Analysis
-
max time kernel
0s -
max time network
28s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
16-05-2024 17:48
Behavioral task
behavioral1
Sample
Oski Cracked.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Oski Cracked.exe
Resource
win7-20240508-en
Behavioral task
behavioral3
Sample
Oski Cracked.exe
Resource
win10v2004-20240426-en
General
-
Target
Oski Cracked.exe
-
Size
4.5MB
-
MD5
a52baa5b64635eec7c7b888bff016aac
-
SHA1
a86b895b483df3c657553f498ebcd9c97b89415f
-
SHA256
cd986b32c220cc04c9feb5e42a393fb34efc884d176e6d8d266e54ac4840cfa3
-
SHA512
bed140ed03ed4b5da82edf1139eced7c84a56fe75f5a8926002414ed0b8f25fbb6cbf9e3111ff6d9b5d942382be331a674f17cf10b2150f171f32276ad4b3980
-
SSDEEP
98304:iJCbuSMburCaMZh0yEKj+WRvrY1dcZ048HV/bFy8jJ7APB:8mMbuQZlFY7KsZPNA
Malware Config
Extracted
quasar
2.1.0.0
VILVA V3
67.213.221.18:7812
VNM_MUTEX_DR6NAzaayWgRGuLNpp
-
encryption_key
izGdDJVzqIzRDlXcooB4
-
install_name
Windows Defender Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Service
-
subdirectory
WindowsDir
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral3/files/0x0006000000023288-13.dat disable_win_def behavioral3/memory/1948-27-0x0000000000F60000-0x0000000000FEC000-memory.dmp disable_win_def -
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Quasar payload 2 IoCs
resource yara_rule behavioral3/files/0x0006000000023288-13.dat family_quasar behavioral3/memory/1948-27-0x0000000000F60000-0x0000000000FEC000-memory.dmp family_quasar -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1996 schtasks.exe 5772 schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"1⤵PID:664
-
C:\Users\Admin\AppData\Roaming\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Security.exe"2⤵PID:1948
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:1996
-
-
C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe"3⤵PID:2512
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:5772
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵PID:4520
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵PID:5336
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵PID:3220
-
-
-
-
C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"2⤵PID:2676
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.3MB
MD5ff1d737b2fc98d95286ff7b3a60398ac
SHA16b0534f50e7ff18dd560d63577ce6d3b4aeef920
SHA2566c164f752c05a9ecfd49bb1ee95d41a32506b55598968fe2049f9f98d76ab342
SHA5127dff7ddbab978504383dea55e79206bf81ae64a52863351925af306f13ea0d95e4acd9f7ff295747d82d4e6e7c6f9a062bc2864cb90f71a71c45a067fdf62456
-
Filesize
448KB
MD5d6f3aa7f5a5a24108b03aa05f63c5b45
SHA1598fa1c97916171f354a5b1b282205d9deeb7bf5
SHA25618aacee9707f468ec55101a81e2acd7886c14ec52144839472f5cf8c4d409134
SHA5127e009f48c26c9b0b1b03531d232041392164fee64025692f173f648d02fc511dcf05a8c91c69ac38f1b3e35a12b7fad98c2284d163d469c436b7947016e76738
-
Filesize
1.5MB
MD57c05cfbc906e9a9233cc02699f98f69f
SHA105715bf9dc07eea578e330b084b900f118d799de
SHA2567f0a68f3c73c980b16e04ac8ae43524ab8d83aabc0486b0a8335bb2224b13053
SHA512ba243ba1a00accaacfbbbf63b317fd938b7c24399d2cea8c2a5546ff53eb29b1ba183a21f4cd36062fc901474d15265b658d97f1efabd49fd239bbd2722b5fa2
-
Filesize
534KB
MD5deb0b7c057e00267baf93d2be0fd5e9f
SHA10938426efa7763dde948ce903b46bc88c7f8bf04
SHA256401d7686d9400875f1ee068006e7142c1bdc1108d4ddb3113924dddb312be7d5
SHA512e9d5986b49339fb99703d34743fec5a6522e4c2d05a81a818d58c9f15a1144d338058ebdb3076f5a683cd5bf03d01ac50156f2063450d4955f7cf854b2d1869e