99eb970e991c74b627ba2a014261f25c53b8b20be13730f51d4cc71241f2af13

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2022, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bot.exe
Size

6.1MB
MD5

e10a1e21b6963cbe61ef7319b5bedfbc
SHA1

c4c2bf98bbbb4fc4992e089a3b392e4fb866c7d5
SHA256

99eb970e991c74b627ba2a014261f25c53b8b20be13730f51d4cc71241f2af13
SHA512

6a611ad3817c6c972765d4b6cca2a0afb9e74f3bceeddbec13dd3e85256b9008d3e69a8174b096287a14c018ed8285a8247308bb6cd9720bb7b5667240620cfe
SSDEEP

196608:JyeOo5JG/XujQOpUgUBUDOT+OP+Tx+4TG/X:JyeOo5JG/ujOlzJq+B

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4448	orion.exe
4244	orion.exe
1932	orion.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
552	powershell.exe
552	powershell.exe
440	powershell.exe
440	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	powershell.exe
Token: SeIncreaseQuotaPrivilege	552	powershell.exe
Token: SeSecurityPrivilege	552	powershell.exe
Token: SeTakeOwnershipPrivilege	552	powershell.exe
Token: SeLoadDriverPrivilege	552	powershell.exe
Token: SeSystemProfilePrivilege	552	powershell.exe
Token: SeSystemtimePrivilege	552	powershell.exe
Token: SeProfSingleProcessPrivilege	552	powershell.exe
Token: SeIncBasePriorityPrivilege	552	powershell.exe
Token: SeCreatePagefilePrivilege	552	powershell.exe
Token: SeBackupPrivilege	552	powershell.exe
Token: SeRestorePrivilege	552	powershell.exe
Token: SeShutdownPrivilege	552	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeSystemEnvironmentPrivilege	552	powershell.exe
Token: SeRemoteShutdownPrivilege	552	powershell.exe
Token: SeUndockPrivilege	552	powershell.exe
Token: SeManageVolumePrivilege	552	powershell.exe
Token: 33	552	powershell.exe
Token: 34	552	powershell.exe
Token: 35	552	powershell.exe
Token: 36	552	powershell.exe
Token: SeIncreaseQuotaPrivilege	552	powershell.exe
Token: SeSecurityPrivilege	552	powershell.exe
Token: SeTakeOwnershipPrivilege	552	powershell.exe
Token: SeLoadDriverPrivilege	552	powershell.exe
Token: SeSystemProfilePrivilege	552	powershell.exe
Token: SeSystemtimePrivilege	552	powershell.exe
Token: SeProfSingleProcessPrivilege	552	powershell.exe
Token: SeIncBasePriorityPrivilege	552	powershell.exe
Token: SeCreatePagefilePrivilege	552	powershell.exe
Token: SeBackupPrivilege	552	powershell.exe
Token: SeRestorePrivilege	552	powershell.exe
Token: SeShutdownPrivilege	552	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeSystemEnvironmentPrivilege	552	powershell.exe
Token: SeRemoteShutdownPrivilege	552	powershell.exe
Token: SeUndockPrivilege	552	powershell.exe
Token: SeManageVolumePrivilege	552	powershell.exe
Token: 33	552	powershell.exe
Token: 34	552	powershell.exe
Token: 35	552	powershell.exe
Token: 36	552	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeIncreaseQuotaPrivilege	440	powershell.exe
Token: SeSecurityPrivilege	440	powershell.exe
Token: SeTakeOwnershipPrivilege	440	powershell.exe
Token: SeLoadDriverPrivilege	440	powershell.exe
Token: SeSystemProfilePrivilege	440	powershell.exe
Token: SeSystemtimePrivilege	440	powershell.exe
Token: SeProfSingleProcessPrivilege	440	powershell.exe
Token: SeIncBasePriorityPrivilege	440	powershell.exe
Token: SeCreatePagefilePrivilege	440	powershell.exe
Token: SeBackupPrivilege	440	powershell.exe
Token: SeRestorePrivilege	440	powershell.exe
Token: SeShutdownPrivilege	440	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeSystemEnvironmentPrivilege	440	powershell.exe
Token: SeRemoteShutdownPrivilege	440	powershell.exe
Token: SeUndockPrivilege	440	powershell.exe
Token: SeManageVolumePrivilege	440	powershell.exe
Token: 33	440	powershell.exe
Token: 34	440	powershell.exe
Token: 35	440	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 552	2400	Bot.exe	82
PID 2400 wrote to memory of 552	2400	Bot.exe	82
PID 2400 wrote to memory of 552	2400	Bot.exe	82
PID 2400 wrote to memory of 440	2400	Bot.exe	85
PID 2400 wrote to memory of 440	2400	Bot.exe	85
PID 2400 wrote to memory of 440	2400	Bot.exe	85
PID 2400 wrote to memory of 4448	2400	Bot.exe	87
PID 2400 wrote to memory of 4448	2400	Bot.exe	87
PID 2400 wrote to memory of 4448	2400	Bot.exe	87

