Analysis Overview
SHA256
e32f29fd3d764d021e15bc4d9dfa6b5eadbe466cda03b27903863e03b49efdf1
Threat Level: Known bad
The file 99bbdbd8879083ba521c9198efabe4d9 was found to be: Known bad.
Malicious Activity Summary
Oski
Reads user/profile data of web browsers
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-02-13 17:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-13 17:32
Reported
2024-02-13 17:35
Platform
win7-20231215-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Oski
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1520 set thread context of 2780 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
"C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JrkCUVwC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp274F.tmp"
C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
"C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 756
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
Files
memory/1520-0-0x00000000011F0000-0x00000000012C2000-memory.dmp
memory/1520-1-0x00000000741B0000-0x000000007489E000-memory.dmp
memory/1520-2-0x00000000011B0000-0x00000000011F0000-memory.dmp
memory/1520-3-0x0000000000650000-0x000000000066A000-memory.dmp
memory/1520-4-0x00000000741B0000-0x000000007489E000-memory.dmp
memory/1520-5-0x00000000011B0000-0x00000000011F0000-memory.dmp
memory/1520-6-0x0000000005980000-0x0000000005A22000-memory.dmp
memory/1520-7-0x0000000000A20000-0x0000000000A58000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp274F.tmp
| Hash | Value |
|---|---|
| MD5 | 40775a025ceb5429e0508864c2ec6652 |
| SHA1 | e8220cc25b1562d16d4c1ee3407dc7dccc3c3470 |
| SHA256 | 72f008d8981f3e057309fddb1a52a08791727d56cfbfde9a9044fd1a02567d6d |
| SHA512 | 7600a5cdcd23e388d8b44f691bd5a7f695591efa5a32efee1cdd08b39a5bb682cc57be7b63f3cc09a1264113a6e63f4dba7a13443ca049dd68bce5718038b604 |
memory/2780-13-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2780-15-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2780-17-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2780-19-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2780-21-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2780-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2780-25-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1520-28-0x00000000741B0000-0x000000007489E000-memory.dmp
memory/2780-27-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2780-29-0x0000000000400000-0x0000000000438000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-13 17:32
Reported
2024-02-13 17:35
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Oski
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3988 set thread context of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
"C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JrkCUVwC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp"
C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe
"C:\Users\Admin\AppData\Local\Temp\99bbdbd8879083ba521c9198efabe4d9.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1292 -ip 1292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1292
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| VN | 103.199.16.91:80 | | tcp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/3988-0-0x0000000074490000-0x0000000074C40000-memory.dmp
memory/3988-1-0x0000000000830000-0x0000000000902000-memory.dmp
memory/3988-2-0x0000000005890000-0x0000000005E34000-memory.dmp
memory/3988-3-0x0000000005380000-0x0000000005412000-memory.dmp
memory/3988-4-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/3988-5-0x0000000005320000-0x000000000532A000-memory.dmp
memory/3988-6-0x0000000007CB0000-0x0000000007D4C000-memory.dmp
memory/3988-7-0x0000000005720000-0x000000000573A000-memory.dmp
memory/3988-8-0x0000000074490000-0x0000000074C40000-memory.dmp
memory/3988-9-0x00000000052C0000-0x00000000052D0000-memory.dmp
memory/3988-10-0x0000000008100000-0x00000000081A2000-memory.dmp
memory/3988-11-0x0000000007EC0000-0x0000000007EF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp
| Hash | Value |
|---|---|
| MD5 | 759ce9a2d9aa248a19ce521c8ac27499 |
| SHA1 | 5c2a1032239b50358feef84dd8b4699419e29a41 |
| SHA256 | 49e812b1f30db872c0f12a32870489434b02419aff3be9a1adf04e7ce873c348 |
| SHA512 | 3c49f7fc788680439a7d0e1490d615c9c8299001244122d7a8e134e9b9257ea25b961e467cdee4d764c54a76046cd4f94ea7cf2e2ee494a86ef888e650045d7c |
memory/1292-17-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1292-18-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1292-20-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1292-21-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3988-22-0x0000000074490000-0x0000000074C40000-memory.dmp
memory/1292-23-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1292-26-0x0000000000400000-0x0000000000438000-memory.dmp