Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/02/2023, 20:21

General

  • Target

    4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc.exe

  • Size

    3.0MB

  • MD5

    fd560527411b6fc1dec327027f1b6a51

  • SHA1

    056c4273219177194fa2d4c7cd308470391a4c53

  • SHA256

    4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

  • SHA512

    ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

  • SSDEEP

    49152:Jsa3PHJZKMvup/RGA1Ub/6U3bFaAypQxbzkso9JnCmaukrrzI0AilFCvxHI:JjGUu1D1Uj6UnypSbzPo9JCm

Malware Config

Extracted

  • Family

    orcus

  • Botnet

    Sln

  • C2

    193.138.195.211:10134

  • Mutex

    eaf050d367294b239fe7db992d6ea4d7

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\svchost.exe

  • reconnect_delay

    10000

  • registry_keyname

    svchost

  • taskscheduler_taskname

    svc host

  • watchdog_path

    AppData\svchost.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus main payload 4 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Orcus Rat Executable 6 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc.exe
    "C:\Users\Admin\AppData\Local\Temp\4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:764
    • C:\Program Files (x86)\svchost.exe
      "C:\Program Files (x86)\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1516
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:320
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          PID:700
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          PID:1652
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:1996
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:1344
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Program Files (x86)\svchost.exe" 1568 /protectFile
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Program Files (x86)\svchost.exe" 1568 "/protectFile"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:956
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:1780
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {60F71A80-81BD-4BA8-8E59-5100FEB1EAF4} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Program Files (x86)\svchost.exe
      "C:\Program Files (x86)\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:1928

Network

MITRE ATT&CK Enterprise v6

Downloads

                  • C:\Program Files (x86)\svchost.exe

                    Filesize

                    3.0MB

                    MD5

                    fd560527411b6fc1dec327027f1b6a51

                    SHA1

                    056c4273219177194fa2d4c7cd308470391a4c53

                    SHA256

                    4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

                    SHA512

                    ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

                  • C:\Program Files (x86)\svchost.exe.config

                    Filesize

                    349B

                    MD5

                    89817519e9e0b4e703f07e8c55247861

                    SHA1

                    4636de1f6c997a25c3190f73f46a3fd056238d78

                    SHA256

                    f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

                    SHA512

                    b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

                  • C:\Users\Admin\AppData\Roaming\svchost.exe

                    Filesize

                    9KB

                    MD5

                    c95012f934b8bb6e1fb1bcb11cd9f2eb

                    SHA1

                    c6a565d220ff45730639cf5ec15a97a8ffa88dad

                    SHA256

                    e0b4b9fb56af1bab31bb2150352fa7335fd80cde7e67a53e30d983769d4802ea

                    SHA512

                    bbd86d779af8981a80a87fff9517e3546e9e62bad5a69f76bbf28e608354c91aca3659dfd7df9b9a8223b1f3700796a85de09015454ac894771e7f9e17b89c18

                  • C:\Users\Admin\AppData\Roaming\svchost.exe.config

                    Filesize

                    418B

                    MD5

                    47fb1af739ade4e938c8e6d2e504f4a4

                    SHA1

                    b5c2786f406614105e488ee500858fc09365170d

                    SHA256

                    552fc8db5bd09828e3d73ad68b737efc7f91980d860effd0c68f7d329cf20a92

                    SHA512

                    67eb6bade5cca517ef0ba29197548e1d3df45fbad8cf2e407dbb3927c09f3da5008783348716f77311d3e2528f473651c3c8f59bb6cbea31050e39ae5fd09297

                  • C:\Windows\SysWOW64\WindowsInput.exe

                    Filesize

                    21KB

                    MD5

                    e1e29e723b9e1e50d31e316adab71499

                    SHA1

                    5dbc31fb31aba92814f7c6d7d38cbeec8b17c0b2

                    SHA256

                    4c4490b91bd263bce6232db74e4f86b1e5ea66b7954c4d28b694217aa871b5a3

                    SHA512

                    de0f1c54b7b38e45e7194f35bf668a5387aed04b4d665affc4f0eeb18fa43f527c7f8b9eb57d175bd0418722e83caa188fa65fc6cebf2bec0a74435d1db3f7f3

                  • C:\Windows\SysWOW64\WindowsInput.exe.config

                    Filesize

                    349B

                    MD5

                    89817519e9e0b4e703f07e8c55247861

                    SHA1

                    4636de1f6c997a25c3190f73f46a3fd056238d78

                    SHA256

                    f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

                    SHA512

                    b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

                  • \Program Files (x86)\Ionic.Zip.dll

                    Filesize

                    451KB

                    MD5

                    6ded8fcbf5f1d9e422b327ca51625e24

                    SHA1

                    8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

                    SHA256

                    3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

                    SHA512

                    bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

                  • \Program Files (x86)\svchost.exe

                    Filesize

                    3.0MB

                    MD5

                    fd560527411b6fc1dec327027f1b6a51

                    SHA1

                    056c4273219177194fa2d4c7cd308470391a4c53

                    SHA256

                    4b632ccdd041def4ecbaf20f41033ebcd8317ad696ccc66de1544868f1d7fb61

                    SHA512

                    ca9d08e114656441a4378c8232021e570e577a2aed27fbb53f286c76910ecb8aaa5e87cf83d0b529f0b9072ac919d83b94afa64ddfde0f7d3b29213dae70b988

                  • \Users\Admin\AppData\Roaming\svchost.exe

                    Filesize

                    9KB

                    MD5

                    c95012f934b8bb6e1fb1bcb11cd9f2eb

                    SHA1

                    c6a565d220ff45730639cf5ec15a97a8ffa88dad

                    SHA256

                    e0b4b9fb56af1bab31bb2150352fa7335fd80cde7e67a53e30d983769d4802ea

                    SHA512

                    bbd86d779af8981a80a87fff9517e3546e9e62bad5a69f76bbf28e608354c91aca3659dfd7df9b9a8223b1f3700796a85de09015454ac894771e7f9e17b89c18

                  • \Windows\SysWOW64\WindowsInput.exe

                    Filesize

                    21KB

                    MD5

                    e1e29e723b9e1e50d31e316adab71499

                    SHA1

                    5dbc31fb31aba92814f7c6d7d38cbeec8b17c0b2

                    SHA256

                    4c4490b91bd263bce6232db74e4f86b1e5ea66b7954c4d28b694217aa871b5a3

                    SHA512

                    de0f1c54b7b38e45e7194f35bf668a5387aed04b4d665affc4f0eeb18fa43f527c7f8b9eb57d175bd0418722e83caa188fa65fc6cebf2bec0a74435d1db3f7f3

                  • memory/764-65-0x0000000000330000-0x000000000033C000-memory.dmp

                    Filesize

                    48KB

                  • memory/1568-92-0x0000000005920000-0x0000000005998000-memory.dmp

                    Filesize

                    480KB

                  • memory/1568-76-0x0000000000A70000-0x0000000000A88000-memory.dmp

                    Filesize

                    96KB

                  • memory/1568-73-0x0000000000C00000-0x0000000000F08000-memory.dmp

                    Filesize

                    3.0MB

                  • memory/1568-75-0x00000000025C0000-0x000000000260E000-memory.dmp

                    Filesize

                    312KB

                  • memory/1568-77-0x0000000000A90000-0x0000000000AA0000-memory.dmp

                    Filesize

                    64KB

                  • memory/1628-101-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

                    Filesize

                    32KB

                  • memory/1780-67-0x0000000000320000-0x000000000032C000-memory.dmp

                    Filesize

                    48KB

                  • memory/1996-54-0x0000000000970000-0x0000000000C78000-memory.dmp

                    Filesize

                    3.0MB

                  • memory/1996-59-0x0000000000770000-0x000000000078E000-memory.dmp

                    Filesize

                    120KB

                  • memory/1996-58-0x0000000000690000-0x00000000006A2000-memory.dmp

                    Filesize

                    72KB

                  • memory/1996-57-0x00000000760E1000-0x00000000760E3000-memory.dmp

                    Filesize

                    8KB

                  • memory/1996-56-0x00000000005B0000-0x000000000060C000-memory.dmp

                    Filesize

                    368KB

                  • memory/1996-55-0x00000000003F0000-0x00000000003FE000-memory.dmp

                    Filesize

                    56KB