Analysis

max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-02-2023 20:21
Behavioral task

behavioral1
Sample: 0x0009000000014b5d-74.exe
Resource: win7-20220812-en
General

Target: 0x0009000000014b5d-74.exe
Size: 3.0MB
MD5: fd560527411b6fc1dec327027f1b6a51
SHA1: 056c4273219177194fa2d4c7cd308470391a4c53
SHA256: 4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61
SHA512: ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988
SSDEEP: 49152:Jsa3PHJZKMvup/RGA1Ub/6U3bFaAypQxbzkso9JnCmaukrrzI0AilFCvxHI:JjGUu1D1Uj6UnypSbzPo9JCm
Malware Config

Extracted

Family: orcus
Botnet: Sln
C2: 193.138.195.211:10134
Mutex: eaf050d367294b239fe7db992d6ea4d7

Attributes:
- autostart_method: Registry
- enable_keylogger: false
- install_path: %programfiles%\svchost.exe
- reconnect_delay: 10000
- registry_keyname: svchost
- taskscheduler_taskname: svc host
- watchdog_path: AppData\svchost.exe

The payload is a 32-bit .NET process (its child processes are spawned from C:\Windows\SysWOW64 and the CLR writes its usage log under CLR_v4.0_32), so under WOW64 %programfiles% expands to C:\Program Files (x86); that is why the observed install path is C:\Program Files (x86)\svchost.exe rather than C:\Program Files\svchost.exe. The config names both a Run key and a scheduled task ("svc host"), but the signatures in this run record only the Run key being set.
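The following is an added example, not part of this sandbox report and not Orcus or Triage code: a read-only PowerShell hunt for the host artifacts that the extracted config and the hashes on this page imply. Paths, value names, the task name, the C2 address and the SHA-256 values are taken from this page; the function name Add-Finding and the $KnownBad table are ours. Run it elevated on the host under investigation.

```powershell
# Added example, not part of the sandbox report: read-only hunt for the host
# artifacts implied by the extracted Orcus config above. Nothing is removed.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. install_path, watchdog_path and the dropped helper. A genuine svchost.exe
#    lives only in System32 / SysWOW64; one under Program Files or AppData is
#    never legitimate. %programfiles% of a 32-bit process is "Program Files (x86)".
$Roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:APPDATA) | Where-Object { $_ }
$Paths = @(foreach ($r in $Roots) { Join-Path $r 'svchost.exe' })
$Paths += Join-Path $env:SystemRoot 'SysWOW64\WindowsInput.exe'

# SHA-256 values from the Downloads table of this report
$KnownBad = @{
    '4B632CCDD041DEF4ECBAF20F41033EBCD8317AD696CCC66DE1544868F1D7FB61' = 'Orcus main payload'
    'E0B4B9FB56AF1BAB31BB2150352FA7335FD80CDE7E67A53E30D983769D4802EA' = 'Orcus watchdog'
    '4C4490B91BD263BCE6232DB74E4F86B1E5EA66B7954C4D28B694217AA871B5A3' = 'WindowsInput.exe helper'
}
foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    $label = if ($KnownBad.ContainsKey($h)) { $KnownBad[$h] } else { 'not in this report; still a suspicious location' }
    Add-Finding 'file' "$p  sha256=$h  ($label)"
}

# 2. autostart_method=Registry, registry_keyname=svchost -> Run value named "svchost"
foreach ($hive in 'HKCU', 'HKLM') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $run -Name 'svchost' -ErrorAction SilentlyContinue
    if ($v) { Add-Finding 'runkey' "$run\svchost = $($v.svchost)" }
}

# 3. taskscheduler_taskname="svc host" (in the config, not observed in this run)
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | Where-Object { $_.TaskName -eq 'svc host' } | ForEach-Object {
        Add-Finding 'task' "$($_.TaskPath)$($_.TaskName) -> $($_.Actions.Execute) $($_.Actions.Arguments)"
    }
}

# 4. Live connection to the configured C2 193.138.195.211:10134
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemoteAddress '193.138.195.211' -ErrorAction SilentlyContinue | ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Add-Finding 'c2' "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State) pid=$($_.OwningProcess) ($owner)"
    }
}

# 5. Any running svchost.exe whose image is outside System32 / SysWOW64
Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    if ($_.ExecutablePath -and $_.ExecutablePath -notmatch '^[A-Z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$') {
        Add-Finding 'process' "pid=$($_.ProcessId) $($_.CommandLine)"
    }
}

if ($Findings.Count -eq 0) { 'No artifacts from this report found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

The hash table is the high-confidence check; the location checks are the durable ones, because a rebuilt Orcus stub changes every hash but the config still points at %programfiles%\svchost.exe and AppData\svchost.exe.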
Signatures

Orcus main payload  3 IoCs
- C:\Program Files (x86)\svchost.exe  yara_rule: family_orcus  (3 matches)

Orcurs Rat Executable  4 IoCs
- behavioral2/memory/4160-132-0x0000000000C40000-0x0000000000F48000-memory.dmp  yara_rule: orcus
- C:\Program Files (x86)\svchost.exe  yara_rule: orcus  (3 matches)
Downloads MZ/PE file

Checks computer location settings  2 TTPs  3 IoCs
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  by 0x0009000000014b5d-74.exe, svchost.exe and svchost.exe (one query each)
Executes dropped EXE  6 IoCs
- 1928 WindowsInput.exe
- 4152 WindowsInput.exe
- 4088 svchost.exe
- 1268 svchost.exe
- 3836 svchost.exe
- 4100 svchost.exe

Loads dropped DLL  2 IoCs
- 4088 svchost.exe (2 loads; the only dropped DLL in this report is C:\Program Files (x86)\Ionic.Zip.dll)
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application  2 TTPs  1 IoC
- Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files (x86)\\svchost.exe\""  by svchost.exe

This is the autostart_method=Registry / registry_keyname=svchost entry from the config. The real svchost.exe is started by the service control manager from System32 (or SysWOW64) and never appears in a Run key, so a Run value named svchost pointing under Program Files is a clean detection on its own.
Looks up external IP address via web service  2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 11: ip-api.com
- flow 27: icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info. ip-api.com returns geolocation fields (country, region, city) together with the IP, so this and the previous signature can be triggered by the same request.
Drops file in System32 directory  3 IoCs
- File created: C:\Windows\SysWOW64\WindowsInput.exe  by 0x0009000000014b5d-74.exe
- File created: C:\Windows\SysWOW64\WindowsInput.exe.config  by 0x0009000000014b5d-74.exe
- File created: C:\Windows\SysWOW64\WindowsInput.InstallState  by WindowsInput.exe

The .InstallState file is the state file written by the .NET installer framework (InstallUtil / AssemblyInstaller), which matches the --install switch WindowsInput.exe is started with in the process tree.

Drops file in Program Files directory  4 IoCs
- File created: C:\Program Files (x86)\svchost.exe  by 0x0009000000014b5d-74.exe
- File opened for modification: C:\Program Files (x86)\svchost.exe  by 0x0009000000014b5d-74.exe
- File created: C:\Program Files (x86)\svchost.exe.config  by 0x0009000000014b5d-74.exe
- File created: C:\Program Files (x86)\Ionic.Zip.dll  by svchost.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour; on its own it is a weak signal, and nothing else in this report points to file encryption.
Checks processor information in registry  2 TTPs  2 IoCs
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0  by svchost.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  by svchost.exe
Suspicious behavior: EnumeratesProcesses  64 IoCs
- 64 process-enumeration events, all from PID 4088 svchost.exe (the main payload) and PID 4100 svchost.exe (the watchdog instance), interleaved
Suspicious use of AdjustPrivilegeToken  3 IoCs
- Token: SeDebugPrivilege  4088 svchost.exe
- Token: SeDebugPrivilege  3836 svchost.exe
- Token: SeDebugPrivilege  4100 svchost.exe
Suspicious use of WriteProcessMemory  32 IoCs
Parent PID / process -> target PID / process (number of write events):
- 4160 0x0009000000014b5d-74.exe -> 1928 WindowsInput.exe (2)
- 4160 0x0009000000014b5d-74.exe -> 4088 svchost.exe (3)
- 4088 svchost.exe -> 4228 cmd.exe (3)
- 4228 cmd.exe -> 3560 chcp.com (3)
- 4228 cmd.exe -> 3596 netsh.exe (3)
- 4228 cmd.exe -> 3156 findstr.exe (3)
- 4088 svchost.exe -> 3664 cmd.exe (3)
- 3664 cmd.exe -> 1512 chcp.com (3)
- 3664 cmd.exe -> 5024 netsh.exe (3)
- 4088 svchost.exe -> 3836 svchost.exe (3)
- 3836 svchost.exe -> 4100 svchost.exe (3)

Every write goes from a parent to a child it has just created and mirrors the process tree below; this is consistent with process start-up rather than injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\0x0009000000014b5d-74.exe  (PID 4160)
  "C:\Users\Admin\AppData\Local\Temp\0x0009000000014b5d-74.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsInput.exe  (PID 1928)
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    - Executes dropped EXE
    - Drops file in System32 directory

  C:\Program Files (x86)\svchost.exe  (PID 4088)
    "C:\Program Files (x86)\svchost.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 4228)
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com  (PID 3560)
        chcp 65001
      C:\Windows\SysWOW64\netsh.exe  (PID 3596)
        netsh wlan show profile
      C:\Windows\SysWOW64\findstr.exe  (PID 3156)
        findstr All

    C:\Windows\SysWOW64\cmd.exe  (PID 3664)
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\chcp.com  (PID 1512)
        chcp 65001
      C:\Windows\SysWOW64\netsh.exe  (PID 5024)
        netsh wlan show networks mode=bssid

    C:\Users\Admin\AppData\Roaming\svchost.exe  (PID 3836)
      "C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Program Files (x86)\svchost.exe" 4088 /protectFile
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\svchost.exe  (PID 4100)
        "C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Program Files (x86)\svchost.exe" 4088 "/protectFile"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WindowsInput.exe  (PID 4152)
  "C:\Windows\SysWOW64\WindowsInput.exe"
  - Executes dropped EXE

C:\Program Files (x86)\svchost.exe  (PID 1268)
  "C:\Program Files (x86)\svchost.exe"
  - Executes dropped EXE

Notes on the tree:
- PIDs come from the WriteProcessMemory table above; the two root-level processes with no recorded parent are given the remaining PIDs from the dropped-EXE list, 4152 (WindowsInput.exe) and 1268 (svchost.exe).
- Both cmd.exe children run chcp 65001 first, switching the console to UTF-8 so that netsh output parses the same way on any locale. "netsh wlan show profile | findstr All" keeps the "All User Profile" lines, i.e. the names of every saved Wi-Fi profile; "netsh wlan show networks mode=bssid" lists the access points in range with their BSSIDs and signal strength.
- The 9KB C:\Users\Admin\AppData\Roaming\svchost.exe is the watchdog named by watchdog_path in the config. The main payload (PID 4088) starts it with /launchSelfAndExit, and it re-launches itself with /watchProcess ... 4088 /protectFile to keep the main payload alive.
- All children are spawned from C:\Windows\SysWOW64, confirming a 32-bit (WOW64) parent.
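An added detection example, not part of this sandbox report and not Triage or Orcus code: a PowerShell hunt over process-creation telemetry for the patterns in the tree above (the chcp 65001 + netsh wlan chain, the watchdog switches, the WindowsInput.exe --install run, and an svchost.exe image outside System32/SysWOW64). It assumes Sysmon is installed (Event ID 1) or that Security 4688 auditing with command-line logging is enabled; the function names Find-OrcusProcessEvents and Get-EventField and the $Patterns table are ours. Command strings are taken from the tree; nothing is matched that the page does not show.

```powershell
# Added example, not part of the sandbox report: hunt Sysmon Event ID 1 and
# Security 4688 for the process-creation pattern seen in the Orcus process tree.

$Patterns = @(
    @{ Name = 'wifi-profile-dump';          Regex = 'netsh\s+wlan\s+show\s+profile' },
    @{ Name = 'wifi-bssid-scan';            Regex = 'netsh\s+wlan\s+show\s+networks\s+mode=bssid' },
    @{ Name = 'orcus-watchdog';             Regex = '/(launchSelfAndExit|watchProcess|protectFile)\b' },
    @{ Name = 'windowsinput-install';       Regex = 'WindowsInput\.exe"?\s+--install' },
    # svchost.exe launched from anywhere other than System32 / SysWOW64
    @{ Name = 'svchost-outside-system32';   Regex = '^"?(?![A-Z]:\\Windows\\(System32|SysWOW64)\\)[A-Z]:\\[^"]*\\svchost\.exe' }
)

# Pull one named EventData field out of an event, independent of log provider.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-OrcusProcessEvents([int]$MaxEvents = 5000) {
    # Field names differ between Sysmon and the Security log; map them here.
    $sources = @(
        @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    Cmd = 'CommandLine'; Img = 'Image';          Parent = 'ParentImage' },
        @{ Log = 'Security';                              Id = 4688; Cmd = 'CommandLine'; Img = 'NewProcessName'; Parent = 'ParentProcessName' }
    )
    foreach ($s in $sources) {
        # Missing log (no Sysmon) or missing privilege just yields no events.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $s.Log; Id = $s.Id } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $cmd = Get-EventField $e $s.Cmd
            if (-not $cmd) { continue }        # 4688 without command-line auditing
            foreach ($p in $Patterns) {
                if ($cmd -match $p.Regex) {
                    [pscustomobject]@{
                        Time    = $e.TimeCreated
                        Log     = $s.Log
                        Match   = $p.Name
                        Image   = Get-EventField $e $s.Img
                        Parent  = Get-EventField $e $s.Parent
                        Command = $cmd
                    }
                }
            }
        }
    }
}

Find-OrcusProcessEvents | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The netsh patterns fire on both the cmd.exe wrapper and the netsh.exe child, so expect two hits per harvest; correlate on the Parent column. The wifi-profile pattern is a strong but not exclusive signal (administrators occasionally run it by hand), whereas the watchdog switches and an svchost.exe image outside System32 have no benign use.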
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files (x86)\Ionic.Zip.dll
  Filesize: 451KB
  MD5: 6ded8fcbf5f1d9e422b327ca51625e24
  SHA1: 8a1140cebc39f6994eef7e8de4627fb7b72a2dd9
  SHA256: 3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd
  SHA512: bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

C:\Program Files (x86)\svchost.exe  (identical to the submitted sample)
  Filesize: 3.0MB
  MD5: fd560527411b6fc1dec327027f1b6a51
  SHA1: 056c4273219177194fa2d4c7cd308470391a4c53
  SHA256: 4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61
  SHA512: ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

C:\Program Files (x86)\svchost.exe.config
  Filesize: 349B
  MD5: 89817519e9e0b4e703f07e8c55247861
  SHA1: 4636de1f6c997a25c3190f73f46a3fd056238d78
  SHA256: f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
  SHA512: b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
  Filesize: 1KB
  MD5: 0672db2ef13237d5cb85075ff4915942
  SHA1: ad8b4d3eb5e40791c47d48b22e273486f25f663f
  SHA256: 0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519
  SHA512: 84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

C:\Users\Admin\AppData\Roaming\svchost.exe  (watchdog)
  Filesize: 9KB
  MD5: c95012f934b8bb6e1fb1bcb11cd9f2eb
  SHA1: c6a565d220ff45730639cf5ec15a97a8ffa88dad
  SHA256: e0b4b9fb56af1bab31bb2150352fa7335fd80cde7e67a53e30d983769d4802ea
  SHA512: bbd86d779af8981a80a87fff9517e3546e9e62bad5a69f76bbf28e608354c91aca3659dfd7df9b9a8223b1f3700796a85de09015454ac894771e7f9e17b89c18

C:\Users\Admin\AppData\Roaming\svchost.exe.config
  Filesize: 418B
  MD5: 47fb1af739ade4e938c8e6d2e504f4a4
  SHA1: b5c2786f406614105e488ee500858fc09365170d
  SHA256: 552fc8db5bd09828e3d73ad68b737efc7f91980d860effd0c68f7d329cf20a92
  SHA512: 67eb6bade5cca517ef0ba29197548e1d3df45fbad8cf2e407dbb3927c09f3da5008783348716f77311d3e2528f473651c3c8f59bb6cbea31050e39ae5fd09297

C:\Windows\SysWOW64\WindowsInput.exe
  Filesize: 21KB
  MD5: e1e29e723b9e1e50d31e316adab71499
  SHA1: 5dbc31fb31aba92814f7c6d7d38cbeec8b17c0b2
  SHA256: 4c4490b91bd263bce6232db74e4f86b1e5ea66b7954c4d28b694217aa871b5a3
  SHA512: de0f1c54b7b38e45e7194f35bf668a5387aed04b4d665affc4f0eeb18fa43f527c7f8b9eb57d175bd0418722e83caa188fa65fc6cebf2bec0a74435d1db3f7f3

C:\Windows\SysWOW64\WindowsInput.exe.config  (byte-identical to C:\Program Files (x86)\svchost.exe.config)
  Filesize: 349B
  MD5: 89817519e9e0b4e703f07e8c55247861
  SHA1: 4636de1f6c997a25c3190f73f46a3fd056238d78
  SHA256: f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
  SHA512: b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Memory dumps (path, size where the dump is a memory region rather than a mapping):
- memory/1512-163-0x0000000000000000-mapping.dmp
- memory/1928-143-0x00007FF83BBB0000-0x00007FF83C671000-memory.dmp  10.8MB
- memory/1928-136-0x0000000000000000-mapping.dmp
- memory/1928-140-0x0000000000AB0000-0x0000000000ABC000-memory.dmp  48KB
- memory/1928-141-0x0000000001200000-0x0000000001212000-memory.dmp  72KB
- memory/1928-142-0x0000000002B30000-0x0000000002B6C000-memory.dmp  240KB
- memory/3156-161-0x0000000000000000-mapping.dmp
- memory/3560-159-0x0000000000000000-mapping.dmp
- memory/3596-160-0x0000000000000000-mapping.dmp
- memory/3664-162-0x0000000000000000-mapping.dmp
- memory/3836-175-0x0000000000A60000-0x0000000000A68000-memory.dmp  32KB
- memory/3836-170-0x0000000000000000-mapping.dmp
- memory/4088-156-0x0000000007F10000-0x000000000801A000-memory.dmp  1.0MB
- memory/4088-169-0x0000000006AE0000-0x0000000006AEA000-memory.dmp  40KB
- memory/4088-157-0x00000000081F0000-0x00000000083B2000-memory.dmp  1.8MB
- memory/4088-147-0x0000000000000000-mapping.dmp
- memory/4088-152-0x00000000076F0000-0x0000000007756000-memory.dmp  408KB
- memory/4088-155-0x0000000007680000-0x00000000076BC000-memory.dmp  240KB
- memory/4088-154-0x00000000070F0000-0x0000000007102000-memory.dmp  72KB
- memory/4088-167-0x0000000006A60000-0x0000000006AD8000-memory.dmp  480KB
- memory/4088-153-0x0000000008420000-0x0000000008A38000-memory.dmp  6.1MB
- memory/4100-176-0x0000000000000000-mapping.dmp
- memory/4152-145-0x00007FF83BBB0000-0x00007FF83C671000-memory.dmp  10.8MB
- memory/4152-168-0x00007FF83BBB0000-0x00007FF83C671000-memory.dmp  10.8MB
- memory/4152-146-0x000000001C2A0000-0x000000001C3AA000-memory.dmp  1.0MB
- memory/4160-135-0x0000000006060000-0x0000000006082000-memory.dmp  136KB
- memory/4160-134-0x0000000005B00000-0x0000000005B92000-memory.dmp  584KB
- memory/4160-132-0x0000000000C40000-0x0000000000F48000-memory.dmp  3.0MB  (the region matched by the orcus yara rule under Signatures; same size as the sample)
- memory/4160-133-0x00000000060B0000-0x0000000006654000-memory.dmp  5.6MB
- memory/4228-158-0x0000000000000000-mapping.dmp
- memory/5024-164-0x0000000000000000-mapping.dmp