oski | 872da01aaf57efa2f1cdd7f39da1f903294e62e7641debe90c0c45a6b2bb90dd

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-02-2023 08:20

Target

dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0.exe
Size

200KB
MD5

28682416fd765969c4d42c76d8f59d69
SHA1

723de57b27d0b285ea5003907eb2c44159ecef31
SHA256

dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0
SHA512

acaa3ffdb154d55137de75c5005d9467a8fc0e02662240b80d6cd5546a03a59e49db85cf41e1dae33f606620058a2a043d1c7966394a5f86e98b8d90143c2fca
SSDEEP

3072:WfUomEuYm98dlSq7gt5q7Dx+XgS6aCEwhOfUbCalNT2pbB3fIM1Xi6FLPo3c:WfUauY68uSWCx+XA7mg2pN51Ljo3c

Score

10^/10

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

588 1096 WerFault.exe dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0.exe

pid	pid_target	process	target process
588	1096	WerFault.exe	dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0.exe

description	pid	process	target process
PID 1096 wrote to memory of 588	1096	dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0.exe	WerFault.exe
PID 1096 wrote to memory of 588	1096	dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0.exe	WerFault.exe
PID 1096 wrote to memory of 588	1096	dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0.exe	WerFault.exe
PID 1096 wrote to memory of 588	1096	dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0.exe
"C:\Users\Admin\AppData\Local\Temp\dfe5049756f130f2559746da26d1a7dce785b0099a715b55d3cc6f31361c96c0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 1000
2⤵
- Program crash
PID:588

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

memory/588-55-0x0000000000000000-mapping.dmp

Download
memory/1096-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download