oski | dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0

Analysis

max time kernel
112s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 17:37

Target

DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe
Size

200KB
MD5

28682416fd765969c4d42c76d8f59d69
SHA1

723de57b27d0b285ea5003907eb2c44159ecef31
SHA256

dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0
SHA512

acaa3ffdb154d55137de75c5005d9467a8fc0e02662240b80d6cd5546a03a59e49db85cf41e1dae33f606620058a2a043d1c7966394a5f86e98b8d90143c2fca
SSDEEP

3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIM1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pN51Ljo3c

Score

10^/10

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3472	1208	WerFault.exe	78

C:\Users\Admin\AppData\Local\Temp\DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe
"C:\Users\Admin\AppData\Local\Temp\DFE5049756F130F2559746DA26D1A7DCE785B0099A715.exe"
1⤵
PID:1208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1948
  2⤵
  - Program crash
  PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1208 -ip 1208
1⤵
PID:4720

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact