a414cc326daca6def7eaada6cdb8c71be4823b7fba11025d6c81b79bfe65b261

Analysis

max time kernel
153s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

orochi_z_tc.exe
Size

1.2MB
MD5

e23af09fed6f9f9f4ec56745c0efaf8f
SHA1

d46ee9d475cba5a2fbac953c6cf912ff3ddb92b0
SHA256

42d20add87d1953f29779cf38bcba3e6f8efe43c8f39668ff6e0de5d88de9e0d
SHA512

e7ed47575ae7bfe0570e0c3a17b9194fbc10a820647f0c63ed2a92879c76208a5475e142e8d1cbfc5edd4764162b7e92c7665c8d932d1f72ba96a79fd479ef3a
SSDEEP

24576:2WnjPwxVCwvO6q0yj+pyy0+OGZnOX91hYgGlVc+SWtoRRmW9GBSLur6:2ojIxVTmtxj+AGROnhBS++SWtoRR70Sd

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "3"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "4"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\LastTelemetryChangeStamp = "5"	svchost.exe

Modifies registry class 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4246620582-653642754-1174164128-1000\{3F51D70D-5AF8-48F5-87E4-05FD072EB61F}	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

orochi_z_tc.exe

pid process

4012 orochi_z_tc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

orochi_z_tc.exeOpenWith.exe

pid process

4012 orochi_z_tc.exe
2040 OpenWith.exe

pid	process
4012	orochi_z_tc.exe

pid	process
4012	orochi_z_tc.exe
2040	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\orochi_z_tc.exe
"C:\Users\Admin\AppData\Local\Temp\orochi_z_tc.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:1360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:5036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc
1⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4012-133-0x0000000000400000-0x000000000154D000-memory.dmp

Filesize
17.3MB

Download
memory/4012-132-0x0000000000400000-0x000000000154D000-memory.dmp

Filesize
17.3MB

Download
memory/4012-134-0x0000000000400000-0x000000000154D000-memory.dmp

Filesize
17.3MB

Download
memory/4012-135-0x0000000001632000-0x0000000001637000-memory.dmp

Filesize
20KB

Download
memory/4012-138-0x0000000001632000-0x0000000001637000-memory.dmp

Filesize
20KB

Download
memory/4012-137-0x0000000001632000-0x0000000001637000-memory.dmp

Filesize
20KB

Download
memory/4012-136-0x0000000001632000-0x0000000001637000-memory.dmp

Filesize
20KB

Download
memory/4012-139-0x0000000001690000-0x00000000016AE000-memory.dmp

Filesize
120KB

Download
memory/4012-140-0x0000000001690000-0x00000000016AE000-memory.dmp

Filesize
120KB

Download
memory/4012-141-0x0000000001690000-0x00000000016AE000-memory.dmp

Filesize
120KB

Download
memory/4012-142-0x0000000001690000-0x00000000016AE000-memory.dmp

Filesize
120KB

Download
memory/4012-143-0x0000000000400000-0x000000000154D000-memory.dmp

Filesize
17.3MB

Download