Malware Analysis Report

2024-09-22 21:54

Sample ID: 240319-t6xj8shd4x
Target: d69b90af0812b7634f0214cd46f54ae0
SHA256: acaa6723efbef5d53904d2d8e69d3c3e3f09a9e08cb17e1e79b00583316609c6
Tags: oski infostealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: acaa6723efbef5d53904d2d8e69d3c3e3f09a9e08cb17e1e79b00583316609c6

Threat Level: Known bad

The file d69b90af0812b7634f0214cd46f54ae0 was found to be: Known bad.

Malicious Activity Summary

oski infostealer

Oski

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-19 16:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-19 16:40

Reported

2024-03-19 16:43

Platform

win7-20240221-en

Max time kernel

158s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe"

Signatures

Oski

infostealer oski

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1712 set thread context of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1712 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 588 | N/A | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe

"C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cdgPKOcGVD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCE9.tmp"

C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe

"C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe"

Network

Country | Destination | Domain | Proto
RO | 193.142.58.164:80 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpBCE9.tmp

MD5 cf6cd92f4239b85d22329df182f1cadc
SHA1 c61233a859f2b56c9951ffd089e256a5fcc060b5
SHA256 02ad419cf8f0bad9cba16857120a8391f41b3adf60ef152d0247a4183b00afb3
SHA512 6eeb80be92284e56c2f41c4ac72571cf4f4004c16325e5b5b359f67f588cf0a42a2cbc3ceae86847b1e2d62a52e3b90b2fce6b45777f40d47f448be1db053a1c


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-19 16:40

Reported

2024-03-19 16:43

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe"

Signatures

Oski

infostealer oski

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1788 set thread context of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1788 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1788 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe | C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe

"C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4488 --field-trial-handle=2432,i,12161922670941700748,3348345705955601576,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cdgPKOcGVD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEDD6.tmp"

C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe

"C:\Users\Admin\AppData\Local\Temp\d69b90af0812b7634f0214cd46f54ae0.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\tmpEDD6.tmp

MD5 68adfa6c76bfda417a520d5c0216e9ba
SHA1 94d155877cc088d436b990b7dc9fa70d0c91080e
SHA256 05aebe0997d1e7676ee7c219cedf3cbe9d445b78b75ee6f734d5e719ab198d4b
SHA512 89882914e8d61b4e4e2fcf50baa1eac02e792064afcf0ef2db2cfe8d3492608a17ea9cd3a66d4d4154d489aa40fed8a91ba9380bfbca0ca0c1c75f895cf950eb
