Analysis Overview
SHA256
06c8a1e6544aede327bad32a5732d5bcfff143da73da01d34938efbe917e3289
Threat Level: Known bad
The file 7f05dc92a62ddd277baaeb55ebcfa407 was found to be: Known bad.
Malicious Activity Summary
Oski
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-01-29 05:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-29 05:37
Reported
2024-01-29 05:39
Platform
win10v2004-20231222-en
Max time kernel
137s
Max time network
149s
Command Line
Signatures
Oski
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1732 set thread context of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
"C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe"
C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
"C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1856 -ip 1856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1308
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | kckark.xyz | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-29 05:37
Reported
2024-01-29 05:39
Platform
win7-20231215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Oski
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3068 set thread context of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
"C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe"
C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
"C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 772
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | kckark.xyz | udp |
Files