oski | db348dc69788f96c6ccdaedb34b150fa21ac9d275a523e063b794c463d1f93a6

Analysis

max time kernel
42s
max time network
72s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 18:51

Target

DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe
Size

200KB
MD5

092557d071b1aed5fc6340068e5dbfba
SHA1

6742f81d03cbd4fa5c2263e1711fa1cf10ca2aa9
SHA256

db348dc69788f96c6ccdaedb34b150fa21ac9d275a523e063b794c463d1f93a6
SHA512

f06c1d075bd863deb6a4eb9d41f58db42398caf5122a96028d7fd0ba84e0636719b53a9ca4b6282d1355ff335255cf90acd2f0315c16942296fc6c8c2cf894d6
SSDEEP

3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIb1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNW1Ljo3c

Score

10^/10

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1256 1960 WerFault.exe DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe

pid	pid_target	process	target process
1256	1960	WerFault.exe	DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe

description	pid	process	target process
PID 1960 wrote to memory of 1256	1960	DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe	WerFault.exe
PID 1960 wrote to memory of 1256	1960	DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe	WerFault.exe
PID 1960 wrote to memory of 1256	1960	DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe	WerFault.exe
PID 1960 wrote to memory of 1256	1960	DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe
"C:\Users\Admin\AppData\Local\Temp\DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 780
2⤵
- Program crash
PID:1256

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/1256-55-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download