Analysis
-
max time kernel
29s -
max time network
31s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
16-05-2024 17:48
Behavioral task
behavioral1
Sample
Oski Cracked.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Oski Cracked.exe
Resource
win7-20240508-en
Behavioral task
behavioral3
Sample
Oski Cracked.exe
Resource
win10v2004-20240426-en
General
-
Target
Oski Cracked.exe
-
Size
4.5MB
-
MD5
a52baa5b64635eec7c7b888bff016aac
-
SHA1
a86b895b483df3c657553f498ebcd9c97b89415f
-
SHA256
cd986b32c220cc04c9feb5e42a393fb34efc884d176e6d8d266e54ac4840cfa3
-
SHA512
bed140ed03ed4b5da82edf1139eced7c84a56fe75f5a8926002414ed0b8f25fbb6cbf9e3111ff6d9b5d942382be331a674f17cf10b2150f171f32276ad4b3980
-
SSDEEP
98304:iJCbuSMburCaMZh0yEKj+WRvrY1dcZ048HV/bFy8jJ7APB:8mMbuQZlFY7KsZPNA
Malware Config
Extracted
quasar
2.1.0.0
VILVA V3
67.213.221.18:7812
VNM_MUTEX_DR6NAzaayWgRGuLNpp
-
encryption_key
izGdDJVzqIzRDlXcooB4
-
install_name
Windows Defender Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Service
-
subdirectory
WindowsDir
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral4/files/0x000600000002a8ab-7.dat disable_win_def behavioral4/memory/3908-23-0x0000000000010000-0x000000000009C000-memory.dmp disable_win_def -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Windows Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Windows Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Windows Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" Windows Security.exe -
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Quasar payload 2 IoCs
resource yara_rule behavioral4/files/0x000600000002a8ab-7.dat family_quasar behavioral4/memory/3908-23-0x0000000000010000-0x000000000009C000-memory.dmp family_quasar -
Executes dropped EXE 3 IoCs
pid Process 3908 Windows Security.exe 2380 Oski Cracked.exe 3700 Windows Defender Security.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features Windows Security.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" Windows Security.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2636 schtasks.exe 3600 schtasks.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1444 PING.EXE -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 2544 powershell.exe 2544 powershell.exe 3908 Windows Security.exe 3908 Windows Security.exe 3908 Windows Security.exe 3908 Windows Security.exe 3908 Windows Security.exe 3908 Windows Security.exe 3908 Windows Security.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3908 Windows Security.exe Token: SeDebugPrivilege 2544 powershell.exe Token: SeDebugPrivilege 3700 Windows Defender Security.exe Token: SeDebugPrivilege 3700 Windows Defender Security.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3700 Windows Defender Security.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2732 wrote to memory of 3908 2732 Oski Cracked.exe 78 PID 2732 wrote to memory of 3908 2732 Oski Cracked.exe 78 PID 2732 wrote to memory of 3908 2732 Oski Cracked.exe 78 PID 2732 wrote to memory of 2380 2732 Oski Cracked.exe 79 PID 2732 wrote to memory of 2380 2732 Oski Cracked.exe 79 PID 3908 wrote to memory of 2636 3908 Windows Security.exe 81 PID 3908 wrote to memory of 2636 3908 Windows Security.exe 81 PID 3908 wrote to memory of 2636 3908 Windows Security.exe 81 PID 3908 wrote to memory of 3700 3908 Windows Security.exe 83 PID 3908 wrote to memory of 3700 3908 Windows Security.exe 83 PID 3908 wrote to memory of 3700 3908 Windows Security.exe 83 PID 3908 wrote to memory of 2544 3908 Windows Security.exe 84 PID 3908 wrote to memory of 2544 3908 Windows Security.exe 84 PID 3908 wrote to memory of 2544 3908 Windows Security.exe 84 PID 3700 wrote to memory of 3600 3700 Windows Defender Security.exe 86 PID 3700 wrote to memory of 3600 3700 Windows Defender Security.exe 86 PID 3700 wrote to memory of 3600 3700 Windows Defender Security.exe 86 PID 3908 wrote to memory of 3336 3908 Windows Security.exe 88 PID 3908 wrote to memory of 3336 3908 Windows Security.exe 88 PID 3908 wrote to memory of 3336 3908 Windows Security.exe 88 PID 3336 wrote to memory of 3132 3336 cmd.exe 90 PID 3336 wrote to memory of 3132 3336 cmd.exe 90 PID 3336 wrote to memory of 3132 3336 cmd.exe 90 PID 3908 wrote to memory of 424 3908 Windows Security.exe 91 PID 3908 wrote to memory of 424 3908 Windows Security.exe 91 PID 3908 wrote to memory of 424 3908 Windows Security.exe 91 PID 424 wrote to memory of 1472 424 cmd.exe 93 PID 424 wrote to memory of 1472 424 cmd.exe 93 PID 424 wrote to memory of 1472 424 cmd.exe 93 PID 424 wrote to memory of 1444 424 cmd.exe 94 PID 424 wrote to memory of 1444 424 cmd.exe 94 PID 424 wrote to memory of 1444 424 cmd.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Users\Admin\AppData\Roaming\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Security.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:2636
-
-
C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:3600
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
PID:3336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵PID:3132
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIbRP2Lt18p3.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:424 -
C:\Windows\SysWOW64\chcp.comchcp 650014⤵PID:1472
-
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
PID:1444
-
-
-
-
C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"2⤵
- Executes dropped EXE
PID:2380
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
210B
MD5328a970a3f96203abd421155b31d6cf9
SHA1d9c26b7a9860d863878ea1523dd24dc327e1bacd
SHA2569b02ecf138bac892f91ed13d5d34355e7eb475e584827925927a6256a65c38b2
SHA51213aa5d4353fd8253fcf741f280692012b6673b8f5fcd204165c053cd9afd9194f0ee49431d3cfdaadf2092db4422f620f9cb5bc7e41b958acc797b0ed897f680
-
Filesize
3.9MB
MD52bd0e61c45d352697c5e16437d8055b0
SHA10b9b24d396a50c2dc13d73e1f2d57c1891de3f31
SHA25671efc8fc1dede4f96e837043ad3cbd38a65bd530ce71ae4d44ddc29843fab70b
SHA51280044d4ece73637328e9b456c3127be02ecc9cea4b12fee65a884fed0266187aec58e6906c652face3b6125d59b9fa10303f02e1d8bfa33dbccb62fd2bc2b73d
-
Filesize
534KB
MD5deb0b7c057e00267baf93d2be0fd5e9f
SHA10938426efa7763dde948ce903b46bc88c7f8bf04
SHA256401d7686d9400875f1ee068006e7142c1bdc1108d4ddb3113924dddb312be7d5
SHA512e9d5986b49339fb99703d34743fec5a6522e4c2d05a81a818d58c9f15a1144d338058ebdb3076f5a683cd5bf03d01ac50156f2063450d4955f7cf854b2d1869e