Malware Analysis Report

2024-09-22 21:46

Sample ID 240116-frlmjaddhq
Target 5f0969cdd00801051ff7f2afd2343ff3
SHA256 43460a1724b2521dd5e97c68c16edfce9caf22d49452efd956a64db91b5935a7
Tags
oski infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

43460a1724b2521dd5e97c68c16edfce9caf22d49452efd956a64db91b5935a7

Threat Level: Known bad

The file 5f0969cdd00801051ff7f2afd2343ff3 was found to be: Known bad.

Malicious Activity Summary

oski infostealer spyware stealer

Oski

Reads user/profile data of web browsers

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-16 05:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-16 05:06

Reported

2024-01-16 05:09

Platform

win7-20231215-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe"

Signatures

Oski

infostealer oski

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2880 set thread context of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 2880 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2880 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | 4
PID 2880 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | 10
PID 3044 wrote to memory of 1860 | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | C:\Windows\SysWOW64\WerFault.exe | 4
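
The WriteProcessMemory and SetThreadContext entries above describe one sequence: PID 2880 writes ten times into PID 3044, a second copy of its own image, then replaces 3044's thread context. Together with the memory dumps of 3044 starting at 0x400000, the default image base, this is the pattern of process hollowing (RunPE): a suspended child is started, its image is overwritten with the payload, and the entry point is redirected with SetThreadContext. The writes into schtasks.exe and WerFault.exe have ordinary explanations (process creation and crash reporting) and should not be flagged on their own. The script below is an added example, not part of the Triage report or the Oski sample; it encodes that distinction as a rule over rows in the report's own format. The sample rows are constructed from this run, with the SetThreadContext event placed after the writes into 3044 (the report prints it in a separate table, so the exact interleaving is an assumption).

```python
import re

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")

SELF = r"C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed sample built from the behavioral1 rows: (description, process, target).
# Assumption: the SetThreadContext event follows the writes into PID 3044, the order
# the hollowing technique requires (the report lists it in its own table).
SAMPLE_ROWS = (
    [("PID 2880 wrote to memory of 2592", SELF, SCHTASKS)] * 4
    + [("PID 2880 wrote to memory of 2940", SELF, SELF)] * 4
    + [("PID 2880 wrote to memory of 3044", SELF, SELF)] * 10
    + [("PID 2880 set thread context of 3044", SELF, SELF)]
    + [("PID 3044 wrote to memory of 1860", SELF, WERFAULT)] * 4
)


def parse_events(rows):
    """Turn (description, process, target) rows into event dicts; other rows are skipped."""
    events = []
    for desc, proc, target in rows:
        for kind, rx in (("write", WRITE_RE), ("setctx", CTX_RE)):
            m = rx.match(desc)
            if m:
                events.append({"kind": kind, "src": int(m.group(1)), "dst": int(m.group(2)),
                               "src_image": proc, "dst_image": target})
                break
    return events


def write_counts(events):
    """Number of WriteProcessMemory events per (writer, target) PID pair."""
    counts = {}
    for e in events:
        if e["kind"] == "write":
            key = (e["src"], e["dst"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def find_hollowing(events):
    """Flag (parent, child) pairs where the parent wrote into a child running the
    same image and afterwards replaced that child's thread context.  Writes alone
    are not enough: writes into schtasks.exe or WerFault.exe are explained by
    CreateProcess and crash reporting without any injection."""
    written = set()
    findings = []
    for e in events:
        key = (e["src"], e["dst"])
        if e["kind"] == "write":
            written.add(key)
        elif (e["kind"] == "setctx" and key in written
              and e["src_image"] == e["dst_image"] and key not in findings):
            findings.append(key)
    return findings


def report(rows):
    """One line per writer/target pair, tagged with the verdict."""
    events = parse_events(rows)
    hits = find_hollowing(events)
    lines = []
    for (src, dst), n in sorted(write_counts(events).items()):
        tag = "HOLLOWING-CANDIDATE" if (src, dst) in hits else "write-only"
        lines.append(f"{src} -> {dst}: {n} write(s) [{tag}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROWS)))
```

Note that 2940, the other re-launched copy, receives four writes but never a thread-context change, so the rule leaves it as write-only; in an EDR pipeline the same rule would run over Sysmon or ETW process-access events instead of report rows, and the next thing to collect from the flagged child is the 0x400000-0x438000 region, which is where the unpacked Oski payload would sit.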

Processes

PIDs are taken from the WriteProcessMemory, SetThreadContext and WerFault entries above: 2880 is the submitted sample, 2592 is schtasks.exe, 2940 and 3044 are two re-launched copies of the sample's own image, and 1860 is WerFault.exe handling the crash of 3044. The schtasks.exe image path is under C:\Windows\SysWOW64 although the command line names System32: the 32-bit parent is subject to WoW64 file-system redirection.

C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe (PID 2880)
"C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe"

C:\Windows\SysWOW64\schtasks.exe (PID 2592)
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vTKyEeK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1BEA.tmp"

C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe (re-launched copy)
"C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe"

C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe (re-launched copy)
"C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe"

C:\Windows\SysWOW64\WerFault.exe (PID 1860)
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 112

Network

N/A

Files

memory/2880-0-0x0000000001340000-0x000000000140A000-memory.dmp

memory/2880-1-0x00000000747D0000-0x0000000074EBE000-memory.dmp

memory/2880-2-0x0000000000B30000-0x0000000000BC0000-memory.dmp

memory/2880-3-0x0000000001260000-0x00000000012A0000-memory.dmp

memory/2880-4-0x00000000003F0000-0x0000000000406000-memory.dmp

memory/2880-5-0x00000000747D0000-0x0000000074EBE000-memory.dmp

memory/2880-6-0x0000000001260000-0x00000000012A0000-memory.dmp

memory/2880-7-0x000000000D270000-0x000000000D30C000-memory.dmp

memory/2880-8-0x0000000000AA0000-0x0000000000AD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1BEA.tmp

MD5 e770a473ca84fe3e9e922c7225948c42
SHA1 161a556c636e4073fcde9e75df3a0100441597e3
SHA256 a3547a65c1d5f47e841c514c438cfc33ce6ce70468810fc35490205a7acbcfa3
SHA512 f3b33ac3b69eb229bcf4f325f01c1ec6ea3526beea4fe3e15c305b05571146114ab851f8f91f56668429f35d0e9e889f8af06223e1fb47a744171324ddfe7ef5

memory/3044-14-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3044-16-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3044-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3044-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3044-25-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3044-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3044-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3044-27-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2880-28-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-16 05:06

Reported

2024-01-16 05:08

Platform

win10v2004-20231222-en

Max time kernel

137s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe"

Signatures

Oski

infostealer oski

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1708 set thread context of 232 | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 1708 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 1708 wrote to memory of 232 | N/A | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe | 9

Processes

PIDs are taken from the WriteProcessMemory, SetThreadContext and WerFault entries above: 1708 is the submitted sample, 2204 is schtasks.exe, 232 is the re-launched copy of the sample's own image into which 1708 writes and whose thread context it replaces, and both WerFault.exe instances handle the crash of 232. As in the Windows 7 run, schtasks.exe executes from C:\Windows\SysWOW64 although the command line names System32, because the 32-bit parent is subject to WoW64 file-system redirection.

C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe (PID 1708)
"C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe"

C:\Windows\SysWOW64\schtasks.exe (PID 2204)
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vTKyEeK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp270B.tmp"

C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe (PID 232)
"C:\Users\Admin\AppData\Local\Temp\5f0969cdd00801051ff7f2afd2343ff3.exe"

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 232 -ip 232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 1300
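
Both runs establish persistence the same way: the sample writes a task definition to a .tmp file in its own %TEMP% directory and registers it with schtasks /Create /TN "Updates\vTKyEeK" /XML. The report keeps only the hashes of the two XML files, so the trigger and action inside them are unknown here; what is recoverable from the command lines alone is the task name, the XML path and the fact that a task definition is being loaded from a user temp directory, which is reason enough to hunt. The script below is an added example, not part of the Triage report or the Oski sample: it parses schtasks command lines as they would appear in Sysmon event 1 or Windows event 4688 and applies that rule. The two sample command lines are taken from this report; the two benign lines are constructed so the rule has something to leave alone, and the temp-directory pattern is an assumption for this example.

```python
import re

# Constructed sample: the two schtasks.exe command lines recorded in behavioral1 and
# behavioral2, plus two constructed benign lines.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vTKyEeK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1BEA.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vTKyEeK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp270B.tmp"',
    r'"C:\Windows\System32\schtasks.exe" /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
    r'schtasks /Create /SC DAILY /TN "Backup\Nightly" /TR "C:\Program Files\Backup\run.exe"',
]

# Assumption for this example: task XML loaded from a per-user temp directory is suspicious.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def split_windows_cmdline(cmdline):
    """Split on whitespace while honouring double quotes.  Backslashes are literal,
    unlike shlex.split, because Windows paths use them."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in tokens]


def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks.exe invocation, or None for other binaries.
    Switches without a value (e.g. /Create) map to True."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens:
        return None
    exe = tokens[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    switches = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[tok.upper()] = tokens[i + 1]
                i += 2
            else:
                switches[tok.upper()] = True
                i += 1
        else:
            i += 1
    return switches


def assess(cmdline):
    """Return a finding for schtasks /Create lines, None otherwise."""
    sw = parse_schtasks(cmdline)
    if sw is None or "/CREATE" not in sw:
        return None
    task = sw.get("/TN")
    xml = sw.get("/XML")
    reasons = []
    if isinstance(xml, str):
        if TEMP_DIR_RE.search(xml):
            reasons.append("task definition loaded from a user temp directory")
        if xml.lower().endswith(".tmp"):
            reasons.append("task XML has a .tmp name")
    return {"task": task, "xml": xml, "action": sw.get("/TR"),
            "suspicious": bool(reasons), "reasons": reasons}


def triage(cmdlines):
    """Findings for every schtasks /Create line, in input order."""
    return [f for f in (assess(c) for c in cmdlines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f'{flag:10} task={f["task"]!r} xml={f["xml"]!r} {"; ".join(f["reasons"])}')
```

On a live host the registered definition survives the deleted .tmp file, so the follow-up is schtasks /Query /TN "Updates\vTKyEeK" /XML to recover the trigger and the executable it launches; the .tmp hashes in the Files sections (SHA256 a3547a65... and 27462574...) are the pivot for finding the same definition in other detonations.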

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tunqyuindia.com udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
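
Most of this table is not the sample's own traffic: the in-addr.arpa rows are reverse lookups of addresses in Microsoft ranges and the tse1.mm.bing.net rows are Windows 10 background activity. What remains is one forward lookup of tunqyuindia.com, for which no TCP connection is recorded, and one TCP connection to 20.231.121.79:80 with no domain attached. The script below is an added example, not part of the Triage report: it parses rows in the report's layout (the Domain column is absent on some rows), discards PTR noise and an analyst-maintained allowlist of background domains, and leaves the candidates to pivot on. The row subset is constructed from this run and the allowlist is an assumption for this example.

```python
import re

# Constructed sample: a subset of the behavioral2 Network rows, one per line as printed.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 tunqyuindia.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumption for this example: domains an analyst treats as OS background traffic.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windows.com")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; Domain is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(name):
    """Address a PTR query name refers to, or None if the name is not a PTR query."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def classify(row):
    domain = row["domain"]
    if row["port"] == 53 and ptr_target(domain):
        return "ptr-noise"
    if domain and domain.lower().endswith(BACKGROUND_SUFFIXES):
        return "os-background"
    if row["port"] == 53:
        return "dns-candidate"
    if domain is None:
        return "ip-only-candidate"
    return "other"


def candidates(text):
    """Unique (indicator, kind) pairs worth pivoting on, in first-seen order."""
    found = []
    for row in parse_rows(text):
        kind = classify(row)
        if kind.endswith("candidate"):
            indicator = row["domain"] or f'{row["ip"]}:{row["port"]}'
            if (indicator, kind) not in found:
                found.append((indicator, kind))
    return found


if __name__ == "__main__":
    for indicator, kind in candidates(SAMPLE_NETWORK):
        print(f"{kind:20} {indicator}")
```

A lookup with no matching connection usually means the name did not resolve in the sandbox, so tunqyuindia.com should be checked in passive DNS and historical resolutions rather than dismissed; the bare 20.231.121.79:80 connection needs the HTTP content before it can be tied to the sample, since an address with no SNI or Host name is as likely to be Windows telemetry as C2.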

Files

memory/1708-1-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/1708-0-0x0000000000D60000-0x0000000000E2A000-memory.dmp

memory/1708-3-0x0000000009D10000-0x0000000009DAC000-memory.dmp

memory/1708-2-0x00000000058C0000-0x0000000005950000-memory.dmp

memory/1708-4-0x000000000A360000-0x000000000A904000-memory.dmp

memory/1708-5-0x0000000005A30000-0x0000000005AC2000-memory.dmp

memory/1708-6-0x0000000005980000-0x0000000005990000-memory.dmp

memory/1708-8-0x0000000005BC0000-0x0000000005C16000-memory.dmp

memory/1708-7-0x0000000005960000-0x000000000596A000-memory.dmp

memory/1708-9-0x0000000007050000-0x0000000007066000-memory.dmp

memory/1708-10-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/1708-11-0x0000000005980000-0x0000000005990000-memory.dmp

memory/1708-12-0x0000000007070000-0x000000000710C000-memory.dmp

memory/1708-13-0x00000000069D0000-0x0000000006A08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp270B.tmp

MD5 508cf3d7b010c06348cdad05f3c77034
SHA1 c32c9d7209ca4413623ddf7ee46e29c01927aef8
SHA256 27462574074d4b63c57e7cd300b7f8403ba1166d9ef4037153cb1f4eca142624
SHA512 5cbb9eddb7e51f65e4874377ba8cd87cabcc86884a8ba0a82b46bd6cbfa7237d7abae96f729abb934cbef73d9cf8640d1923d2445e8530e6c6325c326e7ecb43

memory/232-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/232-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1708-23-0x0000000074A50000-0x0000000075200000-memory.dmp

memory/232-22-0x0000000000400000-0x0000000000438000-memory.dmp

memory/232-24-0x0000000000400000-0x0000000000438000-memory.dmp

memory/232-27-0x0000000000400000-0x0000000000438000-memory.dmp