Analysis Overview
SHA256
e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42
Threat Level: Known bad
The file e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42 was found to be: Known bad.
Malicious Activity Summary
Oski
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-04-18 10:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-18 10:52
Reported
2022-04-18 16:46
Platform
win7-20220414-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Oski
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1460 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe | C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe
"C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe"
C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe
"C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 185.206.214.130:80 | | tcp |
| NL | 185.206.214.130:80 | | tcp |
| NL | 185.206.214.130:80 | | tcp |
| NL | 185.206.214.130:80 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-18 10:52
Reported
2022-04-18 16:47
Platform
win10v2004-20220414-en
Max time kernel
181s
Max time network
187s
Command Line
Signatures
Oski
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4224 set thread context of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe | C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe
"C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe"
C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe
"C:\Users\Admin\AppData\Local\Temp\e0654cd7e7028ee40cd105e89f67608b68c9c4d0b92471d88996bb2508db5e42.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.247.211.126:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 52.242.97.97:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| GB | 51.104.15.253:443 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 8.247.211.126:80 | | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| NL | 185.206.214.130:80 | | tcp |
| NL | 8.248.3.254:80 | | tcp |
| BE | 67.27.154.126:80 | | tcp |
| NL | 185.206.214.130:80 | | tcp |
| NL | 185.206.214.130:80 | | tcp |
| NL | 185.206.214.130:80 | | tcp |
Files