Analysis Overview
SHA256
17eec24f99a3eb9493e635ade92d45b788eacb5a658de978531b7c33bf4b196b
Threat Level: Known bad
The file F072-01953382-ESERMUL.IMG was found to be: Known bad.
Malicious Activity Summary
Oski
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-08 15:09
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-08 15:09
Reported
2022-04-08 15:12
Platform
win10v2004-20220331-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Oski
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4564 set thread context of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\F072_019.exe
"C:\Users\Admin\AppData\Local\Temp\F072_019.exe"
C:\Users\Admin\AppData\Local\Temp\F072_019.exe
"C:\Users\Admin\AppData\Local\Temp\F072_019.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 100 -ip 100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 236
Network
| Country | Destination | Domain | Proto |
| RU | 23.196.236.146:80 | | tcp |
| NL | 20.50.201.200:443 | | tcp |
| FI | 62.115.252.112:80 | | tcp |
| FI | 62.115.252.112:80 | | tcp |
| FI | 62.115.252.112:80 | | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
Files
memory/4564-124-0x0000000000850000-0x00000000008D6000-memory.dmp
memory/4564-125-0x00000000058F0000-0x0000000005E94000-memory.dmp
memory/4564-126-0x0000000005270000-0x0000000005302000-memory.dmp
memory/4564-127-0x0000000005480000-0x000000000551C000-memory.dmp
memory/4564-128-0x0000000005320000-0x000000000532A000-memory.dmp
memory/4564-129-0x0000000007980000-0x00000000079E6000-memory.dmp
memory/100-130-0x0000000000000000-mapping.dmp
memory/100-131-0x0000000000400000-0x0000000000438000-memory.dmp
memory/100-132-0x0000000000400000-0x0000000000438000-memory.dmp
memory/100-133-0x0000000000400000-0x0000000000438000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-08 15:09
Reported
2022-04-08 15:12
Platform
win7-20220310-en
Max time kernel
4294185s
Max time network
123s
Command Line
Signatures
Oski
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1040 set thread context of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\F072_019.exe
"C:\Users\Admin\AppData\Local\Temp\F072_019.exe"
C:\Users\Admin\AppData\Local\Temp\F072_019.exe
"C:\Users\Admin\AppData\Local\Temp\F072_019.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 272 -s 776
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | friktomb.cf | udp |
Files
memory/1040-54-0x0000000001190000-0x0000000001216000-memory.dmp
memory/1040-55-0x0000000000340000-0x000000000034A000-memory.dmp
memory/1040-56-0x00000000052E0000-0x000000000535A000-memory.dmp
memory/1040-57-0x0000000000CE0000-0x0000000000D18000-memory.dmp
memory/272-58-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-59-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-65-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-68-0x000000000040717B-mapping.dmp
memory/272-67-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-71-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-72-0x0000000075691000-0x0000000075693000-memory.dmp
memory/1008-73-0x0000000000000000-mapping.dmp
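Added example (not part of the original report or of the sandbox's own tooling): a Python script that parses the dump file names and the "set thread context" rows from both behavioural runs above and flags the process-hollowing shape they show. In each run F072_019.exe launches a second copy of itself, writes into it (WriteProcessMemory) and redirects a thread with SetThreadContext; the child's 0x400000-0x438000 region is then dumped repeatedly, which is what the sandbox does when the same image region keeps changing. The script pairs each injector/target PID with the target region that was dumped at least twice and reports its size. Assumptions, not stated by the report: a memory.dmp name is pid-index-start-end, and the address in a mapping.dmp name is treated as the location where mapped content was placed, so a mapping address inside the rewritten region (0x40717B in the win7 run) is reported as corroborating evidence only.

```python
import re
from collections import Counter, defaultdict

# Constructed input: dump names and signature rows copied from the two runs in this report.
DUMPS_WIN7 = """
memory/1040-54-0x0000000001190000-0x0000000001216000-memory.dmp
memory/1040-55-0x0000000000340000-0x000000000034A000-memory.dmp
memory/1040-56-0x00000000052E0000-0x000000000535A000-memory.dmp
memory/1040-57-0x0000000000CE0000-0x0000000000D18000-memory.dmp
memory/272-58-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-59-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-65-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-68-0x000000000040717B-mapping.dmp
memory/272-67-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-71-0x0000000000400000-0x0000000000438000-memory.dmp
memory/272-72-0x0000000075691000-0x0000000075693000-memory.dmp
memory/1008-73-0x0000000000000000-mapping.dmp
""".split()
SIGS_WIN7 = [r"| PID 1040 set thread context of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe |"]

DUMPS_WIN10 = """
memory/4564-124-0x0000000000850000-0x00000000008D6000-memory.dmp
memory/4564-125-0x00000000058F0000-0x0000000005E94000-memory.dmp
memory/4564-126-0x0000000005270000-0x0000000005302000-memory.dmp
memory/4564-127-0x0000000005480000-0x000000000551C000-memory.dmp
memory/4564-128-0x0000000005320000-0x000000000532A000-memory.dmp
memory/4564-129-0x0000000007980000-0x00000000079E6000-memory.dmp
memory/100-130-0x0000000000000000-mapping.dmp
memory/100-131-0x0000000000400000-0x0000000000438000-memory.dmp
memory/100-132-0x0000000000400000-0x0000000000438000-memory.dmp
memory/100-133-0x0000000000400000-0x0000000000438000-memory.dmp
""".split()
SIGS_WIN10 = [r"| PID 4564 set thread context of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\F072_019.exe | C:\Users\Admin\AppData\Local\Temp\F072_019.exe |"]

# Assumed naming scheme: memory/<pid>-<index>-0x<start>[-0x<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_dumps(names):
    """Return ({pid: Counter[(start, end)]}, {pid: [mapping_addr]})."""
    regions = defaultdict(Counter)
    mappings = defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid, start = int(m["pid"]), int(m["start"], 16)
        if m["kind"] == "memory":
            regions[pid][(start, int(m["end"], 16))] += 1  # count repeated dumps of one region
        else:
            mappings[pid].append(start)
    return regions, mappings


def parse_thread_context_pairs(rows):
    """(injector_pid, target_pid) for every 'PID a set thread context of b' in the rows."""
    return [(int(a), int(b)) for row in rows for a, b in CTX_RE.findall(row)]


def hollowing_evidence(dump_names, signature_rows, min_rewrites=2):
    """For each SetThreadContext pair, report target regions dumped >= min_rewrites times."""
    regions, mappings = parse_dumps(dump_names)
    findings = []
    for src, dst in parse_thread_context_pairs(signature_rows):
        for (start, end), count in sorted(regions[dst].items()):
            if count < min_rewrites:
                continue  # a region dumped once is normal; repeated dumps mean it kept changing
            hits = [a for a in mappings.get(dst, []) if start <= a < end]
            findings.append({
                "injector_pid": src,
                "target_pid": dst,
                "region": (start, end),
                "size": end - start,
                "dump_count": count,
                "mapping_in_region": hits,
            })
    return findings


if __name__ == "__main__":
    for label, dumps, sigs in (("win7", DUMPS_WIN7, SIGS_WIN7), ("win10", DUMPS_WIN10, SIGS_WIN10)):
        for f in hollowing_evidence(dumps, sigs):
            print(label, f"{f['injector_pid']} -> {f['target_pid']}",
                  f"region 0x{f['region'][0]:X}-0x{f['region'][1]:X} ({f['size']:#x} bytes)",
                  f"dumped {f['dump_count']}x, mapping hits {[hex(a) for a in f['mapping_in_region']]}")
```

Both runs yield a single finding: the child copy's 0x400000-0x438000 region (0x38000 bytes) rewritten in place, eight dumps on win7 and three on win10. The win7 mapping address 0x40717B falls inside that region; the win10 mapping dump is at address 0 and so corroborates nothing. The child then crashes under WerFault in both runs, which is consistent with the injected image failing rather than running to completion, but the dumps of that region are where the unpacked payload should be carved from.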