Analysis Overview
SHA256
dd01ca4b5bfbe8ef00d23fd0c1227d58e7d6169a89e3f1ae9bbb4fbae46bfe21
Threat Level: Known bad
The file b146860b83e4b59ffb07dbbdff9b8e6d was found to be: Known bad.
Malicious Activity Summary
Oski
Checks computer location settings
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-03-04 04:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-04 04:59
Reported: 2024-03-04 05:02
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 125s
Command Line
Signatures
Oski
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1300 set thread context of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe
"C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCSSNRmkLpV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC227.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 112
Network
Files
memory/1300-0-0x0000000001070000-0x0000000001124000-memory.dmp
memory/1300-1-0x0000000074D30000-0x000000007541E000-memory.dmp
memory/1300-2-0x0000000004CF0000-0x0000000004D30000-memory.dmp
memory/1300-3-0x0000000000710000-0x0000000000718000-memory.dmp
memory/1300-4-0x0000000074D30000-0x000000007541E000-memory.dmp
memory/1300-5-0x0000000004CF0000-0x0000000004D30000-memory.dmp
memory/1300-6-0x0000000005F00000-0x0000000005F86000-memory.dmp
memory/1300-7-0x0000000000AB0000-0x0000000000AEA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC227.tmp
| MD5 | 65c4aaf36fa740c55e0bce0c04de99bf |
| SHA1 | 4bef453638098bbdae111cd05a270c7b71ce384e |
| SHA256 | 5ea3661400375db99c4288fa22efbd217b525845f31c7552b4c940e86509f73a |
| SHA512 | 1d6b05e4947123bf4f95a1c2479ee013a45cba9b816c966a2028ee551ea1b033672b42ec225518e9384e34c42ef35928af07f7820293148dbef91b32f8bc0b15 |
memory/2640-11-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2640-12-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2640-13-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2640-14-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2640-16-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2640-17-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2640-18-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1300-20-0x0000000074D30000-0x000000007541E000-memory.dmp
memory/2640-21-0x0000000000400000-0x0000000000438000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-03-04 04:59
Reported: 2024-03-04 05:02
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 154s
Command Line
Signatures
Oski
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3612 set thread context of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe
"C:\Users\Admin\AppData\Local\Temp\b146860b83e4b59ffb07dbbdff9b8e6d.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nCSSNRmkLpV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9C1.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2196 -ip 2196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1300
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zbd.divendesign.in | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/3612-0-0x0000000074BE0000-0x0000000075390000-memory.dmp
memory/3612-1-0x0000000000BA0000-0x0000000000C54000-memory.dmp
memory/3612-2-0x0000000005C80000-0x0000000006224000-memory.dmp
memory/3612-3-0x00000000056D0000-0x0000000005762000-memory.dmp
memory/3612-4-0x00000000056B0000-0x00000000056C0000-memory.dmp
memory/3612-5-0x0000000005660000-0x000000000566A000-memory.dmp
memory/3612-6-0x0000000005AE0000-0x0000000005AE8000-memory.dmp
memory/3612-7-0x00000000069D0000-0x0000000006A6C000-memory.dmp
memory/3612-8-0x0000000074BE0000-0x0000000075390000-memory.dmp
memory/3612-9-0x00000000056B0000-0x00000000056C0000-memory.dmp
memory/3612-10-0x0000000009780000-0x0000000009806000-memory.dmp
memory/3612-11-0x000000000BE60000-0x000000000BE9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF9C1.tmp
| MD5 | 5974e67cb41ddc1d31aa9fb051d5755c |
| SHA1 | 0e507cc82d88b9590cec645c52e65ef9329c3a4d |
| SHA256 | 15e75ffbd3a9891ca88a1c6308f01ec9d52e5280e29035eee81c2f750a0e11c2 |
| SHA512 | 41d70a24c1afe788d189bb56718e5dbc15f8e562af4cbaccba89cfbc55cbe99f2a73e3e44cfba9079c716b120cc34fcd14946570dcf68abd2c2ed558df326ecd |
memory/2196-15-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2196-17-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2196-18-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3612-19-0x0000000074BE0000-0x0000000075390000-memory.dmp
memory/2196-20-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2196-23-0x0000000000400000-0x0000000000438000-memory.dmp