Malware Analysis Report

2025-01-03 04:58

Sample ID: 220420-cm2w6sdbgm
Target: c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53
SHA256: c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53
Tags: oski infostealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53

Threat Level: Known bad

The file c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53 was found to be: Known bad.

Malicious Activity Summary

oski infostealer

Oski

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-04-20 02:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-04-20 02:12
Reported: 2022-04-20 02:16
Platform: win7-20220414-en
Max time kernel: 150s
Max time network: 176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe"

Signatures

Oski

infostealer oski

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1784 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 1784 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 1784 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 1784 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 1784 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 1784 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 1784 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 1784 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 1784 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 1784 wrote to memory of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe

"C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe"

C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe

"C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe"

Network

Country | Destination | Domain | Proto
NL | 80.89.230.198:80 | | tcp
NL | 80.89.230.198:80 | | tcp
NL | 80.89.230.198:80 | | tcp
NL | 80.89.230.198:80 | | tcp
NL | 80.89.230.198:80 | | tcp

Files

memory/1784-54-0x0000000001030000-0x0000000001148000-memory.dmp
memory/1784-55-0x00000000009F0000-0x0000000000A00000-memory.dmp
memory/1784-56-0x0000000005020000-0x0000000005088000-memory.dmp
memory/1784-57-0x0000000000D90000-0x0000000000DCA000-memory.dmp
memory/948-59-0x0000000000400000-0x0000000000438000-memory.dmp
memory/948-58-0x0000000000400000-0x0000000000438000-memory.dmp
memory/948-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/948-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/948-65-0x0000000000400000-0x0000000000438000-memory.dmp
memory/948-67-0x0000000000400000-0x0000000000438000-memory.dmp
memory/948-68-0x000000000040717B-mapping.dmp
memory/948-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/948-71-0x00000000755A1000-0x00000000755A3000-memory.dmp
memory/948-72-0x0000000000400000-0x0000000000438000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-04-20 02:12
Reported: 2022-04-20 02:16
Platform: win10v2004-20220414-en
Max time kernel: 152s
Max time network: 174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe"

Signatures

Oski

infostealer oski

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3164 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe
PID 3164 wrote to memory of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe | C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe

"C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe"

C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe

"C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe"

C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe

"C:\Users\Admin\AppData\Local\Temp\c35017a11527be5a9c1829d3aa6b97959793d3f594af7d19655f71dc41b33e53.exe"

Network

Country | Destination | Domain | Proto
US | 8.248.21.254:80 | | tcp
US | 8.248.21.254:80 | | tcp
IE | 13.69.239.72:443 | | tcp
US | 8.248.21.254:80 | | tcp
US | 8.248.21.254:80 | | tcp
US | 8.248.21.254:80 | | tcp
NL | 80.89.230.198:80 | | tcp
US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp
NL | 80.89.230.198:80 | | tcp
NL | 80.89.230.198:80 | | tcp
NL | 104.110.191.140:80 | | tcp
NL | 80.89.230.198:80 | | tcp
NL | 80.89.230.198:80 | | tcp

Files

memory/3164-130-0x0000000000FD0000-0x00000000010E8000-memory.dmp
memory/3164-131-0x0000000005930000-0x00000000059CC000-memory.dmp
memory/3164-132-0x0000000005F80000-0x0000000006524000-memory.dmp
memory/3164-133-0x0000000005A70000-0x0000000005B02000-memory.dmp
memory/3164-134-0x00000000059F0000-0x00000000059FA000-memory.dmp
memory/3164-135-0x0000000005C00000-0x0000000005C56000-memory.dmp
memory/2124-136-0x0000000000000000-mapping.dmp
memory/908-137-0x0000000000000000-mapping.dmp
memory/908-138-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-139-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-140-0x0000000000400000-0x0000000000438000-memory.dmp
memory/908-141-0x0000000000400000-0x0000000000438000-memory.dmp