Malware Analysis Report
2025-01-03 04:56

Sample ID: 220407-3mpjysbaal
Target:    F072-01953382-ESERMUL.exe
SHA256:    48d338ba06ada3da080eeeddb8a267b1b677dc9c3670f13e333ec8c73ff1b02c
Tags:      oski infostealer
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:        10/10
SHA256:       48d338ba06ada3da080eeeddb8a267b1b677dc9c3670f13e333ec8c73ff1b02c
Threat Level: Known bad

The file F072-01953382-ESERMUL.exe was found to be: Known bad.

Malicious Activity Summary

oski infostealer
Oski
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-04-07 23:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2022-04-07 23:38
Reported:         2022-04-07 23:40
Platform:         win7-20220310-en
Max time kernel:  4294183s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe"

Signatures

Oski

infostealer oski

Suspicious use of SetThreadContext

Description                         | Indicator | Process                                                     | Target
PID 1904 set thread context of 1008 | N/A       | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process                                                     | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description             | Indicator | Process                                                     | Target
Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process                                                     | Target                                                      | Events
PID 1904 wrote to memory of 564  | N/A       | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe | 4
PID 1904 wrote to memory of 1008 | N/A       | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe | 10
PID 1008 wrote to memory of 1640 | N/A       | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe | C:\Windows\SysWOW64\WerFault.exe                            | 4

Processes

C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe
    "C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe"

C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe
    "C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe"

C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe
    "C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 112

Network

N/A

Files

memory/1904-54-0x0000000000B30000-0x0000000000BB6000-memory.dmp
memory/1904-55-0x0000000000540000-0x000000000054A000-memory.dmp
memory/1904-56-0x0000000005120000-0x000000000519A000-memory.dmp
memory/1904-57-0x00000000021E0000-0x0000000002218000-memory.dmp
memory/1008-58-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1008-59-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1008-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1008-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1008-65-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1008-68-0x000000000040717B-mapping.dmp
memory/1008-67-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1008-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1640-71-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2022-04-07 23:38
Reported:         2022-04-07 23:40
Platform:         win10v2004-20220331-en
Max time kernel:  150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe"

Signatures

Oski

infostealer oski

Suspicious use of SetThreadContext

Description                         | Indicator | Process                                                     | Target
PID 1012 set thread context of 3840 | N/A       | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe | C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe

Processes

C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe
    "C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe"

C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe
    "C:\Users\Admin\AppData\Local\Temp\F072-01953382-ESERMUL.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3840 -ip 3840

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 236

Network

Country | Destination      | Domain | Proto
FI      | 62.115.252.81:80 |        | tcp
US      | 13.107.4.50:80   |        | tcp
US      | 13.107.4.50:80   |        | tcp

Files

memory/1012-124-0x0000000000CE0000-0x0000000000D66000-memory.dmp
memory/1012-125-0x0000000005BB0000-0x0000000006154000-memory.dmp
memory/1012-126-0x0000000005700000-0x0000000005792000-memory.dmp
memory/1012-127-0x0000000005840000-0x00000000058DC000-memory.dmp
memory/1012-128-0x00000000057B0000-0x00000000057BA000-memory.dmp
memory/1012-129-0x0000000007F00000-0x0000000007F66000-memory.dmp
memory/3840-130-0x0000000000000000-mapping.dmp
memory/3840-131-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3840-132-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3840-133-0x0000000000400000-0x0000000000438000-memory.dmp