Malware Analysis Report

2025-01-03 04:55

Sample ID 220422-tf7yaaaagl
Target Inquirypdf.exe
SHA256 6107e3ec5898ce2f80b04ee16b3a41107a0733339cded01cf8c5ade5fc105472
Tags: oski infostealer spyware stealer suricata
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

6107e3ec5898ce2f80b04ee16b3a41107a0733339cded01cf8c5ade5fc105472

Threat Level: Known bad

The file Inquirypdf.exe was found to be: Known bad.

Malicious Activity Summary

oski infostealer spyware stealer suricata

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

Oski

Reads user/profile data of web browsers

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported

2022-04-22 16:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-22 16:01

Reported

2022-04-22 16:03

Platform

win7-20220414-en

Max time kernel

42s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe"

Signatures

Oski

infostealer oski

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

suricata

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1052 set thread context of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1052 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1052 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1052 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1052 wrote to memory of 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1052 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 1052 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2008 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2008 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2008 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2008 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

"C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qKWjSCtpVFd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65E5.tmp"

C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 752

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ndy.cloudbot.top | udp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp

Files

memory/1052-54-0x00000000013A0000-0x0000000001448000-memory.dmp

memory/1052-55-0x0000000000210000-0x000000000021A000-memory.dmp

memory/1052-56-0x00000000050E0000-0x0000000005166000-memory.dmp

memory/1052-57-0x0000000000520000-0x0000000000558000-memory.dmp

memory/1204-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp65E5.tmp

MD5 4034b1ce592f070c5cf24b0d09dbd215
SHA1 3e3bee38a0f488ddacd6eee78eaaef550fefdf7c
SHA256 d32e8e1d6d1f4f00b14f7072580dbecb9c8656da5bceb0ef0a00973e0ca8a637
SHA512 029534c3ac36da68e7f42166c6f9a4b2f87c7aeeebf72ecaf0279313bfb4c7738d367ae4d605b6000b867b367a114edd85d0dd182bf2b62214c43d8306a0d369

memory/2008-60-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2008-61-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2008-63-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2008-65-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2008-67-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2008-69-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2008-70-0x000000000040717B-mapping.dmp

memory/2008-72-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2008-73-0x0000000076C81000-0x0000000076C83000-memory.dmp

memory/2008-74-0x0000000000400000-0x0000000000438000-memory.dmp

memory/884-75-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-22 16:01

Reported

2022-04-22 16:03

Platform

win10v2004-20220414-en

Max time kernel

77s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe"

Signatures

Oski

infostealer oski

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

suricata

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2308 set thread context of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2308 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 4428 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe
PID 2308 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe | C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

"C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qKWjSCtpVFd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2480.tmp"

C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\Inquirypdf.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1344

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ndy.cloudbot.top | udp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
GB | 51.132.193.105:443 | N/A | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 23.94.30.18:80 | ndy.cloudbot.top | tcp
US | 93.184.220.29:80 | N/A | tcp
US | 8.253.208.112:80 | N/A | tcp
US | 8.253.208.112:80 | N/A | tcp
US | 8.253.208.112:80 | N/A | tcp
FR | 2.18.109.224:443 | N/A | tcp
US | 104.18.24.243:80 | N/A | tcp

Files

memory/2308-130-0x0000000000A50000-0x0000000000AF8000-memory.dmp

memory/2308-131-0x0000000005B00000-0x00000000060A4000-memory.dmp

memory/2308-132-0x00000000054A0000-0x0000000005532000-memory.dmp

memory/2308-133-0x00000000055F0000-0x000000000568C000-memory.dmp

memory/2308-134-0x0000000005490000-0x000000000549A000-memory.dmp

memory/4428-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2480.tmp

MD5 ae9bc593c4ab1702bff222121a04d7c0
SHA1 35d07c06b0cf06ac38d079793c7dec6a3d7379cc
SHA256 f5ad32c956ef011b0a5493b7f71b78754f8c40ba3361178eaf4d6026d52f57df
SHA512 9c8adb05c665d3d235fbd0fd8eeead1520555471e4c047ecb831355f7c59182bd18f050d198878709af5fe04657d5c888fa106cfaeddd5b28f02c9ac206d5baf

memory/5052-137-0x0000000000000000-mapping.dmp

memory/2444-138-0x0000000000000000-mapping.dmp

memory/2380-139-0x0000000000000000-mapping.dmp

memory/2380-140-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2380-141-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2380-142-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2380-143-0x0000000000400000-0x0000000000438000-memory.dmp