Malware Analysis Report

2024-10-18 21:03

Sample ID 231222-c1x55sade5
Target 537dafbf2acf47786823913fcb138634
SHA256 3a7ddba50c414ef70d1796f1e3eef20b1684811f03a0c400d5388a0079ef4ce5
Tags
oski infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a7ddba50c414ef70d1796f1e3eef20b1684811f03a0c400d5388a0079ef4ce5

Threat Level: Known bad

The file 537dafbf2acf47786823913fcb138634 was found to be: Known bad.

Malicious Activity Summary

oski infostealer

Oski

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-22 02:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 02:33

Reported

2023-12-23 05:47

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\537dafbf2acf47786823913fcb138634.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\537dafbf2acf47786823913fcb138634.ps1

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 02:33

Reported

2023-12-23 05:47

Platform

win10v2004-20231215-en

Max time kernel

2s

Max time network

151s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\537dafbf2acf47786823913fcb138634.ps1

Signatures

Oski

infostealer oski

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3292 set thread context of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3292 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\537dafbf2acf47786823913fcb138634.ps1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

#cmd

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4200 -ip 4200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 1120

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5bdlv4md.p1k.ps1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
