Overview

overview

10

Static

static

10

Oski Cracked.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    311s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 12:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Oski Cracked.exe

  • Size

    4.7MB

  • MD5

    fae4c2fc795b054c80d57ad600f8447f

  • SHA1

    94ef84328a4c1c864307870d8e98cc4b6d334dd5

  • SHA256

    579e9d2e534610d36fa6073b825f8caffc41f1f20dad0cfd1749ca12d202a11c

  • SHA512

    35da6d3abc97cea70fb573d45f5bd528f5550d478a464f40dd1455f453c65a16283d3a5106aa9e488d3674db5d0ec7009a0cfd30d026afc4220e829f32075be9

  • SSDEEP

    98304:PahEJCbuSMburCaMZh0yEKj+WRvrY1dcZ048HV/bFy8jJ7LUdVmi:PahmmMbuQZlFY7KsZPNLUdQ

Score
10/10
oskiquasarvenomratwindows securityevasioninfostealerpersistenceratrootkitspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Security

C2

23.105.131.187:7812

Mutex

VNM_MUTEX_CXpgUhDot7jvhF7S9O

Attributes
  • encryption_key

    1mVKopYcKhmQLOzLUk5T

  • install_name

    Windows Security.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Update Service

  • subdirectory

    SubDir

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • VenomRAT

    VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.

    ratrootkitstealervenomrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Users\Admin\AppData\Roaming\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Users\Admin\AppData\Roaming\Windows Security.exe
        "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Checks computer location settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1212
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:4212
        • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
          "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4292
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
            5⤵
            • Executes dropped EXE
            PID:4764
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
            5⤵
            • Executes dropped EXE
            PID:4308
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
            5⤵
            • Executes dropped EXE
            PID:4492
          • C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Security.exe" /rl HIGHEST /f
              6⤵
              • Creates scheduled task(s)
              PID:5004
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Get-MpPreference -verbose
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:636
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3320
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
            5⤵
              PID:1100
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jjS45wRtqofU.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1956
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
                PID:4976
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                5⤵
                • Runs ping.exe
                PID:3656
              • C:\Users\Admin\AppData\Roaming\Windows Security.exe
                "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:928
                • C:\Users\Admin\AppData\Roaming\Windows Security.exe
                  "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2268
        • C:\Users\Admin\AppData\Roaming\Oski Cracked.exe
          "C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"
          2⤵
          • Executes dropped EXE
          PID:560
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3180 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4196

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security.exe.log
          Filesize

          507B

          MD5

          8cf94b5356be60247d331660005941ec

          SHA1

          fdedb361f40f22cb6a086c808fc0056d4e421131

          SHA256

          52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

          SHA512

          b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_btb5heos.qx2.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jjS45wRtqofU.bat
          Filesize

          210B

          MD5

          ea14a539a9e6de43ecc11551eee2e693

          SHA1

          891e15d028f4fff40d37cfc161fc8de66c979806

          SHA256

          85066ebaba2b85c25b164ce143fb6e015afcf2270fcd9e48460e8cca98da1729

          SHA512

          ab6a1e1f0ffa2f2351b43f6553ca858f7c0053f20c9549678495a39cdb57b1e576e258ff315e238bcb9d9801986eff880f3a74754f89883ccb36f30cdcd5aa84

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Oski Cracked.exe
          Filesize

          3.9MB

          MD5

          2bd0e61c45d352697c5e16437d8055b0

          SHA1

          0b9b24d396a50c2dc13d73e1f2d57c1891de3f31

          SHA256

          71efc8fc1dede4f96e837043ad3cbd38a65bd530ce71ae4d44ddc29843fab70b

          SHA512

          80044d4ece73637328e9b456c3127be02ecc9cea4b12fee65a884fed0266187aec58e6906c652face3b6125d59b9fa10303f02e1d8bfa33dbccb62fd2bc2b73d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Windows Security.exe
          Filesize

