Malware Analysis Report

2024-09-22 21:54

Sample ID 240304-fmnakabd27
Target b146860b83e4b59ffb07dbbdff9b8e6d
SHA256 dd01ca4b5bfbe8ef00d23fd0c1227d58e7d6169a89e3f1ae9bbb4fbae46bfe21
Tags
oski infostealer
score
10/10

Analysis Overview

score
10/10

SHA256

dd01ca4b5bfbe8ef00d23fd0c1227d58e7d6169a89e3f1ae9bbb4fbae46bfe21

Threat Level: Known bad

The file b146860b83e4b59ffb07dbbdff9b8e6d was found to be: Known bad.

Malicious Activity Summary

oski infostealer

Oski

Checks computer location settings

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-04 04:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 04:59

Reported

2024-03-04 05:02

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe"

Signatures

Oski

infostealer oski

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1300 set thread context of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\SysWOW64\schtasks.exe
PID 1300 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\SysWOW64\schtasks.exe
PID 1300 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\SysWOW64\schtasks.exe
PID 1300 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\SysWOW64\schtasks.exe
PID 1300 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1300 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1300 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1300 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1300 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1300 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1300 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1300 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1300 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 1300 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2640 wrote to memory of 2496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2640 wrote to memory of 2496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2640 wrote to memory of 2496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2640 wrote to memory of 2496 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe

"C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCSSNRmkLpV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC227.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 112

Network

N/A

Files

memory/1300-0-0x0000000001070000-0x0000000001124000-memory.dmp

memory/1300-1-0x0000000074D30000-0x000000007541E000-memory.dmp

memory/1300-2-0x0000000004CF0000-0x0000000004D30000-memory.dmp

memory/1300-3-0x0000000000710000-0x0000000000718000-memory.dmp

memory/1300-4-0x0000000074D30000-0x000000007541E000-memory.dmp

memory/1300-5-0x0000000004CF0000-0x0000000004D30000-memory.dmp

memory/1300-6-0x0000000005F00000-0x0000000005F86000-memory.dmp

memory/1300-7-0x0000000000AB0000-0x0000000000AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC227.tmp

MD5 65c4aaf36fa740c55e0bce0c04de99bf
SHA1 4bef453638098bbdae111cd05a270c7b71ce384e
SHA256 5ea3661400375db99c4288fa22efbd217b525845f31c7552b4c940e86509f73a
SHA512 1d6b05e4947123bf4f95a1c2479ee013a45cba9b816c966a2028ee551ea1b033672b42ec225518e9384e34c42ef35928af07f7820293148dbef91b32f8bc0b15

memory/2640-11-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-12-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-13-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-14-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-16-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-17-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2640-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1300-20-0x0000000074D30000-0x000000007541E000-memory.dmp

memory/2640-21-0x0000000000400000-0x0000000000438000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-04 04:59

Reported

2024-03-04 05:02

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe"

Signatures

Oski

infostealer oski

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3612 set thread context of 2196 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3612 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\SysWOW64\schtasks.exe
PID 3612 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\SysWOW64\schtasks.exe
PID 3612 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\SysWOW64\schtasks.exe
PID 3612 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3612 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe

"C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCSSNRmkLpV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9C1.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"{path}"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2196 -ip 2196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1300

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 zbd.divendesign.in udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

memory/3612-0-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3612-1-0x0000000000BA0000-0x0000000000C54000-memory.dmp

memory/3612-2-0x0000000005C80000-0x0000000006224000-memory.dmp

memory/3612-3-0x00000000056D0000-0x0000000005762000-memory.dmp

memory/3612-4-0x00000000056B0000-0x00000000056C0000-memory.dmp

memory/3612-5-0x0000000005660000-0x000000000566A000-memory.dmp

memory/3612-6-0x0000000005AE0000-0x0000000005AE8000-memory.dmp

memory/3612-7-0x00000000069D0000-0x0000000006A6C000-memory.dmp

memory/3612-8-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/3612-9-0x00000000056B0000-0x00000000056C0000-memory.dmp

memory/3612-10-0x0000000009780000-0x0000000009806000-memory.dmp

memory/3612-11-0x000000000BE60000-0x000000000BE9A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF9C1.tmp

MD5 5974e67cb41ddc1d31aa9fb051d5755c
SHA1 0e507cc82d88b9590cec645c52e65ef9329c3a4d
SHA256 15e75ffbd3a9891ca88a1c6308f01ec9d52e5280e29035eee81c2f750a0e11c2
SHA512 41d70a24c1afe788d189bb56718e5dbc15f8e562af4cbaccba89cfbc55cbe99f2a73e3e44cfba9079c716b120cc34fcd14946570dcf68abd2c2ed558df326ecd

memory/2196-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2196-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2196-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3612-19-0x0000000074BE0000-0x0000000075390000-memory.dmp

memory/2196-20-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2196-23-0x0000000000400000-0x0000000000438000-memory.dmp