Analysis

max time kernel: 300s
max time network: 311s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 12:46

Behavioral task
behavioral1
Sample: Oski Cracked.exe
Resource: win10v2004-20240226-en
General

Target: Oski Cracked.exe
Size: 4.7MB
MD5: fae4c2fc795b054c80d57ad600f8447f
SHA1: 94ef84328a4c1c864307870d8e98cc4b6d334dd5
SHA256: 579e9d2e534610d36fa6073b825f8caffc41f1f20dad0cfd1749ca12d202a11c
SHA512: 35da6d3abc97cea70fb573d45f5bd528f5550d478a464f40dd1455f453c65a16283d3a5106aa9e488d3674db5d0ec7009a0cfd30d026afc4220e829f32075be9
SSDEEP: 98304:PahEJCbuSMburCaMZh0yEKj+WRvrY1dcZ048HV/bFy8jJ7LUdVmi:PahmmMbuQZlFY7KsZPNLUdQ
Malware Config

Extracted
Family: quasar
Version: 2.1.0.0
Botnet/tag: Windows Security
C2: 23.105.131.187:7812
Mutex: VNM_MUTEX_CXpgUhDot7jvhF7S9O

Attributes
encryption_key: 1mVKopYcKhmQLOzLUk5T
install_name: Windows Security.exe
log_directory: Logs
reconnect_delay: 3000 (ms)
startup_key: Windows Update Service
subdirectory: SubDir

The configuration explains most of the file-system and persistence artefacts further down: subdirectory plus install_name is the dropped copy C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe, and startup_key is the name of the scheduled task that schtasks.exe creates. The sample is named after the Oski stealer, but the configuration the sandbox extracted belongs to Quasar; the Oski tag in the signatures below carries no IoC of its own on this page.
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource: behavioral1/memory/1212-42-0x0000000000400000-0x000000000048C000-memory.dmp
  yara_rule: disable_win_def

Modifies Windows Defender Real-time Protection settings (4 IoCs)
Policy values written by Windows Security.exe. The WOW6432Node prefix is the 32-bit registry view: the writer is a 32-bit process on a 64-bit guest, which also explains why its children run from C:\Windows\SysWOW64. With Tamper Protection in its default (enabled) state Defender ignores such policy writes from a third-party process, so the rows record the attempt, not its effect; the same process also tries to clear TamperProtection itself (see "Windows security modification" below).
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  (Windows Security.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  (Windows Security.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  (Windows Security.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  (Windows Security.exe)

Oski
Oski is an infostealer targeting browser data and crypto wallets. No IoC is attached to this tag in the report; the memory dump listed above matched the Quasar rule.

Quasar payload (1 IoC)
  resource: behavioral1/memory/1212-42-0x0000000000400000-0x000000000048C000-memory.dmp
  yara_rule: family_quasar

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry (Geo\Nation holds the GeoID of the configured country), likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  (Oski Cracked.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  (Windows Security.exe)

Executes dropped EXE (10 IoCs)
  PID 5008  Windows Security.exe
  PID 560   Oski Cracked.exe
  PID 1212  Windows Security.exe
  PID 4292  Windows Security.exe
  PID 4764  Windows Security.exe
  PID 4308  Windows Security.exe
  PID 4492  Windows Security.exe
  PID 2728  Windows Security.exe
  PID 928   Windows Security.exe
  PID 2268  Windows Security.exe

Windows security modification (2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features  (Windows Security.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  (Windows Security.exe)
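The registry rows above are the part of this report that translates most directly into a hunt. The following is an added example (not sandbox output and not code from the sample): it folds the sandbox's NT-style paths and Sysmon-style HKLM paths to one form, then flags the three behaviours shown here (Defender real-time-protection policy values set to 1, Features\TamperProtection set to 0, a read of Geo\Nation). The RegEvent shape, the "DWORD (0x...)" detail format and the sample events are assumptions modelled on Sysmon Event ID 13 and on the rows above; the benign MsMpEng.exe event is constructed to show that a write under the non-policy Defender key does not fire.

```python
"""Registry-event triage for the activity listed above (added example).

The rules fold the sandbox's NT-style paths (\\REGISTRY\\MACHINE\\...\\WOW6432Node\\...)
and Sysmon's HKLM\\... paths to one form, then flag the three kinds of event
this report shows: Defender real-time-protection policy values set to 1,
Features\\TamperProtection set to 0, and a read of Geo\\Nation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+(?:_Classes)?\\", re.I)

# Normalised (lower-case, hive-prefixed, WOW6432Node removed) key prefixes.
RTP_POLICY = "hklm\\software\\policies\\microsoft\\windows defender\\real-time protection\\"
FEATURES = "hklm\\software\\microsoft\\windows defender\\features\\"
GEO_NATION = "hkcu\\control panel\\international\\geo\\nation"


def normalize_key(target: str) -> str:
    """Map \\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<SID> -> HKCU, drop the
    WOW6432Node redirection (the writer here is a 32-bit process on x64) and
    lower-case, so sandbox rows and Sysmon events compare equal."""
    t = re.sub(r"^\\REGISTRY\\MACHINE\\", "HKLM\\\\", target, flags=re.I)
    t = re.sub(r"^\\REGISTRY\\USER\\", "HKU\\\\", t, flags=re.I)
    t = _SID.sub("HKCU\\\\", t)
    t = re.sub(r"\\WOW6432Node\\", "\\\\", t, flags=re.I)
    return t.lower()


@dataclass(frozen=True)
class RegEvent:
    image: str          # process that performed the operation
    op: str             # "SetValue" (Sysmon EID 13) or "QueryValue" (sandbox row)
    target: str         # key\value path as logged by the source
    details: str = ""   # Sysmon-style data, e.g. "DWORD (0x00000001)"


def dword(details: str) -> Optional[int]:
    m = re.match(r"DWORD \(0x([0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None


def classify(ev: RegEvent) -> List[str]:
    key = normalize_key(ev.target)
    hits = []
    if ev.op == "SetValue" and key.startswith(RTP_POLICY):
        name = key[len(RTP_POLICY):]
        # DisableBehaviorMonitoring, DisableOnAccessProtection,
        # DisableScanOnRealtimeEnable and siblings: any Disable* = 1 counts.
        if name.startswith("disable") and dword(ev.details) == 1:
            hits.append("defender_rtp_disabled:" + name)
    if ev.op == "SetValue" and key == FEATURES + "tamperprotection" and dword(ev.details) == 0:
        hits.append("defender_tamper_protection_off")
    if ev.op == "QueryValue" and key == GEO_NATION:
        hits.append("geo_nation_lookup")
    return hits


def triage(events) -> Dict[str, List[str]]:
    """Group firing rules by process image; images with no hit are omitted."""
    out: Dict[str, set] = {}
    for ev in events:
        for h in classify(ev):
            out.setdefault(ev.image, set()).add(h)
    return {img: sorted(hits) for img, hits in out.items()}


# Constructed sample: the four writes and one query from this report, plus one
# benign Defender write under the non-policy key that must not fire.
WS = r"C:\Users\Admin\AppData\Roaming\Windows Security.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE = [
    RegEvent(WS, "SetValue", RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    RegEvent(WS, "SetValue", RTP + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    RegEvent(WS, "SetValue", RTP + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    RegEvent(WS, "SetValue",
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection",
             "DWORD (0x00000000)"),
    RegEvent(r"C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe", "QueryValue",
             r"\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation"),
    RegEvent(r"C:\Program Files\Windows Defender\MsMpEng.exe", "SetValue",
             r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
             "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE).items():
        print(image, "->", ", ".join(hits))
```

The Policies key is matched as a prefix and the Features value exactly, so a new Disable* policy value is caught without a rule change while unrelated Defender writes stay quiet; the Geo\Nation read is kept as a low-severity tag because legitimate software reads it too, and it only becomes interesting next to the other two hits from the same process tree.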
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\Users\Admin\AppData\Roaming\Windows Update Folder\Windows Update.exe"  (Windows Security.exe)
  Note that this RunOnce target is a third path: it differs from both scheduled-task targets below, and nothing runs from it during the analysis.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 37: ip-api.com

Suspicious use of SetThreadContext (3 IoCs)
Each row is a parent re-pointing the main thread of a child that runs the same image; combined with the write bursts under "Suspicious use of WriteProcessMemory" below this is the process-hollowing pattern, repeated for every copy of the dropped binary.
  PID 5008 set thread context of 1212  (Windows Security.exe, target 94)
  PID 4292 set thread context of 2728  (Windows Security.exe, target 112)
  PID 928 set thread context of 2268  (Windows Security.exe, target 123)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Both tasks here are named "Windows Update Service" (the startup_key from the extracted config), trigger ONLOGON, run at the highest level and are created with /f, the second one overwriting the first with the SubDir path (full command lines in the process tree below).
  PID 4212  schtasks.exe
  PID 5004  schtasks.exe
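The RunOnce value and the two schtasks command lines are the persistence a responder would search for across a fleet. Below is an added example (not part of the report, and not the sample's code) that scores each artefact by counting independent reasons for suspicion rather than matching one string: logon trigger, highest run level, /f, a user-writable target, and names that imitate Windows components. The command lines and the RunOnce value are taken from this page; the benign NightlyBackup task and the OneDrive Run entry are constructed so that the threshold has something to reject.

```python
"""Persistence triage for the two mechanisms in this report (added example):
the schtasks /create command lines and the RunOnce value. Each artefact is
scored by counting independent reasons for suspicion, so a single property
(an AppData path, say) does not trip it on its own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop)|programdata|windows\\temp)\\", re.I)
# Names an attacker picks to blend in with Windows' own tasks and binaries.
LOOKALIKE = re.compile(r"windows\s*(?:security|update|defender|service)|svchost|runtime\s*broker", re.I)


@dataclass
class Finding:
    source: str                 # "schtasks" or "runkey"
    name: str                   # task name or value name
    target: str                 # executable the entry launches
    reasons: List[str] = field(default_factory=list)


def _opt(cmd: str, flag: str) -> Optional[str]:
    """Value of a schtasks option: /flag "quoted text" or /flag token."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def image_path(launch: str) -> str:
    """Executable part of a launch string, quoted or not ("C:\\a b\\x.exe" /arg)."""
    s = launch.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.+?\.(?:exe|bat|cmd|vbs|ps1))(?:\s|$)", s, re.I)
    return m.group(1) if m else s.split(" ")[0]


def _common(f: Finding) -> None:
    if USER_WRITABLE.match(f.target):
        f.reasons.append("target in user-writable path")
    if LOOKALIKE.search(f.name):
        f.reasons.append("name mimics a Windows component")
    if LOOKALIKE.search(f.target.rsplit("\\", 1)[-1]):
        f.reasons.append("image name mimics a Windows component")


def score_schtasks(cmd: str) -> Optional[Finding]:
    if not re.search(r"\bschtasks(?:\.exe)?\b.*?\s/create\b", cmd, re.I):
        return None
    f = Finding("schtasks", _opt(cmd, "tn") or "", image_path(_opt(cmd, "tr") or ""))
    sc, rl = (_opt(cmd, "sc") or "").upper(), (_opt(cmd, "rl") or "").upper()
    if sc in ("ONLOGON", "ONSTART"):
        f.reasons.append("trigger=" + sc)
    if rl == "HIGHEST":
        f.reasons.append("runlevel=HIGHEST")
    if re.search(r"\s/f\b", cmd, re.I):
        f.reasons.append("/f overwrites an existing task of the same name")
    _common(f)
    return f


def score_run_value(key: str, name: str, data: str) -> Finding:
    f = Finding("runkey", name, image_path(data))
    if re.search(r"\\runonce$", key, re.I):
        f.reasons.append("RunOnce (one-shot entry)")
    _common(f)
    return f


def suspicious(findings: List[Optional[Finding]], min_reasons: int = 2) -> List[Finding]:
    return [f for f in findings if f is not None and len(f.reasons) >= min_reasons]


# Constructed sample: the two schtasks lines and the RunOnce value from this
# report, plus two benign entries that must stay below the threshold.
SCHTASKS_1 = ('"schtasks" /create /tn "Windows Update Service" /sc ONLOGON '
              r'/tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f')
SCHTASKS_2 = ('"schtasks" /create /tn "Windows Update Service" /sc ONLOGON '
              r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe" /rl HIGHEST /f')
BENIGN_TASK = r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'
RUNONCE = (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "Windows Services",
           r"C:\Users\Admin\AppData\Roaming\Windows Update Folder\Windows Update.exe")
BENIGN_RUN = (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
              r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background')

if __name__ == "__main__":
    found = [score_schtasks(SCHTASKS_1), score_schtasks(SCHTASKS_2), score_schtasks(BENIGN_TASK),
             score_run_value(*RUNONCE), score_run_value(*BENIGN_RUN)]
    for f in suspicious(found):
        print(f.source, repr(f.name), "->", f.target, "|", "; ".join(f.reasons))
```

A threshold of two keeps the OneDrive entry (AppData path only) out while both task lines from this report score six and the RunOnce value four; on a real estate the lookalike list is the part to tune, since it is what separates "Windows Update Service" in Roaming from a vendor updater that also lives under AppData.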
Runs ping.exe (1 TTP, 1 IoC)
  PID 3656  PING.EXE

Suspicious behavior: EnumeratesProcesses (19 IoCs)
  PID 4292  Windows Security.exe  (x6)
  PID 636   powershell.exe        (x3)
  PID 1212  Windows Security.exe  (x8)
  PID 2268  Windows Security.exe  (x2)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeDebugPrivilege  PID 1212  Windows Security.exe
  Token: SeDebugPrivilege  PID 4292  Windows Security.exe
  Token: SeDebugPrivilege  PID 636   powershell.exe
  Token: SeDebugPrivilege  PID 2728  Windows Security.exe  (x2)
  Token: SeDebugPrivilege  PID 2268  Windows Security.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2728  Windows Security.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Listed as parent -> child (parent image, procid_target) with the number of identical rows; the list is capped at 64 entries, so the last pair is truncated. Three writes per child is the ordinary cost of process creation here; the eight-write bursts coincide with the SetThreadContext rows above.
  3696 -> 5008  (Oski Cracked.exe, 92)        x3
  3696 -> 560   (Oski Cracked.exe, 93)        x2
  5008 -> 1212  (Windows Security.exe, 94)    x8
  1212 -> 4212  (Windows Security.exe, 104)   x3
  1212 -> 4292  (Windows Security.exe, 106)   x3
  1212 -> 636   (Windows Security.exe, 107)   x3
  4292 -> 4764  (Windows Security.exe, 109)   x3
  4292 -> 4308  (Windows Security.exe, 110)   x3
  4292 -> 4492  (Windows Security.exe, 111)   x3
  4292 -> 2728  (Windows Security.exe, 112)   x8
  2728 -> 5004  (Windows Security.exe, 113)   x3
  1212 -> 3320  (Windows Security.exe, 115)   x3
  3320 -> 1100  (cmd.exe, 117)                x3
  1212 -> 1956  (Windows Security.exe, 118)   x3
  1956 -> 4976  (cmd.exe, 120)                x3
  1956 -> 3656  (cmd.exe, 121)                x3
  1956 -> 928   (cmd.exe, 122)                x3
  928 -> 2268   (Windows Security.exe, 123)   x4 (cut off by the 64-entry cap)
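The raw SetThreadContext and WriteProcessMemory rows are more useful once they are joined: a parent that both writes a burst into a child and resets its thread context, where the child runs the same image, is the hollowing pattern this report shows three times. The following is an added example (not sandbox code) that parses rows in the report's own line format, derives the baseline write count that ordinary process creation produces, lists the (parent, child) pairs that also have a SetThreadContext row, and renders the lineage with "=>" for a hollowed child. The sample rows are constructed from the counts above (re-expanded so the parser sees one row per event), and the pid-to-image map is taken from the process tree.

```python
"""Process-injection triage from the sandbox's WriteProcessMemory and
SetThreadContext rows (added example). CreateProcess itself produces a few
WriteProcessMemory events per child in these reports, so the write count
alone is noise; the pair of SetThreadContext plus a burst of writes into a
child that runs the *same image* is the hollowing pattern this report shows.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

ROW = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (.+?) \d+$")

Event = Tuple[int, str, int, str]   # (parent_pid, "write"|"ctx", child_pid, parent_image)


def parse_rows(rows: Iterable[str]) -> List[Event]:
    events = []
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            kind = "write" if m.group(2).startswith("wrote") else "ctx"
            events.append((int(m.group(1)), kind, int(m.group(3)), m.group(4)))
    return events


def write_counts(events: List[Event]) -> Counter:
    return Counter((p, c) for p, kind, c, _ in events if kind == "write")


def baseline_writes(events: List[Event]) -> int:
    """Most common per-child write count: what plain process creation costs here."""
    return Counter(write_counts(events).values()).most_common(1)[0][0]


def hollowing_candidates(events: List[Event], images: Dict[int, str]) -> List[dict]:
    writes = write_counts(events)
    pairs = sorted({(p, c) for p, kind, c, _ in events if kind == "ctx"})
    return [{"parent": p, "child": c, "writes": writes[(p, c)],
             "same_image": images.get(p, "").lower() == images.get(c, "").lower()}
            for p, c in pairs]


def lineage(root: int, events: List[Event], images: Dict[int, str]) -> List[str]:
    """Indented tree: '->' a spawned child, '=>' a child the parent re-pointed
    with SetThreadContext (i.e. the hollowed copy that does the real work)."""
    kids: Dict[int, List[int]] = defaultdict(list)
    ctx = set()
    for p, kind, c, _ in events:
        if kind == "ctx":
            ctx.add((p, c))
        elif c not in kids[p]:
            kids[p].append(c)
    out: List[str] = []

    def walk(pid: int, depth: int, marker: str) -> None:
        out.append(f"{'  ' * depth}{marker}{pid} {images.get(pid, '?')}")
        for c in kids[pid]:
            walk(c, depth + 1, "=> " if (pid, c) in ctx else "-> ")

    walk(root, 0, "")
    return out


# Constructed from the rows above, collapsed to (row, repeat count) and
# re-expanded, so the parser sees the report's own line format.
SAMPLE_ROWS = [
    ("PID 5008 set thread context of 1212 5008 Windows Security.exe 94", 1),
    ("PID 4292 set thread context of 2728 4292 Windows Security.exe 112", 1),
    ("PID 928 set thread context of 2268 928 Windows Security.exe 123", 1),
    ("PID 3696 wrote to memory of 5008 3696 Oski Cracked.exe 92", 3),
    ("PID 3696 wrote to memory of 560 3696 Oski Cracked.exe 93", 2),
    ("PID 5008 wrote to memory of 1212 5008 Windows Security.exe 94", 8),
    ("PID 1212 wrote to memory of 4212 1212 Windows Security.exe 104", 3),
    ("PID 1212 wrote to memory of 4292 1212 Windows Security.exe 106", 3),
    ("PID 4292 wrote to memory of 2728 4292 Windows Security.exe 112", 8),
    ("PID 928 wrote to memory of 2268 928 Windows Security.exe 123", 4),
]
SAMPLE_LINES = [row for row, n in SAMPLE_ROWS for _ in range(n)]
IMAGES = {3696: "Oski Cracked.exe", 560: "Oski Cracked.exe", 4212: "schtasks.exe",
          5008: "Windows Security.exe", 1212: "Windows Security.exe",
          4292: "Windows Security.exe", 2728: "Windows Security.exe",
          928: "Windows Security.exe", 2268: "Windows Security.exe"}

if __name__ == "__main__":
    ev = parse_rows(SAMPLE_LINES)
    print("baseline writes per child:", baseline_writes(ev))
    for cand in hollowing_candidates(ev, IMAGES):
        print(cand)
    print("\n".join(lineage(3696, ev, IMAGES)))
```

The 928 -> 2268 pair shows the caveat: its write count is 4 only because the report's list is capped at 64 rows, so the SetThreadContext row, not the write count, is what the rule should key on; the baseline is reported so an analyst can see how far the bursts sit above it.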
Processes

Depth markers [1]..[6] correspond to the nesting in the original tree; each entry shows the image path, the PID, the command line where the report gives one, and the signatures attributed to that process.

[1] C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe  (PID 3696)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Windows Security.exe  (PID 5008)
        cmdline: "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Windows Security.exe  (PID 1212)
            cmdline: "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Checks computer location settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\schtasks.exe  (PID 4212)
                cmdline: "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f
                - Creates scheduled task(s)

            [4] C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe  (PID 4292)
                cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory

                [5] C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe  (PID 4764)
                    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
                    - Executes dropped EXE

                [5] C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe  (PID 4308)
                    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
                    - Executes dropped EXE

                [5] C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe  (PID 4492)
                    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
                    - Executes dropped EXE

                [5] C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe  (PID 2728)
                    cmdline: "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of SetWindowsHookEx
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Windows\SysWOW64\schtasks.exe  (PID 5004)
                        cmdline: "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe" /rl HIGHEST /f
                        - Creates scheduled task(s)

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 636)
                cmdline: "powershell" Get-MpPreference -verbose
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\cmd.exe  (PID 3320)
                cmdline: "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\cmd.exe  (PID 1100)
                    cmdline: C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*

            [4] C:\Windows\SysWOW64\cmd.exe  (PID 1956)
                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jjS45wRtqofU.bat" "
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\chcp.com  (PID 4976)
                    cmdline: chcp 65001

                [5] C:\Windows\SysWOW64\PING.EXE  (PID 3656)
                    cmdline: ping -n 10 localhost
                    - Runs ping.exe

                [5] C:\Users\Admin\AppData\Roaming\Windows Security.exe  (PID 928)
                    cmdline: "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
                    - Executes dropped EXE
                    - Suspicious use of SetThreadContext
                    - Suspicious use of WriteProcessMemory

                    [6] C:\Users\Admin\AppData\Roaming\Windows Security.exe  (PID 2268)
                        cmdline: "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
                        - Executes dropped EXE
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Roaming\Oski Cracked.exe  (PID 560)
        cmdline: "C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"
        - Executes dropped EXE

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4196)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3180 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
    (separate root: an Edge utility process from the sandbox session, not a child of the sample)

Reading the tree: the lure writes two copies of itself to Roaming (Windows Security.exe and a second Oski Cracked.exe). PID 5008 starts a second instance of its own image (PID 1212), writes into it eight times and re-points it with SetThreadContext; that hollowed copy is the one whose memory matched the Quasar rule (1212-42), and it is the one that writes the Defender policy values, checks Get-MpPreference, registers the ONLOGON task, starts the SubDir copy and wipes %TEMP%. The SubDir copy repeats the same self-injection (4292 into 2728) and re-registers the task with its own path. The batch file run by PID 1956 is a relaunch step: switch the console to UTF-8 (chcp 65001), wait about nine seconds with ping -n 10 localhost, then start the Roaming copy again, which once more hollows a child (928 into 2268).
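The three cmd.exe chains in the tree (the %TEMP% wipe, the dropped .bat that sleeps with ping and relaunches the implant from AppData, and the Get-MpPreference check) are command-line patterns that survive a change of file names and hashes. Below is an added example (not part of the report) that tags each process from its own command line and, for the batch case, from its children's command lines, then walks tagged processes up to the untagged ancestor that drove the chain. The Proc records are constructed from the tree above; the build.bat entry is a constructed benign case that also runs a batch from %TEMP% but neither sleeps nor launches anything from AppData.

```python
"""Command-line triage for the cmd.exe chains in the process tree above
(added example): the %TEMP% wipe, the Get-MpPreference check, and the
dropped .bat that sleeps with ping and relaunches the implant from AppData.
Tags are computed per process from its own command line and, for the batch
case, from its children's command lines.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP_WIPE = re.compile(r"\bdel\b(?=.*?\s/q\b).*?(?:%temp%|\\temp)\\\*", re.I)
TEMP_BATCH = re.compile(r'\\(?:temp|tmp)\\[^\\"]+\.(?:bat|cmd)\b', re.I)
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)
APPDATA_EXE = re.compile(r'\\appdata\\(?:roaming|local)\\[^"]*?\.exe', re.I)
MP_RECON = re.compile(r"\bGet-MpPreference\b", re.I)


def tag_process(p: Proc, children: List[Proc]) -> List[str]:
    tags = []
    if TEMP_WIPE.search(p.cmdline):
        tags.append("temp_wipe")
    if MP_RECON.search(p.cmdline):
        tags.append("defender_recon")
    if TEMP_BATCH.search(p.cmdline):
        child_cmds = [c.cmdline for c in children]
        # "ping -n N localhost" waits roughly N-1 seconds: the batch-file sleep idiom.
        sleep = next((int(m.group(1)) for m in map(PING_SLEEP.search, child_cmds) if m), None)
        relaunch = [c for c in child_cmds if APPDATA_EXE.search(c)]
        if sleep is not None and relaunch:
            tags.append(f"batch_relaunch:sleep~{max(sleep - 1, 0)}s")
    return tags


def analyze(procs: List[Proc]) -> Dict[int, List[str]]:
    by_parent: Dict[int, List[Proc]] = defaultdict(list)
    for p in procs:
        by_parent[p.ppid].append(p)
    return {p.pid: tags for p in procs if (tags := tag_process(p, by_parent[p.pid]))}


def tagged_roots(procs: List[Proc], tagged: Dict[int, List[str]]) -> Set[int]:
    """Walk each tagged process up past other tagged processes; the first
    untagged ancestor is the process that drove the chain."""
    parent = {p.pid: p.ppid for p in procs}
    roots = set()
    for pid in tagged:
        anc = parent.get(pid)
        while anc in tagged:
            anc = parent.get(anc)
        if anc is not None:
            roots.add(anc)
    return roots


WS = r"C:\Users\Admin\AppData\Roaming\Windows Security.exe"
# Constructed from the process tree above, plus one benign batch run from %TEMP%.
SAMPLE = [
    Proc(1212, 5008, WS, '"' + WS + '"'),
    Proc(636, 1212, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         '"powershell" Get-MpPreference -verbose'),
    Proc(3320, 1212, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit'),
    Proc(1100, 3320, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*"),
    Proc(1956, 1212, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jjS45wRtqofU.bat" "'),
    Proc(4976, 1956, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    Proc(3656, 1956, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 10 localhost"),
    Proc(928, 1956, WS, '"' + WS + '"'),
    Proc(7000, 4000, r"C:\Windows\System32\cmd.exe",
         r'cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\build.bat"'),
    Proc(7001, 7000, r"C:\Program Files\Tool\tool.exe", r'"C:\Program Files\Tool\tool.exe" --build'),
]

if __name__ == "__main__":
    tagged = analyze(SAMPLE)
    for pid, tags in tagged.items():
        print(pid, tags)
    print("driven by:", tagged_roots(SAMPLE, tagged))
```

The batch rule deliberately needs both halves, the ping sleep and a relaunch from AppData, because batch files from %TEMP% are common in installers; the temp wipe and the Get-MpPreference call are weak on their own and gain their weight from sharing a parent, which is what tagged_roots surfaces (PID 1212 here).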
Network
Network indicators on this page: flow 37 to ip-api.com (external IP lookup, see Signatures) and the configured Quasar C2 23.105.131.187:7812 (see Malware Config).

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)  [T1547.001]
  Create or Modify System Process (1): Windows Service (1)  [T1543.003] (mapping reported by the sandbox; no service-creation IoC appears on this page)
  Scheduled Task/Job (1)  [T1053]
Downloads

Filesize: 507B
MD5: 8cf94b5356be60247d331660005941ec
SHA1: fdedb361f40f22cb6a086c808fc0056d4e421131
SHA256: 52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0
SHA512: b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 210B
MD5: ea14a539a9e6de43ecc11551eee2e693
SHA1: 891e15d028f4fff40d37cfc161fc8de66c979806
SHA256: 85066ebaba2b85c25b164ce143fb6e015afcf2270fcd9e48460e8cca98da1729
SHA512: ab6a1e1f0ffa2f2351b43f6553ca858f7c0053f20c9549678495a39cdb57b1e576e258ff315e238bcb9d9801986eff880f3a74754f89883ccb36f30cdcd5aa84

Filesize: 3.9MB
MD5: 2bd0e61c45d352697c5e16437d8055b0
SHA1: 0b9b24d396a50c2dc13d73e1f2d57c1891de3f31
SHA256: 71efc8fc1dede4f96e837043ad3cbd38a65bd530ce71ae4d44ddc29843fab70b
SHA512: 80044d4ece73637328e9b456c3127be02ecc9cea4b12fee65a884fed0266187aec58e6906c652face3b6125d59b9fa10303f02e1d8bfa33dbccb62fd2bc2b73d

Filesize: 657KB
MD5: afdef9702262982ab384060d18d03b62
SHA1: 118816cd69ca66a736fb12857e9566c491ec4c45
SHA256: e7a0e4fd18d08ffe77220d4fdc01598fb6b04f4cfdc8ee20875bd3b106f13be3
SHA512: e17f3a54e698546b9e07831dec8dbdc02cf925b282451825e0d9bb3fa8644e45a2405849f17ff0a9b60c0dc5d856420fce4de24edbade5b950a74b4ef4f8611a