Analysis
-
max time kernel
29s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16-05-2024 17:48
Behavioral task
behavioral1
Sample
Oski Cracked.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Oski Cracked.exe
Resource
win7-20240508-en
Behavioral task
behavioral3
Sample
Oski Cracked.exe
Resource
win10v2004-20240426-en
General
-
Target
Oski Cracked.exe
-
Size
4.5MB
-
MD5
a52baa5b64635eec7c7b888bff016aac
-
SHA1
a86b895b483df3c657553f498ebcd9c97b89415f
-
SHA256
cd986b32c220cc04c9feb5e42a393fb34efc884d176e6d8d266e54ac4840cfa3
-
SHA512
bed140ed03ed4b5da82edf1139eced7c84a56fe75f5a8926002414ed0b8f25fbb6cbf9e3111ff6d9b5d942382be331a674f17cf10b2150f171f32276ad4b3980
-
SSDEEP
98304:iJCbuSMburCaMZh0yEKj+WRvrY1dcZ048HV/bFy8jJ7APB:8mMbuQZlFY7KsZPNA
Malware Config
Extracted
quasar
2.1.0.0
VILVA V3
67.213.221.18:7812
VNM_MUTEX_DR6NAzaayWgRGuLNpp
-
encryption_key
izGdDJVzqIzRDlXcooB4
-
install_name
Windows Defender Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Service
-
subdirectory
WindowsDir
Signatures
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/files/0x000c00000001226d-5.dat disable_win_def behavioral2/memory/2564-20-0x0000000000F60000-0x0000000000FEC000-memory.dmp disable_win_def behavioral2/memory/2532-28-0x0000000000180000-0x000000000020C000-memory.dmp disable_win_def -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Windows Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Windows Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Windows Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" Windows Security.exe -
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Quasar payload 3 IoCs
resource yara_rule behavioral2/files/0x000c00000001226d-5.dat family_quasar behavioral2/memory/2564-20-0x0000000000F60000-0x0000000000FEC000-memory.dmp family_quasar behavioral2/memory/2532-28-0x0000000000180000-0x000000000020C000-memory.dmp family_quasar -
Deletes itself 1 IoCs
pid Process 2800 cmd.exe -
Executes dropped EXE 3 IoCs
pid Process 2564 Windows Security.exe 2692 Oski Cracked.exe 2532 Windows Defender Security.exe -
Loads dropped DLL 3 IoCs
pid Process 1904 Oski Cracked.exe 1904 Oski Cracked.exe 2564 Windows Security.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features Windows Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" Windows Security.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2472 schtasks.exe 2516 schtasks.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 572 PING.EXE -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2964 powershell.exe 2564 Windows Security.exe 2564 Windows Security.exe 2564 Windows Security.exe 2564 Windows Security.exe 2564 Windows Security.exe 2564 Windows Security.exe 2564 Windows Security.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2564 Windows Security.exe Token: SeDebugPrivilege 2532 Windows Defender Security.exe Token: SeDebugPrivilege 2964 powershell.exe Token: SeDebugPrivilege 2532 Windows Defender Security.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2532 Windows Defender Security.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 1904 wrote to memory of 2564 1904 Oski Cracked.exe 28 PID 1904 wrote to memory of 2564 1904 Oski Cracked.exe 28 PID 1904 wrote to memory of 2564 1904 Oski Cracked.exe 28 PID 1904 wrote to memory of 2564 1904 Oski Cracked.exe 28 PID 1904 wrote to memory of 2692 1904 Oski Cracked.exe 29 PID 1904 wrote to memory of 2692 1904 Oski Cracked.exe 29 PID 1904 wrote to memory of 2692 1904 Oski Cracked.exe 29 PID 1904 wrote to memory of 2692 1904 Oski Cracked.exe 29 PID 2564 wrote to memory of 2472 2564 Windows Security.exe 31 PID 2564 wrote