Overview

overview

9

Static

static

1

ORIONCHECKER.exe

windows7-x64

9

ORIONCHECKER.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    28/03/2023, 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORIONCHECKER.exe

  • Size

    28.3MB

  • MD5

    2c60470a964906d0655a1e47339e2ad3

  • SHA1

    eb6f907abb0eec689beea6c5c370143e06dbd032

  • SHA256

    f45909b2a34a28b31be60d7c83bc9744d8c97649ab1995a2e499978f4f79ad8a

  • SHA512

    7ac0f4d85312e0025c3796bed3602459f57ddaf4f8ad1d416208757e4926197b06ce2e8e6b5f9047410a842af7bc2bf669e9bc5776c0be4826dc10a32138b650

  • SSDEEP

    786432:JvLh4zHT0a+vVgigVJvEM3oPjpkVJiKUhW52RgjmGJa6ATQ:B1CT9+vYbknKeWsRhGJa6

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORIONCHECKER.exe
    "C:\Users\Admin\AppData\Local\Temp\ORIONCHECKER.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1484

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\DN00000000640A4EB2\Runtime64.dll
    Filesize

    8.8MB

    MD5

    88f4ac51195111fe39c98424e414aff5

    SHA1

    d865e4dd640b06e1d123fb7e178da4d9c24277b7

    SHA256

    bce8862e418dae0499377aac92b31f7ad6bd4c76482ee3545babc031cd69bfa7

    SHA512

    373df43489c04a4722694d88a7413ee1ccdfb0069973581fea80b6bf5a6e2b1529cd5f76f149bb643389fab0ffdd8d3d7f3e495abfa8faadc72aff5efc3ed3c9

    Download Submit

  • memory/1484-54-0x0000000000130000-0x0000000001D8A000-memory.dmp

    Filesize

    28.4MB

    Download

  • memory/1484-59-0x000007FFFFD50000-0x000007FFFFEF7000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1484-60-0x0000000180000000-0x00000001811C3000-memory.dmp

    Filesize

    17.8MB

    Download

  • memory/1484-61-0x000000001C940000-0x000000001CA90000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1484-63-0x0000000180000000-0x00000001811C3000-memory.dmp

    Filesize

    17.8MB

    Download

  • memory/1484-64-0x0000000180000000-0x00000001811C3000-memory.dmp

    Filesize

    17.8MB

    Download

  • memory/1484-65-0x0000000180000000-0x00000001811C3000-memory.dmp

    Filesize

    17.8MB

    Download

  • memory/1484-66-0x0000000180000000-0x00000001811C3000-memory.dmp

    Filesize

    17.8MB

    Download

  • memory/1484-67-0x000007FEF61A0000-0x000007FEF62CC000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1484-68-0x0000000180000000-0x00000001811C3000-memory.dmp

    Filesize

    17.8MB

    Download

  • memory/1484-69-0x000000001C940000-0x000000001CA90000-memory.dmp

    Filesize

    1.3MB

    Download