oski | 926feeef2021947033247905285c46a97964d6894551136915c3b46f55992cb4

Analysis

max time kernel
44s
max time network
72s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-11-2022 04:16

Target

926FEEEF2021947033247905285C46A97964D68945511.exe
Size

200KB
MD5

db21611c14e6b5c000fe1bf415d562a7
SHA1

4e2d2865fe8c6d2a32c6f1b25e4781682c88e6c7
SHA256

926feeef2021947033247905285c46a97964d6894551136915c3b46f55992cb4
SHA512

90a09804394048ae4f237b98126426e0cb6710c660f3eef1ed4a4050bb92d55179a90bddec23af01819e8180fcd674aea3ec886fa2a153350619e129c83accfc
SSDEEP

3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fI/1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNK1Ljo3c

Score

10^/10

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1100 2016 WerFault.exe 926FEEEF2021947033247905285C46A97964D68945511.exe

pid	pid_target	process	target process
1100	2016	WerFault.exe	926FEEEF2021947033247905285C46A97964D68945511.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

926FEEEF2021947033247905285C46A97964D68945511.exe

description	pid	process	target process
PID 2016 wrote to memory of 1100	2016	926FEEEF2021947033247905285C46A97964D68945511.exe	WerFault.exe
PID 2016 wrote to memory of 1100	2016	926FEEEF2021947033247905285C46A97964D68945511.exe	WerFault.exe
PID 2016 wrote to memory of 1100	2016	926FEEEF2021947033247905285C46A97964D68945511.exe	WerFault.exe
PID 2016 wrote to memory of 1100	2016	926FEEEF2021947033247905285C46A97964D68945511.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\926FEEEF2021947033247905285C46A97964D68945511.exe
"C:\Users\Admin\AppData\Local\Temp\926FEEEF2021947033247905285C46A97964D68945511.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 780
2⤵
- Program crash
PID:1100

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/1100-55-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download