PID:4860
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3520 -ip 3520
    1⤵
      PID:2500

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\VIP72\crack.exe
      Filesize

      200KB

      MD5

      f5c3c74c09dc9797228bb5ac5020b6b9

      SHA1

      269d6eacfcd62024c3937f785e0f6ec62a91b46e

      SHA256

      9d1ef296437c72f86d3ca4faec512b5686cbee7bfe0493b3c4a378d61a7ae686

      SHA512

      3a804ff2b983266de1f8412f8a448fd655bf3c1914a2cbb46e3afcb8f7b0ab4657b397c5a074bcc9abc80e9759664b5b0abb0e8df9527906ca3bb8020ad5e868

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\VIP72\crack.exe
      Filesize

      200KB

      MD5

      f5c3c74c09dc9797228bb5ac5020b6b9

      SHA1

      269d6eacfcd62024c3937f785e0f6ec62a91b46e

      SHA256

      9d1ef296437c72f86d3ca4faec512b5686cbee7bfe0493b3c4a378d61a7ae686

      SHA512

      3a804ff2b983266de1f8412f8a448fd655bf3c1914a2cbb46e3afcb8f7b0ab4657b397c5a074bcc9abc80e9759664b5b0abb0e8df9527906ca3bb8020ad5e868

      Download Submit