Malware Analysis Report

2025-01-03 04:55

Sample ID 220420-clvfpsdbbp
Target 75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c
SHA256 75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c
Tags
oski infostealer
score
10/10

Analysis Overview

score
10/10

SHA256

75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c

Threat Level: Known bad

The file 75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c was found to be: Known bad.

Malicious Activity Summary

oski infostealer

Oski

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-04-20 02:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-20 02:10

Reported

2022-04-20 02:13

Platform

win7-20220414-en

Max time kernel

138s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"

Signatures

Oski

infostealer oski

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1964 wrote to memory of 1944 (10 events) | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe

"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"

C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe

"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"

Network

Country | Destination | Domain | Proto
NL | 80.89.230.198:80 | (none) | tcp

Files

memory/1964-54-0x0000000001390000-0x000000000141E000-memory.dmp
memory/1964-55-0x0000000000290000-0x00000000002DE000-memory.dmp
memory/1964-56-0x00000000002E0000-0x00000000002FC000-memory.dmp
memory/1944-57-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-58-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-60-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-62-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-64-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-67-0x000000000040717B-mapping.dmp
memory/1944-66-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-69-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-70-0x00000000756E1000-0x00000000756E3000-memory.dmp
memory/1944-71-0x0000000000400000-0x0000000000438000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-20 02:10

Reported

2022-04-20 02:13

Platform

win10v2004-20220414-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"

Signatures

Oski

infostealer oski

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4248 wrote to memory of 3396 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe
PID 4248 wrote to memory of 5028 (9 events) | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe

"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"

C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe

"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"

C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe

"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"

Network

Country | Destination | Domain | Proto
NL | 13.69.116.104:443 | (none) | tcp
NL | 178.79.208.1:80 | (none) | tcp
NL | 178.79.208.1:80 | (none) | tcp
US | 204.79.197.203:80 | (none) | tcp
US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp
NL | 80.89.230.198:80 | (none) | tcp
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp
FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp

Files

memory/4248-130-0x0000000000800000-0x000000000088E000-memory.dmp
memory/3396-131-0x0000000000000000-mapping.dmp
memory/5028-132-0x0000000000000000-mapping.dmp
memory/5028-133-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5028-134-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5028-135-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5028-136-0x0000000000400000-0x0000000000438000-memory.dmp