          657KB

          MD5

          afdef9702262982ab384060d18d03b62

          SHA1

          118816cd69ca66a736fb12857e9566c491ec4c45

          SHA256

          e7a0e4fd18d08ffe77220d4fdc01598fb6b04f4cfdc8ee20875bd3b106f13be3

          SHA512

          e17f3a54e698546b9e07831dec8dbdc02cf925b282451825e0d9bb3fa8644e45a2405849f17ff0a9b60c0dc5d856420fce4de24edbade5b950a74b4ef4f8611a

          Download Submit

        • memory/560-52-0x000000001B460000-0x000000001B470000-memory.dmp

          Filesize

          64KB

          Download

        • memory/560-37-0x000000001B5B0000-0x000000001B9CC000-memory.dmp

          Filesize

          4.1MB

          Download

        • memory/560-30-0x0000000000450000-0x0000000000846000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/560-31-0x00007FFA05C00000-0x00007FFA066C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/560-49-0x00007FFA05C00000-0x00007FFA066C1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/560-48-0x00007FFA05C03000-0x00007FFA05C05000-memory.dmp

          Filesize

          8KB

          Download

        • memory/560-47-0x000000001B460000-0x000000001B470000-memory.dmp

          Filesize

          64KB

          Download

        • memory/560-28-0x00007FFA05C03000-0x00007FFA05C05000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-95-0x0000000007BD0000-0x000000000824A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/636-100-0x00000000078A0000-0x00000000078AE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/636-96-0x0000000006630000-0x000000000664A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/636-78-0x0000000005DB0000-0x0000000006104000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/636-94-0x00000000072A0000-0x0000000007343000-memory.dmp

          Filesize

          652KB

          Download

        • memory/636-93-0x0000000006810000-0x000000000682E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/636-98-0x00000000077C0000-0x0000000007856000-memory.dmp

          Filesize

          600KB

          Download

        • memory/636-83-0x0000000070C90000-0x0000000070CDC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/636-99-0x0000000007740000-0x0000000007751000-memory.dmp

          Filesize

          68KB

          Download

        • memory/636-97-0x00000000075B0000-0x00000000075BA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/636-101-0x00000000078B0000-0x00000000078C4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/636-82-0x00000000067D0000-0x0000000006802000-memory.dmp

          Filesize

          200KB

          Download

        • memory/636-81-0x0000000006300000-0x000000000634C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/636-102-0x00000000078F0000-0x000000000790A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/636-80-0x0000000006110000-0x000000000612E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/636-59-0x00000000028D0000-0x0000000002906000-memory.dmp

          Filesize

          216KB

          Download

        • memory/636-65-0x00000000054A0000-0x0000000005AC8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/636-66-0x0000000005270000-0x0000000005292000-memory.dmp

          Filesize

          136KB

          Download

        • memory/636-67-0x0000000005350000-0x00000000053B6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/636-103-0x00000000078E0000-0x00000000078E8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1212-50-0x0000000005060000-0x00000000050C6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1212-53-0x0000000006600000-0x000000000663C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1212-51-0x0000000006080000-0x0000000006092000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1212-42-0x0000000000400000-0x000000000048C000-memory.dmp

          Filesize

          560KB

          Download

        • memory/2728-79-0x0000000007130000-0x000000000713A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3696-0-0x00000000750F2000-0x00000000750F3000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3696-1-0x00000000750F0000-0x00000000756A1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3696-2-0x00000000750F0000-0x00000000756A1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3696-29-0x00000000750F0000-0x00000000756A1000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/5008-38-0x0000000005480000-0x0000000005512000-memory.dmp

          Filesize

          584KB

          Download

        • memory/5008-36-0x0000000005A30000-0x0000000005FD4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/5008-35-0x0000000002CC0000-0x0000000002CCA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5008-34-0x00000000722C0000-0x0000000072A70000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/5008-33-0x0000000000940000-0x00000000009EA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/5008-32-0x00000000722CE000-0x00000000722CF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5008-39-0x0000000005520000-0x00000000055BC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/5008-41-0x00000000053F0000-0x00000000053FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5008-46-0x00000000722C0000-0x0000000072A70000-memory.dmp

          Filesize

          7.7MB

          Download