C:\Users\Admin\AppData\Local\Temp\Bot.exe
"C:\Users\Admin\AppData\Local\Temp\Bot.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Orion\orion.exe' -Argument '/startup' -WorkingDirectory 'C:\Users\Admin\AppData\Roaming\Orion\'; $Trigger = New-ScheduledTaskTrigger -Logon; $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -Hidden -StartWhenAvailable; Register-ScheduledTask -TaskName 'JavaInvoker' -Action $Action -Trigger $Trigger -Settings $Settings -Description 'Java Interface Invoker'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Orion\orion.exe' -Argument '/persistence' -WorkingDirectory 'C:\Users\Admin\AppData\Roaming\Orion\'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1); $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -Hidden -StartWhenAvailable; Register-ScheduledTask -TaskName 'JDebug' -Action $Action -Trigger $Trigger -Settings $Settings -Description 'Java Interface Invoker'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:440
- C:\Users\Admin\AppData\Roaming\Orion\orion.exe
  C:\Users\Admin\AppData\Roaming\Orion\orion.exe /wait
  2⤵
  - Executes dropped EXE
  PID:4448

C:\Users\Admin\AppData\Roaming\Orion\orion.exe
C:\Users\Admin\AppData\Roaming\Orion\orion.exe /persistence
1⤵
- Executes dropped EXE
PID:4244

C:\Users\Admin\AppData\Roaming\Orion\orion.exe
C:\Users\Admin\AppData\Roaming\Orion\orion.exe /persistence
1⤵
- Executes dropped EXE
PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
5f808fb0989208ed7881de8c0c2c0f04

SHA1
a97918b503c454e3891614a312c878e252c9f648

SHA256
ab7e746162e07b8fd410aa2e17044c1b69e6b2f9f277fda0913ed50443465de1

SHA512
75f1a0bdf34d0347c036c65939b0ab230af397ec790947fabbb89a8091a5d8ff79a251fbeb1ef13523b3920ef66e9e068eb3e0b7ad25c4deab8ee5d1f8fdcdbc

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\Config.ini

Filesize
435B

MD5
794c0116caaf8d83087ef038c12851ab

SHA1
49c7108ee033927a24bc248a5f9ff208f096333c

SHA256
d276ed3531fb044fc88d057f64d2c838a88215e57526a12ac0dc266054c17424

SHA512
9c273f7d8d56b7c1c0888bf80f152c2a49258358020491458abe443a1f4041cd909a7238d4a2dc0477e512f4be703252b16c1091ef02fdb88ba4ca5f6848494c

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\orion.exe

Filesize
6.1MB

MD5
e10a1e21b6963cbe61ef7319b5bedfbc

SHA1
c4c2bf98bbbb4fc4992e089a3b392e4fb866c7d5

SHA256
99eb970e991c74b627ba2a014261f25c53b8b20be13730f51d4cc71241f2af13

SHA512
6a611ad3817c6c972765d4b6cca2a0afb9e74f3bceeddbec13dd3e85256b9008d3e69a8174b096287a14c018ed8285a8247308bb6cd9720bb7b5667240620cfe

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\orion.exe

Filesize
6.1MB

MD5
e10a1e21b6963cbe61ef7319b5bedfbc

SHA1
c4c2bf98bbbb4fc4992e089a3b392e4fb866c7d5

SHA256
99eb970e991c74b627ba2a014261f25c53b8b20be13730f51d4cc71241f2af13

SHA512
6a611ad3817c6c972765d4b6cca2a0afb9e74f3bceeddbec13dd3e85256b9008d3e69a8174b096287a14c018ed8285a8247308bb6cd9720bb7b5667240620cfe

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\orion.exe

Filesize
6.1MB

MD5
e10a1e21b6963cbe61ef7319b5bedfbc

SHA1
c4c2bf98bbbb4fc4992e089a3b392e4fb866c7d5

SHA256
99eb970e991c74b627ba2a014261f25c53b8b20be13730f51d4cc71241f2af13

SHA512
6a611ad3817c6c972765d4b6cca2a0afb9e74f3bceeddbec13dd3e85256b9008d3e69a8174b096287a14c018ed8285a8247308bb6cd9720bb7b5667240620cfe

Download Submit
C:\Users\Admin\AppData\Roaming\Orion\orion.exe

Filesize
6.1MB

MD5
e10a1e21b6963cbe61ef7319b5bedfbc

SHA1
c4c2bf98bbbb4fc4992e089a3b392e4fb866c7d5

SHA256
99eb970e991c74b627ba2a014261f25c53b8b20be13730f51d4cc71241f2af13

SHA512
6a611ad3817c6c972765d4b6cca2a0afb9e74f3bceeddbec13dd3e85256b9008d3e69a8174b096287a14c018ed8285a8247308bb6cd9720bb7b5667240620cfe

Download Submit
memory/440-149-0x0000000070530000-0x000000007057C000-memory.dmp

Filesize
304KB

Download
memory/552-144-0x0000000007B10000-0x0000000007B1A000-memory.dmp

Filesize
40KB

Download
memory/552-139-0x0000000007970000-0x00000000079A2000-memory.dmp

Filesize
200KB

Download
memory/552-143-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/552-145-0x0000000007D40000-0x0000000007DD6000-memory.dmp

Filesize
600KB

Download
memory/552-141-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/552-140-0x0000000070530000-0x000000007057C000-memory.dmp

Filesize
304KB

Download
memory/552-142-0x00000000080E0000-0x000000000875A000-memory.dmp

Filesize
6.5MB

Download
memory/552-138-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/552-133-0x00000000031A0000-0x00000000031D6000-memory.dmp

Filesize
216KB

Download
memory/552-137-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/552-136-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/552-135-0x00000000058B0000-0x00000000058D2000-memory.dmp

Filesize
136KB

Download
memory/552-134-0x0000000005B20000-0x0000000006148000-memory.dmp

Filesize
6.2MB

Download