Malware Analysis Report

2024-09-22 21:50

Sample ID: 240129-ga56aacfer
Target: 7f05dc92a62ddd277baaeb55ebcfa407
SHA256: 06c8a1e6544aede327bad32a5732d5bcfff143da73da01d34938efbe917e3289
Tags: oski infostealer spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 06c8a1e6544aede327bad32a5732d5bcfff143da73da01d34938efbe917e3289

Threat Level: Known bad

The file 7f05dc92a62ddd277baaeb55ebcfa407 was found to be: Known bad.

Malicious Activity Summary

oski infostealer spyware stealer

Oski

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-01-29 05:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-29 05:37
Reported: 2024-01-29 05:39
Platform: win10v2004-20231222-en
Max time kernel: 137s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe"

Signatures

Oski

infostealer oski

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1732 set thread context of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1732 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 1732 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 1732 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 1732 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 1732 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 1732 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 1732 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 1732 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 1732 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
    "C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe"

C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
    "C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1856 -ip 1856

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1308

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | kckark.xyz | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

memory/1732-0-0x0000000000E00000-0x0000000000EE2000-memory.dmp
memory/1732-1-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/1732-2-0x0000000005800000-0x000000000589C000-memory.dmp
memory/1732-3-0x0000000005E50000-0x00000000063F4000-memory.dmp
memory/1732-4-0x00000000058A0000-0x0000000005932000-memory.dmp
memory/1732-5-0x0000000005A80000-0x0000000005A90000-memory.dmp
memory/1732-6-0x0000000005790000-0x000000000579A000-memory.dmp
memory/1732-7-0x00000000059A0000-0x00000000059F6000-memory.dmp
memory/1732-8-0x0000000006DF0000-0x0000000006E06000-memory.dmp
memory/1732-9-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/1732-10-0x0000000005A80000-0x0000000005A90000-memory.dmp
memory/1732-11-0x0000000007370000-0x000000000740E000-memory.dmp
memory/1732-12-0x000000000AD70000-0x000000000ADA8000-memory.dmp
memory/1856-13-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1856-14-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1856-16-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1856-17-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1732-18-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/1856-21-0x0000000000400000-0x0000000000438000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-29 05:37
Reported: 2024-01-29 05:39
Platform: win7-20231215-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe"

Signatures

Oski

infostealer oski

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3068 set thread context of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3068 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 3068 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 3068 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 3068 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 3068 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 3068 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 3068 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 3068 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 3068 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 3068 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
PID 868 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Windows\SysWOW64\WerFault.exe
PID 868 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Windows\SysWOW64\WerFault.exe
PID 868 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Windows\SysWOW64\WerFault.exe
PID 868 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
    "C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe"

C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe
    "C:\Users\Admin\AppData\Local\Temp\7f05dc92a62ddd277baaeb55ebcfa407.exe"

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 772

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | kckark.xyz | udp

Files

memory/3068-0-0x0000000000200000-0x00000000002E2000-memory.dmp
memory/3068-1-0x0000000073EC0000-0x00000000745AE000-memory.dmp
memory/3068-2-0x0000000004900000-0x0000000004940000-memory.dmp
memory/3068-3-0x0000000000630000-0x0000000000646000-memory.dmp
memory/3068-4-0x0000000073EC0000-0x00000000745AE000-memory.dmp
memory/3068-5-0x0000000004900000-0x0000000004940000-memory.dmp
memory/3068-6-0x0000000005E80000-0x0000000005F1E000-memory.dmp
memory/3068-7-0x0000000000810000-0x0000000000848000-memory.dmp
memory/868-8-0x0000000000400000-0x0000000000438000-memory.dmp
memory/868-9-0x0000000000400000-0x0000000000438000-memory.dmp
memory/868-10-0x0000000000400000-0x0000000000438000-memory.dmp
memory/868-11-0x0000000000400000-0x0000000000438000-memory.dmp
memory/868-12-0x0000000000400000-0x0000000000438000-memory.dmp
memory/868-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/868-17-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3068-18-0x0000000073EC0000-0x00000000745AE000-memory.dmp
memory/868-19-0x0000000000400000-0x0000000000438000-memory.dmp
memory/868-15-0x0000000000400000-0x0000000000438000-memory.dmp
memory/868-21-0x0000000000400000-0x0000000000438000-memory.dmp