Analysis Overview
SHA256
75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c
Threat Level: Known bad
The file 75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c was found to be: Known bad.
Malicious Activity Summary
Oski
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-04-20 02:10
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-20 02:10
Reported
2022-04-20 02:13
Platform
win7-20220414-en
Max time kernel
138s
Max time network
153s
Command Line
Signatures
Oski
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1964 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe
"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"
C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe
"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 80.89.230.198:80 | | tcp |
Files
memory/1964-54-0x0000000001390000-0x000000000141E000-memory.dmp
memory/1964-55-0x0000000000290000-0x00000000002DE000-memory.dmp
memory/1964-56-0x00000000002E0000-0x00000000002FC000-memory.dmp
memory/1944-57-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-58-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-60-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-62-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-64-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-67-0x000000000040717B-mapping.dmp
memory/1944-66-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-69-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1944-70-0x00000000756E1000-0x00000000756E3000-memory.dmp
memory/1944-71-0x0000000000400000-0x0000000000438000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-20 02:10
Reported
2022-04-20 02:13
Platform
win10v2004-20220414-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Oski
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4248 set thread context of 5028 | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe
"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"
C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe
"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"
C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe
"C:\Users\Admin\AppData\Local\Temp\75fb1862a9e86d1c8d00c49d9c9de761b1f2f108982780cdafc4c80f06a6bc5c.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 13.69.116.104:443 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| NL | 80.89.230.198:80 | | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
Files
memory/4248-130-0x0000000000800000-0x000000000088E000-memory.dmp
memory/3396-131-0x0000000000000000-mapping.dmp
memory/5028-132-0x0000000000000000-mapping.dmp
memory/5028-133-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5028-134-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5028-135-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5028-136-0x0000000000400000-0x0000000000438000-memory.dmp