f65ae8f2b7540ff93010945ecba328569fa0d193545b422d02145cb92e811f9c

Analysis

max time kernel
77s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2023 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe
Size

945KB
MD5

8c954b7b1b63e226c6997b1e0260ba69
SHA1

47676b03a41c3711842091156984754b25a4771c
SHA256

540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267
SHA512

c449ef2778e286c5add39c5bae7c9a0fd3fce23f034f68d4f49e9c0ac5373289d7d82d475253dbf984aaf4140023ba396556194de66182bcf3ab3fb71f4cbe2e
SSDEEP

12288:ZV+mzTiV2KQ4p2+fk104bYOgTY3+0dXHjVqouwYnb3pENT4a/gFDV3MzQHmVbb:Z858F+81XYHTm+GoouwCZENVgH88HmVX

Score

9^/10

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0rin.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\0rin.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\0rin.exe	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0rin.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\0rin.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\0rin.exe	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0rin.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\0rin.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\0rin.exe	Nirsoft

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exeorimi.sfx.exeorimi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	orimi.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	orimi.exe

Executes dropped EXE 3 IoCs

Processes:

orimi.sfx.exeorimi.exe0rin.exe

pid process

1404 orimi.sfx.exe
3376 orimi.exe
4300 0rin.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 whatismyipaddress.com
43 whatismyipaddress.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

orimi.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings orimi.exe

pid	process
1404	orimi.sfx.exe
3376	orimi.exe
4300	0rin.exe

flow	ioc
39	whatismyipaddress.com
43	whatismyipaddress.com

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	orimi.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.execmd.exeorimi.sfx.exeorimi.exejavaw.exe

description	pid	process	target process
PID 4596 wrote to memory of 3564	4596	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe	cmd.exe
PID 4596 wrote to memory of 3564	4596	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe	cmd.exe
PID 4596 wrote to memory of 3564	4596	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe	cmd.exe
PID 3564 wrote to memory of 1404	3564	cmd.exe	orimi.sfx.exe
PID 3564 wrote to memory of 1404	3564	cmd.exe	orimi.sfx.exe
PID 3564 wrote to memory of 1404	3564	cmd.exe	orimi.sfx.exe
PID 1404 wrote to memory of 3376	1404	orimi.sfx.exe	orimi.exe
PID 1404 wrote to memory of 3376	1404	orimi.sfx.exe	orimi.exe
PID 1404 wrote to memory of 3376	1404	orimi.sfx.exe	orimi.exe
PID 3376 wrote to memory of 4300	3376	orimi.exe	0rin.exe
PID 3376 wrote to memory of 4300	3376	orimi.exe	0rin.exe
PID 3376 wrote to memory of 4300	3376	orimi.exe	0rin.exe
PID 3376 wrote to memory of 4292	3376	orimi.exe	javaw.exe
PID 3376 wrote to memory of 4292	3376	orimi.exe	javaw.exe
PID 4292 wrote to memory of 2224	4292	javaw.exe	java.exe
PID 4292 wrote to memory of 2224	4292	javaw.exe	java.exe

C:\Users\Admin\AppData\Local\Temp\540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe
"C:\Users\Admin\AppData\Local\Temp\540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\eisde33w7t54e0bbgi.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\RarSFX0\orimi.sfx.exe
orimi.sfx.exe -piodfse34w882dfsi -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Local\Temp\0rin.exe
"C:\Users\Admin\AppData\Local\Temp\0rin.exe"
5⤵
- Executes dropped EXE
PID:4300

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\orim.jar"
5⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.73911316443715019033628210444898505.class
6⤵
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
fe25cf267c3ff8732f81a438a195ce7e

SHA1
131e654b56ea9e39abd0b0231f869d6fa4a84b58

SHA256
b6b5ab4cbe9ae8fcdba3377cd5a70254caeb5f7a22ba78ee09eef6d412196bf4

SHA512
49edffd82d8c50f4dbcbcb17e56901acb57ca35213791304387065811ec250b328ae133c6a27c67e8394212ab197f1dd342c968a11493a98887759595671cf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rin.exe
Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rin.exe
Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rin.exe
Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eisde33w7t54e0bbgi.bat
Filesize
41B

