Malware Analysis Report

2024-09-22 21:45

Sample ID 240229-bcehfshf9y
Target ad4b527e8240812756aa003af27b9e48
SHA256 fa0ab33b2858424a74e0b8adaa205f38ebfd769701e4d05a84737d09e2cc358f
Tags: oski infostealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: fa0ab33b2858424a74e0b8adaa205f38ebfd769701e4d05a84737d09e2cc358f

Threat Level: Known bad

The file ad4b527e8240812756aa003af27b9e48 was found to be: Known bad.

Malicious Activity Summary

oski infostealer

Oski

Uses the VBS compiler for execution

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-02-29 00:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-29 00:59

Reported: 2024-02-29 01:02

Platform: win7-20240221-en

Max time kernel: 119s

Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe"

Signatures

Oski (tags: infostealer, oski)

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2112 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

(tag: persistence)
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2112 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 2112 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | 10
PID 2624 wrote to memory of 2716 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | C:\Windows\SysWOW64\WerFault.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe

"C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\paGCyK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 816

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | fredarlessonmark.com | udp

Files

Memory regions dumped from PID 2112 (ad4b527e8240812756aa003af27b9e48.exe):
  0x0000000074840000-0x0000000074F2E000 (dumped 3 times)
  0x0000000001100000-0x00000000011E8000
  0x0000000000EF0000-0x0000000000F30000 (dumped 2 times)
  0x00000000008B0000-0x00000000008C8000
  0x0000000005660000-0x0000000005708000
  0x0000000000BA0000-0x0000000000BE0000

C:\Users\Admin\AppData\Local\Temp\tmpC3DB.tmp (task XML passed to schtasks.exe /XML)

MD5 b78dab0d9d37d28b47fa2023c052679a
SHA1 02852f0234c6f5dce0815ede6a7a3eec40e7e426
SHA256 9c4794a608b67fc89d794a3a95ffb977d771b5ff6bb6e1b5cc5ee95cbe6d76ff
SHA512 685712048704527539f9899318acfcce2b3e8bf59528161e4a23a6de945563285353766b767e4d3280a59ea06ff99fbbf80fab5989bac122325879ee6b27dabf

Memory regions dumped from PID 2624 (vbc.exe, target of SetThreadContext):
  0x0000000000400000-0x0000000000438000 (dumped 9 times)
  0x00000000FFFDE000-0x00000000FFFDF000

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-29 00:59

Reported: 2024-02-29 01:02

Platform: win10v2004-20240226-en

Max time kernel: 150s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe"

Signatures

Oski (tags: infostealer, oski)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4984 set thread context of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

(tag: persistence)
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 4984 wrote to memory of 3116 | N/A | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 4984 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | 3
PID 4984 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | 9

Processes

C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe

"C:\Users\Admin\AppData\Local\Temp\ad4b527e8240812756aa003af27b9e48.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\paGCyK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7C2.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1696 -ip 1696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 1288

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | fredarlessonmark.com | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

Memory regions dumped from PID 4984 (ad4b527e8240812756aa003af27b9e48.exe):
  0x0000000000CC0000-0x0000000000DA8000
  0x0000000074960000-0x0000000075110000 (dumped 3 times)
  0x00000000057B0000-0x000000000584C000
  0x0000000005E00000-0x00000000063A4000
  0x0000000005850000-0x00000000058E2000
  0x0000000005AC0000-0x0000000005AD0000 (dumped 2 times)
  0x00000000057A0000-0x00000000057AA000
  0x0000000005A40000-0x0000000005A96000
  0x0000000005A20000-0x0000000005A38000
  0x0000000009370000-0x0000000009418000
  0x000000000BB70000-0x000000000BBB0000

C:\Users\Admin\AppData\Local\Temp\tmpD7C2.tmp (task XML passed to schtasks.exe /XML)

MD5 e95b03b7446e070e4d5075f6d03bbf1a
SHA1 6470bc6334cf5095ca874732130e5a34c445e423
SHA256 eccae6cfcfd4c2f86320608df7d98458c0c7d83632368c7c1496ae6ba60a4e90
SHA512 04d481f37ecb00c5fb823a1ff92a19da95083cefca79105f9b9c9a4d6fac8b14649a453b06830395df9b7c3b6be6315468399874e541d592bc046826b5c0fc81

Memory regions dumped from PID 1696 (vbc.exe, target of SetThreadContext):
  0x0000000000400000-0x0000000000438000 (dumped 5 times)