oski | dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0

Analysis

max time kernel
27s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
31-01-2023 17:35

Target

DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe
Size

200KB
MD5

28682416fd765969c4d42c76d8f59d69
SHA1

723de57b27d0b285ea5003907eb2c44159ecef31
SHA256

dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0
SHA512

acaa3ffdb154d55137de75c5005d9467a8fc0e02662240b80d6cd5546a03a59e49db85cf41e1dae33f606620058a2a043d1c7966394a5f86e98b8d90143c2fca
SSDEEP

3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIM1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pN51Ljo3c

Score

10^/10

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1276 2040 WerFault.exe DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe

pid	pid_target	process	target process
1276	2040	WerFault.exe	DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe

description	pid	process	target process
PID 2040 wrote to memory of 1276	2040	DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe	WerFault.exe
PID 2040 wrote to memory of 1276	2040	DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe	WerFault.exe
PID 2040 wrote to memory of 1276	2040	DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe	WerFault.exe
PID 2040 wrote to memory of 1276	2040	DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe
"C:\Users\Admin\AppData\Local\Temp\DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1000
2⤵
- Program crash
PID:1276

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/1276-55-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download