MD5
acba6e1cd59b8530089cd5bc0e4fa3f5

SHA1
72acc3eeded8af656a52fff77cf25d9546767864

SHA256
c2bda0b74b66e35822281059f43bd31ca7c3f1d885fc0bdc92372da01793695b

SHA512
60c24e2231a4ccb573a5f37e0736e6513f622997ba461f00978ed1be561139676b71f352d3d8d9bf16ecf4b03cc232704e3e3877936e9048a738057fd90a07f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\orimi.sfx.exe
Filesize
894KB

MD5
dcb154f08779bceee91d88abdf29fe98

SHA1
8251e71f8518d7b8913e8ab5ce283de194aa7eff

SHA256
0b366060e0189a9b85ea6efb29bbb8142a168be3fabca60c67c3fd6a20a6193e

SHA512
ca8d9c9165900c9282d368516aa7aad3e603d71d37c4b40b192db0317b5222c9672fe29fb5c89d01941c253ce51b0360d94b0dcb7942cb14fd72e90ae5989da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\orimi.sfx.exe
Filesize
894KB

MD5
dcb154f08779bceee91d88abdf29fe98

SHA1
8251e71f8518d7b8913e8ab5ce283de194aa7eff

SHA256
0b366060e0189a9b85ea6efb29bbb8142a168be3fabca60c67c3fd6a20a6193e

SHA512
ca8d9c9165900c9282d368516aa7aad3e603d71d37c4b40b192db0317b5222c9672fe29fb5c89d01941c253ce51b0360d94b0dcb7942cb14fd72e90ae5989da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe
Filesize
802KB

MD5
ba16b0741b90153284a324fac53f8a91

SHA1
ef4d0855352cfe8aa5675e1cecb4d87298a84098

SHA256
9c4324bf614dd4edf60abad7c7d97c6e67ee37977dc7c4d00be096ea22efac74

SHA512
351b829ee345bf8ce06d714f5e1e0ce734ff2bd8816bb1c14480d34517226417019a38eed78303af2c3cd7c668b1eada26430004d643b32bfec6ac50aec7c8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe
Filesize
802KB

MD5
ba16b0741b90153284a324fac53f8a91

SHA1
ef4d0855352cfe8aa5675e1cecb4d87298a84098

SHA256
9c4324bf614dd4edf60abad7c7d97c6e67ee37977dc7c4d00be096ea22efac74

SHA512
351b829ee345bf8ce06d714f5e1e0ce734ff2bd8816bb1c14480d34517226417019a38eed78303af2c3cd7c668b1eada26430004d643b32bfec6ac50aec7c8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe
Filesize
802KB

MD5
ba16b0741b90153284a324fac53f8a91

SHA1
ef4d0855352cfe8aa5675e1cecb4d87298a84098

SHA256
9c4324bf614dd4edf60abad7c7d97c6e67ee37977dc7c4d00be096ea22efac74

SHA512
351b829ee345bf8ce06d714f5e1e0ce734ff2bd8816bb1c14480d34517226417019a38eed78303af2c3cd7c668b1eada26430004d643b32bfec6ac50aec7c8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.73911316443715019033628210444898505.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\orim.jar
Filesize
479KB

MD5
6a8979d38cd1d99c33eaa74aa7775143

SHA1
efa1b842a8c66c2800e870f090eaeddca0bacdb6

SHA256
50fb5acf95563164b7c3e5a922641cfefbfec4abb6d31439dc69fba075ca4b56

SHA512
4e529d575800446246c7011c907c5dd7169892680d3a8fc126b22d0996e6a1819e013da41133090bc1f287d4358b059d3d5f1c48f57d02a0a148cdd0e0150acb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2275444769-3691835758-4097679484-1000\83aa4cc77f591dfc2374580bbd95f6ba_6d187d53-139c-415c-b71c-a4b59992e636
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/1404-170-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2224-238-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2224-205-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2224-207-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2224-255-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/3376-152-0x0000000000400000-0x00000000004CA1BF-memory.dmp

Filesize
808KB

Download
memory/3376-167-0x0000000000400000-0x00000000004CA1BF-memory.dmp

Filesize
808KB

Download
memory/4292-258-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4292-188-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4292-236-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4292-256-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4300-218-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/4300-225-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/4300-169-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/4300-239-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/4596-203-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4596-189-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4596-201-0x0000000074E20000-0x0000000074E37000-memory.dmp

Filesize
92KB

Download
memory/4596-196-0x0000000074EC0000-0x0000000074EC6000-memory.dmp

Filesize
24KB

Download
memory/4596-192-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download