Malware Analysis Report

2025-01-03 04:58

Sample ID: 220414-q94aeaegf8
Target: add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac
SHA256: add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac
Tags: oski, infostealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac

Threat Level: Known bad

The file add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac was found to be: Known bad.

Malicious Activity Summary

oski infostealer

Oski

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Read together, these signatures describe one technique: the sample enables SeDebugPrivilege, runs a second instance of its own image, writes into that instance's memory and redirects a thread in it with SetThreadContext. That is the process-hollowing (RunPE) loader pattern (ATT&CK T1055.012), even though the MITRE ATT&CK section of this report is empty. Note that SetThreadContext is listed here but does not appear in either detonation's signature table below; the WriteProcessMemory rows and the child's memory dumps are the evidence this report actually carries.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-04-14 13:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-14 13:58

Reported

2022-04-14 15:32

Platform

win7-20220310-en

Max time kernel

4294207s (not a real runtime: the value is consistent with a wrapped 32-bit millisecond tick counter, 2^32 ms being about 4294967s; compare 148s for the same sample in behavioral2)

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe"

Signatures

Oski

infostealer oski

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe N/A

Suspicious use of WriteProcessMemory

Description                      Indicator  Process / Target                                                                                                     Count
PID 1080 wrote to memory of 908  N/A        C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe (both)     10

All ten writes go from the parent instance (PID 1080) into the second instance of the same image (PID 908); the Process and Target columns carry the same path in every row.

Processes

C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe
  PID 1080: the submitted sample, the writer in the WriteProcessMemory rows above.
  "C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe"

C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe
  PID 908: a second instance of the same image that PID 1080 writes into; its 0x400000-0x438000 region is the one dumped repeatedly under Files.
  "C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe"

Network

Country  Destination        Domain  Proto  Count
NL       80.89.230.198:80   -       tcp    3

Files

Dump names follow memory/<pid>-<index>-<start>-<end>-memory.dmp; the mapping.dmp entry carries a single address rather than a range.

PID 1080 (parent, the writer in the WriteProcessMemory rows):
memory/1080-54-0x0000000000ED0000-0x0000000000FC6000-memory.dmp
memory/1080-55-0x0000000000D00000-0x0000000000D58000-memory.dmp
memory/1080-56-0x0000000000430000-0x000000000044C000-memory.dmp

PID 908 (child, the second instance of the same image):
memory/908-57-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-58-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-60-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-62-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-64-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-67-0x000000000040717B-mapping.dmp
memory/908-66-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-69-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-71-0x00000000768A1000-0x00000000768A3000-memory.dmp

The repeated 0x0000000000400000-0x0000000000438000 dumps of PID 908 are successive snapshots of the child's image region (0x38000 bytes) as the parent writes into it; the mapping address 0x40717B falls inside that region, which is what a thread redirected into a freshly written image looks like. These child dumps, not the parent's, are the ones to carve for the unpacked Oski payload.

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-14 13:58

Reported

2022-04-14 15:33

Platform

win10v2004-20220331-en

Max time kernel

148s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe"

Signatures

Oski

infostealer oski

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe N/A

Suspicious use of WriteProcessMemory

Description                        Indicator  Process / Target                                                                                                     Count
PID 3212 wrote to memory of 3496   N/A        C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe (both)     9

All nine writes go from the parent instance (PID 3212) into the second instance of the same image (PID 3496), the same shape as in behavioral1.

Processes

C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe
  PID 3212: the submitted sample, the writer in the WriteProcessMemory rows above.
  "C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe"

C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe
  PID 3496: a second instance of the same image that PID 3212 writes into; its 0x400000-0x438000 region is the one dumped under Files.
  "C:\Users\Admin\AppData\Local\Temp\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe"

Network

Country  Destination           Domain                       Proto  Count
US       13.107.4.50:80        -                            tcp    3
NL       20.190.160.130:443    -                            tcp    2
FI       62.115.252.112:80     -                            tcp    1
US       52.168.117.169:443    -                            tcp    1
FI       62.115.252.81:80      -                            tcp    3
NL       20.190.160.70:443     -                            tcp    1
US       8.8.8.8:53            14.110.152.52.in-addr.arpa   udp    1
NL       80.89.230.198:80      -                            tcp    1

80.89.230.198:80 is the only destination contacted in both detonations (three times on Windows 7, once here) and is the endpoint to treat as this sample's network IOC. None of the other Windows 10 destinations appear in behavioral1; treat them as OS background traffic unless a sample-specific artifact corroborates them.

Files

Dump names follow memory/<pid>-<index>-<start>-<end>-memory.dmp; the mapping.dmp entry carries a single address rather than a range.

PID 3212 (parent, the writer in the WriteProcessMemory rows):
memory/3212-124-0x00000000003B0000-0x00000000004A6000-memory.dmp
memory/3212-125-0x0000000004CD0000-0x0000000004D46000-memory.dmp
memory/3212-126-0x0000000005300000-0x00000000058A4000-memory.dmp
memory/3212-127-0x0000000000D60000-0x0000000000D7E000-memory.dmp

PID 3496 (child, the second instance of the same image):
memory/3496-128-0x0000000000000000-mapping.dmp
memory/3496-129-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3496-130-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3496-131-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3496-132-0x0000000000400000-0x0000000000438000-memory.dmp

The child's dumped region 0x0000000000400000-0x0000000000438000 (0x38000 bytes) is the same range seen for PID 908 in behavioral1, consistent with the same payload being written at the same base on both platforms. Unlike behavioral1, the mapping entry here is recorded at address 0, so this run gives no address inside the written region.
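The triage a practitioner does on a report like this, as an added example (the editor's code, not the sandbox's or the report's): parse the flattened WriteProcessMemory, Network and Files tables of both detonations, count the writer-to-target pairs and flag those where both sides run the same image, intersect the destinations across runs to isolate the sample's own endpoint, and check which dumped region the child's mapping address falls in. The input rows are copied from the tables above; the regexes, the function names and the assumption that dump names follow memory/<pid>-<index>-0x<start>[-0x<end>]-<memory|mapping>.dmp are the editor's.

```python
"""Triage helpers for the flattened tables in the sandbox report above.

Added example (editor's code, not the sandbox's).  Input rows are copied
from the report; the regexes and the dump-name layout are assumptions."""
import re
from collections import Counter
from pprint import pprint
from typing import Dict, List, Optional, Set, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\add219d5aa50133ae767e3adbc531ddd39dc042921d5a2c99f20e101f5496cac.exe")

# "Suspicious use of WriteProcessMemory" rows, columns Description Indicator Process Target.
WPM_ROWS: Dict[str, List[str]] = {
    "behavioral1": [f"PID 1080 wrote to memory of 908 N/A {SAMPLE} {SAMPLE}"] * 10,
    "behavioral2": [f"PID 3212 wrote to memory of 3496 N/A {SAMPLE} {SAMPLE}"] * 9,
}
# "Network" rows, columns Country Destination Domain Proto (Domain is usually empty).
NET_ROWS: Dict[str, List[str]] = {
    "behavioral1": ["NL 80.89.230.198:80 tcp"] * 3,
    "behavioral2": [
        "US 13.107.4.50:80 tcp", "NL 20.190.160.130:443 tcp",
        "FI 62.115.252.112:80 tcp", "US 52.168.117.169:443 tcp",
        "FI 62.115.252.81:80 tcp", "NL 20.190.160.70:443 tcp",
        "US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp", "NL 80.89.230.198:80 tcp",
    ],
}
# "Files" entries for the child process (PID 908) of behavioral1.
DUMP_FILES = [
    "memory/908-57-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/908-67-0x000000000040717B-mapping.dmp",
    "memory/908-71-0x00000000768A1000-0x00000000768A3000-memory.dmp",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
NET_RE = re.compile(r"^([A-Z]{2}) (\S+:\d+)(?: (\S+))? (tcp|udp)$")
# Assumed layout: memory/<pid>-<index>-0x<start>[-0x<end>]-<memory|mapping>.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")


def injection_pairs(rows: List[str]) -> Counter:
    """Count (writer pid, target pid, same_image) triples.  A parent writing
    into a child that runs the same image is the self-injection shape of
    process hollowing; the count is the number of write chunks recorded."""
    pairs: Counter = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            src, dst, _indicator, proc, target = m.groups()
            pairs[(int(src), int(dst), proc.lower() == target.lower())] += 1
    return pairs


def destinations(rows: List[str]) -> Set[str]:
    """ip:port endpoints from Network rows, ignoring the optional Domain column."""
    return {m.group(2) for m in map(NET_RE.match, rows) if m}


def common_destinations(runs: Dict[str, List[str]]) -> Set[str]:
    """Endpoints seen in every detonation; anything else is suspect as OS noise."""
    sets = [destinations(rows) for rows in runs.values()]
    return set.intersection(*sets) if sets else set()


def parse_dumps(files: List[str]) -> Tuple[Dict[int, Set[Tuple[int, int]]], Dict[int, Set[int]]]:
    """Split dump names into per-pid (start, end) regions and mapping addresses."""
    regions: Dict[int, Set[Tuple[int, int]]] = {}
    mappings: Dict[int, Set[int]] = {}
    for name in files:
        m = DUMP_RE.match(name)
        if not m:
            continue
        pid, start, end, kind = int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)
        if kind == "memory" and end is not None:
            regions.setdefault(pid, set()).add((start, int(end, 16)))
        elif kind == "mapping":
            mappings.setdefault(pid, set()).add(start)
    return regions, mappings


def mapping_hits(files: List[str]) -> Dict[Tuple[int, int], Optional[Tuple[int, int]]]:
    """For every mapping address, the dumped region of the same pid containing it
    (None if none does).  A hit inside the child's 0x400000 image region means
    the recorded address points into memory the parent overwrote."""
    regions, mappings = parse_dumps(files)
    hits: Dict[Tuple[int, int], Optional[Tuple[int, int]]] = {}
    for pid, addrs in mappings.items():
        for addr in addrs:
            hits[(pid, addr)] = next(
                (r for r in sorted(regions.get(pid, ())) if r[0] <= addr < r[1]), None)
    return hits


def triage() -> dict:
    """One summary a reviewer can diff between report revisions."""
    return {
        "injection": {run: dict(injection_pairs(rows)) for run, rows in WPM_ROWS.items()},
        "common_destinations": sorted(common_destinations(NET_ROWS)),
        "mapping_hits": mapping_hits(DUMP_FILES),
    }


if __name__ == "__main__":
    pprint(triage())
```

Running the script prints the two same-image injection pairs (1080 into 908 ten times, 3212 into 3496 nine times), 80.89.230.198:80 as the only endpoint common to both runs, and the child's 0x400000-0x438000 region as the one containing the mapping address 0x40717B.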