oski | 5081336887096e6b585b69e35b2b4b6fb0f2ed9154d51f96216be598e8ba5300

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2022 16:46

Target

081b94112d9086adb69bfff00827a9bc5d59826a50e37ab7109686fc71f5db62.exe
Size

200KB
MD5

85ec820f8dda2f12dc1d56722a28f65d
SHA1

a601e4ceeca0ee0c954bc7c4f9e52b529970815d
SHA256

081b94112d9086adb69bfff00827a9bc5d59826a50e37ab7109686fc71f5db62
SHA512

384331470851d6cc8c3dc77dd707704e4d9050f1e9f0cfd67b371260849fb981ac0bde93aa2516fe8d51ba33fada63c9590d8ae20a63328bf77440a481907cf0
SSDEEP

3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fI71Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pNC1Ljo3c

Score

10^/10

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4364	4644	WerFault.exe	80

C:\Users\Admin\AppData\Local\Temp\081b94112d9086adb69bfff00827a9bc5d59826a50e37ab7109686fc71f5db62.exe
"C:\Users\Admin\AppData\Local\Temp\081b94112d9086adb69bfff00827a9bc5d59826a50e37ab7109686fc71f5db62.exe"
1⤵
PID:4644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1324
  2⤵
  - Program crash
  PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4644 -ip 4644
1⤵
PID:1140

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact