Analysis
-
max time kernel
166s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 15:40
General
-
Target
newResultprot.exe
-
Size
3.3MB
-
MD5
3ee4cc4a7fe52761e3cb486a6c2d8e3e
-
SHA1
c96c9bcdcc57cfc497f4b831398145b307c42b73
-
SHA256
ece849a1ae5c71db8aaac5ad98d2022e05448083120ff3f1f758c2c020d1d03e
-
SHA512
848e1a6dde72c3e3bdecdfb9bbe8e8e9d126fed1996a95b0294f18aee19f23c61a0d8a8947294a3a01f587edf37a59df11ce249611effd54832cbad940398515
-
SSDEEP
98304:F49p/IqTL48s8QLbr4jYgc3TZyd2H+L05kJj9878I:Fm5xzgLQjYg6NsvrGQ
Malware Config
Extracted
orcus
Isehaaa
graphics-absorption.at.ply.gg:34218
0dae1eed35bd43dc93a1d73544aa5ccf
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
C:\Program Files\Java\jdk-19\lib\javaw.exe
-
reconnect_delay
10000
-
registry_keyname
javaww
-
taskscheduler_taskname
javawww
-
watchdog_path
Temp\Runtime Broker.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload 5 IoCs
-
Orcurs Rat Executable 7 IoCs
-
Executes dropped EXE 8 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\newResultprot.exe"C:\Users\Admin\AppData\Local\Temp\newResultprot.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\javaw.exe"C:\Users\Admin\AppData\Local\Temp\javaw.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jk1bengw.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC365.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC364.tmp"4⤵
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Program Files\Java\jdk-19\lib\javaw.exe"C:\Program Files\Java\jdk-19\lib\javaw.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /launchSelfAndExit "C:\Program Files\Java\jdk-19\lib\javaw.exe" 544 /protectFile4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" /watchProcess "C:\Program Files\Java\jdk-19\lib\javaw.exe" 544 "/protectFile"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\Java\jdk-19\lib\javaw.exe"C:\Program Files\Java\jdk-19\lib\javaw.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
938KB
MD563e784f82ebd4a7daa66c3478970f36b
SHA1f319bcf48e9f647fc79aa084de027228444966e6
SHA256282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51
SHA512d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df
-
Filesize
938KB
MD563e784f82ebd4a7daa66c3478970f36b
SHA1f319bcf48e9f647fc79aa084de027228444966e6
SHA256282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51
SHA512d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df
-
Filesize
938KB
MD563e784f82ebd4a7daa66c3478970f36b
SHA1f319bcf48e9f647fc79aa084de027228444966e6
SHA256282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51
SHA512d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
1KB
MD530f4e9d46684863ee55f45af63e128dd
SHA14cc7d6bb3409349e88c4503392f8ac04e5b5d9ca
SHA256ca1f21445440280ef4c3ba5c36df81fa978a8d7ec42165cf081314a70e60b24a
SHA512b41fd184d188b013a7257eedc15ea29d6bbf1ca1823c0d6f21b13f9ca0827d46997c4c0edf10a9ef8140428e65dba716cb339e042dd1959318eb09be28d4ffdf
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
1.5MB
MD5e9124859247c5c5cae6190c03fa36cb7
SHA1c2d39eee48cb315cae5e3d038b1db2a6ec909bd6
SHA2560106f2d291f51aabb8f97cb63bf1be337616018c7788faefc64b609dff3a5a33
SHA51253fee718152c51c276ea468943eeea9b61c1f14c420b054af914b3500375998cfc556b29eec518a14556e0cc77bfd4221ef7448bbbcedacce4f8cce5949a8683
-
Filesize
1.5MB
MD5e9124859247c5c5cae6190c03fa36cb7
SHA1c2d39eee48cb315cae5e3d038b1db2a6ec909bd6
SHA2560106f2d291f51aabb8f97cb63bf1be337616018c7788faefc64b609dff3a5a33
SHA51253fee718152c51c276ea468943eeea9b61c1f14c420b054af914b3500375998cfc556b29eec518a14556e0cc77bfd4221ef7448bbbcedacce4f8cce5949a8683
-
Filesize
1KB
MD5f62f19b74508ea7b9c88c5bf77d9ed59
SHA1a3095d07f2c0aea0b37ec89bedccd2110c924f07
SHA2565f5271b88cb08c109c1160acb43485aa5b504b759c8b924fd8ef864bdac7a832
SHA5120dc0765825df4e73430ae5762e3e49bfbe80dbe24705499fa56581422105fa4979e6e17ad12e49e5b15a5bab1a53ada258f2d0e12902c8807d545c933cbcbdf5
-
Filesize
938KB
MD563e784f82ebd4a7daa66c3478970f36b
SHA1f319bcf48e9f647fc79aa084de027228444966e6
SHA256282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51
SHA512d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df
-
Filesize
938KB
MD563e784f82ebd4a7daa66c3478970f36b
SHA1f319bcf48e9f647fc79aa084de027228444966e6
SHA256282679b3e43b8c5be4671268eb8808c72f987e1977ef685a21ff7b230dab9b51
SHA512d3ab5b2699c2fb955bda21de2e7715478ea5498c650c3219585ab623bec957da7e5398cb0d9a52a8fe021053e157a615e1d5e575ce514a140e10b565bb72a9df
-
Filesize
76KB
MD5242ca9a3abd478d45c0164a5733c7db3
SHA1bdb110fff50ef50869a4aa097fc727f7d893ef2f
SHA256dde792457bb429082e4b60665f06bbfe29cdd1bf8d63053a905d8926143eb3eb
SHA512c50787bfec380627f764ad025b7c6d4e6eadbd8daae1c9e013f7470bd05c48c536be2928a70caa125c79bdb500ed79367f567af53a45a4fd9f8fbf923255d285
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
676B
MD593178636a24d9a855a8cbdddc874fbed
SHA104c55aca5ea32a25e1adda89b1e230d07c1942fc
SHA256c88e096fc0a27d1c817227739fba67f43df2fbc1283bceb335b0feaeecbdcb2b
SHA512d0fa32dd5d2fd77ad16472dcf2241991d6ffb8351b15e306fe5a9e98980a8d84b7ae258d43624253a91b5fe80c106929e5b72d0aecaad095dee4feb64933eea1
-
Filesize
208KB
MD5492e06e3f1bfa5fa2239724b5a337c8b
SHA1a83dff9bbf8b0cbe4d1b6360e70f69d1df385dfa
SHA2564495a3d45e6a24836a9da8142e431b9cc3600cd6b3aedf328eb4ffea27e84340
SHA512faa25d3e5d8cb93fac955447b670bc1b905e3d2132039e92c18394cbafa718b5a162b612ccc7c4c4124d3950bfa0706f925e9ab1bda1e0c318f2d85527955d53
-
Filesize
349B
MD50f02ca4f74bfb6c6fe4a96906c535de8
SHA170295356b3d5f39613a2e23b7dc19a3b80db7360
SHA256270c9e9f9998f37b2b52a18df1d299e73853dd90c66840b4dfbf86476eb36cbd
SHA512db1e76096693e45d4cd4b163923de2d456d621af201ae61a9430517289395c66a5975830552dd914c20d7c392f6da3b99ccf470c016b9e9b38a7bb1e79b0a689
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
960KB
-
Filesize
10.8MB
-
-
Filesize
10.8MB
-
Filesize
1.8MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
-
-
-
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.0MB
-
Filesize
32KB
-
-
-
-
-
-
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
10.8MB
-
Filesize
48KB
-
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
1.5MB
-
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
20KB
-
Filesize
20KB
-
-
Filesize
10.2MB
-