to memory of 2472 2564 Windows Security.exe 31 PID 2564 wrote to memory of 2472 2564 Windows Security.exe 31 PID 2564 wrote to memory of 2472 2564 Windows Security.exe 31 PID 2564 wrote to memory of 2532 2564 Windows Security.exe 33 PID 2564 wrote to memory of 2532 2564 Windows Security.exe 33 PID 2564 wrote to memory of 2532 2564 Windows Security.exe 33 PID 2564 wrote to memory of 2532 2564 Windows Security.exe 33 PID 2564 wrote to memory of 2964 2564 Windows Security.exe 34 PID 2564 wrote to memory of 2964 2564 Windows Security.exe 34 PID 2564 wrote to memory of 2964 2564 Windows Security.exe 34 PID 2564 wrote to memory of 2964 2564 Windows Security.exe 34 PID 2532 wrote to memory of 2516 2532 Windows Defender Security.exe 36 PID 2532 wrote to memory of 2516 2532 Windows Defender Security.exe 36 PID 2532 wrote to memory of 2516 2532 Windows Defender Security.exe 36 PID 2532 wrote to memory of 2516 2532 Windows Defender Security.exe 36 PID 2564 wrote to memory of 1220 2564 Windows Security.exe 38 PID 2564 wrote to memory of 1220 2564 Windows Security.exe 38 PID 2564 wrote to memory of 1220 2564 Windows Security.exe 38 PID 2564 wrote to memory of 1220 2564 Windows Security.exe 38 PID 1220 wrote to memory of 2800 1220 cmd.exe 40 PID 1220 wrote to memory of 2800 1220 cmd.exe 40 PID 1220 wrote to memory of 2800 1220 cmd.exe 40 PID 1220 wrote to memory of 2800 1220 cmd.exe 40 PID 2564 wrote to memory of 320 2564 Windows Security.exe 41 PID 2564 wrote to memory of 320 2564 Windows Security.exe 41 PID 2564 wrote to memory of 320 2564 Windows Security.exe 41 PID 2564 wrote to memory of 320 2564 Windows Security.exe 41 PID 320 wrote to memory of 688 320 cmd.exe 43 PID 320 wrote to memory of 688 320 cmd.exe 43 PID 320 wrote to memory of 688 320 cmd.exe 43 PID 320 wrote to memory of 688 320 cmd.exe 43 PID 320 wrote to memory of 572 320 cmd.exe 44 PID 320 wrote to memory of 572 320 cmd.exe 44 PID 320 wrote to memory of 572 320 cmd.exe 44 PID 320 wrote to memory of 572 320 cmd.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Users\Admin\AppData\Roaming\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Security.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:2472
-
-
C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:2516
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
- Deletes itself
PID:2800
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\2VL5Nhgo6D4j.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:688
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
PID:572
-
-
-
-
C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"2⤵
- Executes dropped EXE
PID:2692
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
210B
MD5522b6ee74dcb8828f10179e87aa4d360
SHA1c5dca1b0814ea055451ef929e24a5a42ed22551c
SHA25686b2a93cc0e03973315d3afb3bc930e20389620503a625d3e62a2d2b3c3cccee
SHA51291207797bafa6b92cb27afc9eb1bb4756e5f1a83ed5de67c80c9f95a0934534f20efd49ba934f02d2eaa3d7c8569e80e704dbaeec4d042d01b5a5fbbf03dbfd3
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
3.9MB
MD52bd0e61c45d352697c5e16437d8055b0
SHA10b9b24d396a50c2dc13d73e1f2d57c1891de3f31
SHA25671efc8fc1dede4f96e837043ad3cbd38a65bd530ce71ae4d44ddc29843fab70b
SHA51280044d4ece73637328e9b456c3127be02ecc9cea4b12fee65a884fed0266187aec58e6906c652face3b6125d59b9fa10303f02e1d8bfa33dbccb62fd2bc2b73d
-
Filesize
534KB
MD5deb0b7c057e00267baf93d2be0fd5e9f
SHA10938426efa7763dde948ce903b46bc88c7f8bf04
SHA256401d7686d9400875f1ee068006e7142c1bdc1108d4ddb3113924dddb312be7d5
SHA512e9d5986b49339fb99703d34743fec5a6522e4c2d05a81a818d58c9f15a1144d338058ebdb3076f5a683cd5bf03d01ac50156f2063450d4955f7cf854b2d1869e