Malware Analysis Report

2024-09-22 21:51

Sample ID 240213-v4rrmsea2s
Target 99bbdbd8879083ba521c9198efabe4d9
SHA256 e32f29fd3d764d021e15bc4d9dfa6b5eadbe466cda03b27903863e03b49efdf1
Tags
oski infostealer spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

e32f29fd3d764d021e15bc4d9dfa6b5eadbe466cda03b27903863e03b49efdf1

Threat Level: Known bad

The file 99bbdbd8879083ba521c9198efabe4d9 was found to be: Known bad.

Malicious Activity Summary

oski infostealer spyware stealer

Oski

Reads user/profile data of web browsers

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-13 17:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-13 17:32

Reported

2024-02-13 17:35

Platform

win7-20231215-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe"

Signatures

Oski

infostealer oski

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1520 set thread context of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1520 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1520 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1520 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1520 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1520 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 1520 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 1520 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 1520 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 1520 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 1520 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 1520 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 1520 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 1520 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 1520 wrote to memory of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 2780 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2780 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2780 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2780 wrote to memory of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe

"C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JrkCUVwC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp274F.tmp"

C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe

"C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 756

Network

Country | Destination | Domain | Proto
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp

Files

memory/1520-0-0x00000000011F0000-0x00000000012C2000-memory.dmp

memory/1520-1-0x00000000741B0000-0x000000007489E000-memory.dmp

memory/1520-2-0x00000000011B0000-0x00000000011F0000-memory.dmp

memory/1520-3-0x0000000000650000-0x000000000066A000-memory.dmp

memory/1520-4-0x00000000741B0000-0x000000007489E000-memory.dmp

memory/1520-5-0x00000000011B0000-0x00000000011F0000-memory.dmp

memory/1520-6-0x0000000005980000-0x0000000005A22000-memory.dmp

memory/1520-7-0x0000000000A20000-0x0000000000A58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp274F.tmp

MD5 40775a025ceb5429e0508864c2ec6652
SHA1 e8220cc25b1562d16d4c1ee3407dc7dccc3c3470
SHA256 72f008d8981f3e057309fddb1a52a08791727d56cfbfde9a9044fd1a02567d6d
SHA512 7600a5cdcd23e388d8b44f691bd5a7f695591efa5a32efee1cdd08b39a5bb682cc57be7b63f3cc09a1264113a6e63f4dba7a13443ca049dd68bce5718038b604

memory/2780-13-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2780-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2780-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2780-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2780-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2780-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2780-25-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1520-28-0x00000000741B0000-0x000000007489E000-memory.dmp

memory/2780-27-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2780-29-0x0000000000400000-0x0000000000438000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-13 17:32

Reported

2024-02-13 17:35

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe"

Signatures

Oski

infostealer oski

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3988 set thread context of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3988 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3988 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3988 wrote to memory of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3988 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 3988 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 3988 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 3988 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 3988 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 3988 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 3988 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 3988 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
PID 3988 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe

Processes

C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe

"C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JrkCUVwC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp"

C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe

"C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1292 -ip 1292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1292

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
VN | 103.199.16.91:80 | N/A | tcp
US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp

Files

memory/3988-0-0x0000000074490000-0x0000000074C40000-memory.dmp

memory/3988-1-0x0000000000830000-0x0000000000902000-memory.dmp

memory/3988-2-0x0000000005890000-0x0000000005E34000-memory.dmp

memory/3988-3-0x0000000005380000-0x0000000005412000-memory.dmp

memory/3988-4-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/3988-5-0x0000000005320000-0x000000000532A000-memory.dmp

memory/3988-6-0x0000000007CB0000-0x0000000007D4C000-memory.dmp

memory/3988-7-0x0000000005720000-0x000000000573A000-memory.dmp

memory/3988-8-0x0000000074490000-0x0000000074C40000-memory.dmp

memory/3988-9-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/3988-10-0x0000000008100000-0x00000000081A2000-memory.dmp

memory/3988-11-0x0000000007EC0000-0x0000000007EF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp

MD5 759ce9a2d9aa248a19ce521c8ac27499
SHA1 5c2a1032239b50358feef84dd8b4699419e29a41
SHA256 49e812b1f30db872c0f12a32870489434b02419aff3be9a1adf04e7ce873c348
SHA512 3c49f7fc788680439a7d0e1490d615c9c8299001244122d7a8e134e9b9257ea25b961e467cdee4d764c54a76046cd4f94ea7cf2e2ee494a86ef888e650045d7c

memory/1292-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1292-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1292-20-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1292-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3988-22-0x0000000074490000-0x0000000074C40000-memory.dmp

memory/1292-23-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1292-26-0x0000000000400000-0x0000000000438000-memory.dmp