Analysis Overview
SHA256
6107e3ec5898ce2f80b04ee16b3a41107a0733339cded01cf8c5ade5fc105472
Threat Level: Known bad
The file Inquirypdf.exe was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Oski
Reads user/profile data of web browsers
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-22 16:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-22 16:01
Reported
2022-04-22 16:03
Platform
win7-20220414-en
Max time kernel
42s
Max time network
45s
Command Line
Signatures
Oski
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1052 set thread context of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
"C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qKWjSCtpVFd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65E5.tmp"
C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 752
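The process list above is the chain a triage script should key on: the first Inquirypdf.exe registers a scheduled task from an XML file in the user's Temp directory, starts a second copy of itself and rewrites that copy's thread context (the "PID 1052 set thread context of 2008" signature, together with WriteProcessMemory), and the hollowed child later crashes under WerFault.exe. The following Python is an added example, not code from the sandbox report or from the sample; it encodes those three checks over a process tree constructed from this run. The PIDs 1052 and 2008 and the WerFault arguments are from the report; the parent/child links and the PIDs 1204 (schtasks.exe) and 884 (WerFault.exe) are assumptions based on the memory dump names. The same logic applies unchanged to the behavioral2 run (PIDs 2308/2380, tmp2480.tmp).

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None


# Sample process tree, constructed from the behavioral1 run above.
# Parent links and the PIDs of schtasks.exe / WerFault.exe are assumptions.
SAMPLE_PROCS = [
    Proc(1052, r"C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe"'),
    Proc(1204, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qKWjSCtpVFd" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp65E5.tmp"', parent=1052),
    Proc(2008, r"C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe"', parent=1052),
    Proc(884, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 752", parent=2008),
]

# (source_pid, target_pid) thread-context rewrites; this pair is from the report.
SAMPLE_SET_THREAD_CONTEXT = [(1052, 2008)]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# '/Switch', optionally followed by a quoted or bare value; a following '/...' is a new switch.
SWITCH_RE = re.compile(r'/(?P<key>\w+)(?:\s+"(?P<quoted>[^"]*)"|\s+(?P<bare>[^/\s]\S*))?')
WERFAULT_PID_RE = re.compile(r"\s-p\s+(\d+)")


def parse_switches(cmdline: str) -> dict:
    """Return {switch_lowercase: value_or_None} for schtasks-style command lines."""
    out = {}
    for m in SWITCH_RE.finditer(cmdline):
        val = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        out[m.group("key").lower()] = val
    return out


def scheduled_task_from_temp(p: Proc):
    """Flag 'schtasks /Create ... /XML <file>' whose task definition lives in the
    user's Temp directory. Returns (task_name, xml_path) or None."""
    if not p.image.lower().endswith("\\schtasks.exe"):
        return None
    sw = parse_switches(p.cmdline)
    if "create" not in sw:
        return None
    xml = sw.get("xml")
    if not xml or not TEMP_RE.search(xml):
        return None
    return sw.get("tn"), xml


def self_hollow_pairs(procs, thread_ctx_events):
    """(src, dst) pairs where a process rewrote the thread context of its own child
    running the same image: the parent spawned a copy of itself (suspended) and
    replaced its code before resuming it, i.e. self-hollowing."""
    by_pid = {p.pid: p for p in procs}
    pairs = []
    for src, dst in thread_ctx_events:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d.parent == src and s.image.lower() == d.image.lower():
            pairs.append((src, dst))
    return pairs


def crashed_pids(procs):
    """PIDs that WerFault.exe was started for ('-p <pid>' on its command line)."""
    out = set()
    for p in procs:
        if p.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(p.cmdline)
            if m:
                out.add(int(m.group(1)))
    return out


def triage(procs, thread_ctx_events):
    """Combine the three checks into a list of tagged findings."""
    findings = []
    for p in procs:
        hit = scheduled_task_from_temp(p)
        if hit:
            findings.append(("persistence.schtasks_xml_temp", p.pid, hit[0], hit[1]))
    hollow = self_hollow_pairs(procs, thread_ctx_events)
    crashed = crashed_pids(procs)
    for src, dst in hollow:
        findings.append(("injection.self_hollow", src, dst))
        if dst in crashed:
            # The injected payload died; treat as "payload unstable", not "benign".
            findings.append(("note.hollowed_child_crashed", dst))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCS, SAMPLE_SET_THREAD_CONTEXT):
        print(f)
```

A crash of the hollowed child is not evidence that the stealer never ran: the Suricata Vidar/Arkei/Oski POST match fires in both runs, so the child reached its C2 before WerFault took over. The task name under "Updates\" and the tmp*.tmp XML in Temp are the durable host artifacts to hunt for; the task XML itself is hashed under Files below.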
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ndy.cloudbot.top | udp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
Files
memory/1052-54-0x00000000013A0000-0x0000000001448000-memory.dmp
memory/1052-55-0x0000000000210000-0x000000000021A000-memory.dmp
memory/1052-56-0x00000000050E0000-0x0000000005166000-memory.dmp
memory/1052-57-0x0000000000520000-0x0000000000558000-memory.dmp
memory/1204-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp65E5.tmp
| MD5 | 4034b1ce592f070c5cf24b0d09dbd215 |
| SHA1 | 3e3bee38a0f488ddacd6eee78eaaef550fefdf7c |
| SHA256 | d32e8e1d6d1f4f00b14f7072580dbecb9c8656da5bceb0ef0a00973e0ca8a637 |
| SHA512 | 029534c3ac36da68e7f42166c6f9a4b2f87c7aeeebf72ecaf0279313bfb4c7738d367ae4d605b6000b867b367a114edd85d0dd182bf2b62214c43d8306a0d369 |
memory/2008-60-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2008-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2008-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2008-65-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2008-67-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2008-69-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2008-70-0x000000000040717B-mapping.dmp
memory/2008-72-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2008-73-0x0000000076C81000-0x0000000076C83000-memory.dmp
memory/2008-74-0x0000000000400000-0x0000000000438000-memory.dmp
memory/884-75-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-22 16:01
Reported
2022-04-22 16:03
Platform
win10v2004-20220414-en
Max time kernel
77s
Max time network
134s
Command Line
Signatures
Oski
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2308 set thread context of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
"C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qKWjSCtpVFd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2480.tmp"
C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1344
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ndy.cloudbot.top | udp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| GB | 51.132.193.105:443 | | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 23.94.30.18:80 | ndy.cloudbot.top | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.24.243:80 | | tcp |
Files
memory/2308-130-0x0000000000A50000-0x0000000000AF8000-memory.dmp
memory/2308-131-0x0000000005B00000-0x00000000060A4000-memory.dmp
memory/2308-132-0x00000000054A0000-0x0000000005532000-memory.dmp
memory/2308-133-0x00000000055F0000-0x000000000568C000-memory.dmp
memory/2308-134-0x0000000005490000-0x000000000549A000-memory.dmp
memory/4428-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2480.tmp
| MD5 | ae9bc593c4ab1702bff222121a04d7c0 |
| SHA1 | 35d07c06b0cf06ac38d079793c7dec6a3d7379cc |
| SHA256 | f5ad32c956ef011b0a5493b7f71b78754f8c40ba3361178eaf4d6026d52f57df |
| SHA512 | 9c8adb05c665d3d235fbd0fd8eeead1520555471e4c047ecb831355f7c59182bd18f050d198878709af5fe04657d5c888fa106cfaeddd5b28f02c9ac206d5baf |
memory/5052-137-0x0000000000000000-mapping.dmp
memory/2444-138-0x0000000000000000-mapping.dmp
memory/2380-139-0x0000000000000000-mapping.dmp
memory/2380-140-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2380-141-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2380-142-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2380-143-0x0000000000400000-0x0000000000438000-memory.dmp