Analysis
-
max time kernel
29s -
max time network
31s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
16-05-2024 17:48
General
-
Target
Oski Cracked.exe
-
Size
4.5MB
-
MD5
a52baa5b64635eec7c7b888bff016aac
-
SHA1
a86b895b483df3c657553f498ebcd9c97b89415f
-
SHA256
cd986b32c220cc04c9feb5e42a393fb34efc884d176e6d8d266e54ac4840cfa3
-
SHA512
bed140ed03ed4b5da82edf1139eced7c84a56fe75f5a8926002414ed0b8f25fbb6cbf9e3111ff6d9b5d942382be331a674f17cf10b2150f171f32276ad4b3980
-
SSDEEP
98304:iJCbuSMburCaMZh0yEKj+WRvrY1dcZ048HV/bFy8jJ7APB:8mMbuQZlFY7KsZPNA
Malware Config
Extracted
quasar
2.1.0.0
VILVA V3
67.213.221.18:7812
VNM_MUTEX_DR6NAzaayWgRGuLNpp
-
encryption_key
izGdDJVzqIzRDlXcooB4
-
install_name
Windows Defender Security.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Service
-
subdirectory
WindowsDir
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"C:\Users\Admin\AppData\Local\Temp\Oski Cracked.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Security.exe"C:\Users\Admin\AppData\Roaming\Windows Security.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe"C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsDir\Windows Defender Security.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIbRP2Lt18p3.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"C:\Users\Admin\AppData\Roaming\Oski Cracked.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
210B
MD5328a970a3f96203abd421155b31d6cf9
SHA1d9c26b7a9860d863878ea1523dd24dc327e1bacd
SHA2569b02ecf138bac892f91ed13d5d34355e7eb475e584827925927a6256a65c38b2
SHA51213aa5d4353fd8253fcf741f280692012b6673b8f5fcd204165c053cd9afd9194f0ee49431d3cfdaadf2092db4422f620f9cb5bc7e41b958acc797b0ed897f680
-
Filesize
3.9MB
MD52bd0e61c45d352697c5e16437d8055b0
SHA10b9b24d396a50c2dc13d73e1f2d57c1891de3f31
SHA25671efc8fc1dede4f96e837043ad3cbd38a65bd530ce71ae4d44ddc29843fab70b
SHA51280044d4ece73637328e9b456c3127be02ecc9cea4b12fee65a884fed0266187aec58e6906c652face3b6125d59b9fa10303f02e1d8bfa33dbccb62fd2bc2b73d
-
Filesize
534KB
MD5deb0b7c057e00267baf93d2be0fd5e9f
SHA10938426efa7763dde948ce903b46bc88c7f8bf04
SHA256401d7686d9400875f1ee068006e7142c1bdc1108d4ddb3113924dddb312be7d5
SHA512e9d5986b49339fb99703d34743fec5a6522e4c2d05a81a818d58c9f15a1144d338058ebdb3076f5a683cd5bf03d01ac50156f2063450d4955f7cf854b2d1869e
-
Filesize
756KB
-
Filesize
4.0MB
-
Filesize
756KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4.1MB
-
Filesize
600KB
-
Filesize
656KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
84KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
56KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
208KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
560KB