f65ae8f2b7540ff93010945ecba328569fa0d193545b422d02145cb92e811f9c

Analysis

max time kernel
77s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2023, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe
Size

945KB
MD5

8c954b7b1b63e226c6997b1e0260ba69
SHA1

47676b03a41c3711842091156984754b25a4771c
SHA256

540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267
SHA512

c449ef2778e286c5add39c5bae7c9a0fd3fce23f034f68d4f49e9c0ac5373289d7d82d475253dbf984aaf4140023ba396556194de66182bcf3ab3fb71f4cbe2e
SSDEEP

12288:ZV+mzTiV2KQ4p2+fk104bYOgTY3+0dXHjVqouwYnb3pENT4a/gFDV3MzQHmVbb:Z858F+81XYHTm+GoouwCZENVgH88HmVX

Score

9^/10

Malware Config

Signatures

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral12/files/0x000400000000073b-157.dat	MailPassView
behavioral12/files/0x000400000000073b-163.dat	MailPassView
behavioral12/files/0x000400000000073b-164.dat	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral12/files/0x000400000000073b-157.dat	WebBrowserPassView
behavioral12/files/0x000400000000073b-163.dat	WebBrowserPassView
behavioral12/files/0x000400000000073b-164.dat	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral12/files/0x000400000000073b-157.dat	Nirsoft
behavioral12/files/0x000400000000073b-163.dat	Nirsoft
behavioral12/files/0x000400000000073b-164.dat	Nirsoft

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	orimi.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	orimi.exe

Executes dropped EXE 3 IoCs

pid	Process
1404	orimi.sfx.exe
3376	orimi.exe
4300	0rin.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
39	whatismyipaddress.com
43	whatismyipaddress.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	orimi.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3564	4596	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe	85
PID 4596 wrote to memory of 3564	4596	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe	85
PID 4596 wrote to memory of 3564	4596	540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe	85
PID 3564 wrote to memory of 1404	3564	cmd.exe	87
PID 3564 wrote to memory of 1404	3564	cmd.exe	87
PID 3564 wrote to memory of 1404	3564	cmd.exe	87
PID 1404 wrote to memory of 3376	1404	orimi.sfx.exe	88
PID 1404 wrote to memory of 3376	1404	orimi.sfx.exe	88
PID 1404 wrote to memory of 3376	1404	orimi.sfx.exe	88
PID 3376 wrote to memory of 4300	3376	orimi.exe	89
PID 3376 wrote to memory of 4300	3376	orimi.exe	89
PID 3376 wrote to memory of 4300	3376	orimi.exe	89
PID 3376 wrote to memory of 4292	3376	orimi.exe	91
PID 3376 wrote to memory of 4292	3376	orimi.exe	91
PID 4292 wrote to memory of 2224	4292	javaw.exe	92
PID 4292 wrote to memory of 2224	4292	javaw.exe	92

C:\Users\Admin\AppData\Local\Temp\540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe
"C:\Users\Admin\AppData\Local\Temp\540eb4eb6d4b81ba016cea7899b4aa104a38d0a539bf018140fb552de00ee267.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\eisde33w7t54e0bbgi.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\orimi.sfx.exe
    orimi.sfx.exe -piodfse34w882dfsi -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Users\Admin\AppData\Local\Temp\0rin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0rin.exe"
        5⤵
        Executes dropped EXE
        
        PID:4300
    - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\orim.jar"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4292
      - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.73911316443715019033628210444898505.class
        6⤵
        
        PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
fe25cf267c3ff8732f81a438a195ce7e

SHA1
131e654b56ea9e39abd0b0231f869d6fa4a84b58

SHA256
b6b5ab4cbe9ae8fcdba3377cd5a70254caeb5f7a22ba78ee09eef6d412196bf4

SHA512
49edffd82d8c50f4dbcbcb17e56901acb57ca35213791304387065811ec250b328ae133c6a27c67e8394212ab197f1dd342c968a11493a98887759595671cf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rin.exe

Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rin.exe

Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rin.exe

Filesize
502KB

MD5
32a5395bd5e6c5fd25704000077aea8b

SHA1
e96ebe86c955756f0be6ffbe993269651949bfc8

SHA256
e51d61462bf93a5dedd37a71332e61c003fc46cf40b328233364891ad47b6f41

SHA512
56987571b6a735a43ae80f20c948a77595b07fc7286a1da9bc25c320f8cb907140ac0bf78521977e496d1af25c8d37022fd9ccab1863d7cabca2a2cb5cae95c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\eisde33w7t54e0bbgi.bat

Filesize
41B

MD5
acba6e1cd59b8530089cd5bc0e4fa3f5

SHA1
72acc3eeded8af656a52fff77cf25d9546767864

SHA256
c2bda0b74b66e35822281059f43bd31ca7c3f1d885fc0bdc92372da01793695b

SHA512
60c24e2231a4ccb573a5f37e0736e6513f622997ba461f00978ed1be561139676b71f352d3d8d9bf16ecf4b03cc232704e3e3877936e9048a738057fd90a07f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\orimi.sfx.exe

Filesize
894KB

MD5
dcb154f08779bceee91d88abdf29fe98

SHA1
8251e71f8518d7b8913e8ab5ce283de194aa7eff

SHA256
0b366060e0189a9b85ea6efb29bbb8142a168be3fabca60c67c3fd6a20a6193e

SHA512
ca8d9c9165900c9282d368516aa7aad3e603d71d37c4b40b192db0317b5222c9672fe29fb5c89d01941c253ce51b0360d94b0dcb7942cb14fd72e90ae5989da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\orimi.sfx.exe

Filesize
894KB

MD5
dcb154f08779bceee91d88abdf29fe98

SHA1
8251e71f8518d7b8913e8ab5ce283de194aa7eff

SHA256
0b366060e0189a9b85ea6efb29bbb8142a168be3fabca60c67c3fd6a20a6193e

SHA512
ca8d9c9165900c9282d368516aa7aad3e603d71d37c4b40b192db0317b5222c9672fe29fb5c89d01941c253ce51b0360d94b0dcb7942cb14fd72e90ae5989da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe

Filesize
802KB

MD5
ba16b0741b90153284a324fac53f8a91

SHA1
ef4d0855352cfe8aa5675e1cecb4d87298a84098

SHA256
9c4324bf614dd4edf60abad7c7d97c6e67ee37977dc7c4d00be096ea22efac74

SHA512
351b829ee345bf8ce06d714f5e1e0ce734ff2bd8816bb1c14480d34517226417019a38eed78303af2c3cd7c668b1eada26430004d643b32bfec6ac50aec7c8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe

Filesize
802KB

MD5
ba16b0741b90153284a324fac53f8a91

SHA1
ef4d0855352cfe8aa5675e1cecb4d87298a84098

SHA256
9c4324bf614dd4edf60abad7c7d97c6e67ee37977dc7c4d00be096ea22efac74

SHA512
351b829ee345bf8ce06d714f5e1e0ce734ff2bd8816bb1c14480d34517226417019a38eed78303af2c3cd7c668b1eada26430004d643b32bfec6ac50aec7c8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\orimi.exe

Filesize
802KB

MD5
ba16b0741b90153284a324fac53f8a91

SHA1
ef4d0855352cfe8aa5675e1cecb4d87298a84098

SHA256
9c4324bf614dd4edf60abad7c7d97c6e67ee37977dc7c4d00be096ea22efac74

SHA512
351b829ee345bf8ce06d714f5e1e0ce734ff2bd8816bb1c14480d34517226417019a38eed78303af2c3cd7c668b1eada26430004d643b32bfec6ac50aec7c8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.73911316443715019033628210444898505.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\orim.jar

Filesize
479KB

MD5
6a8979d38cd1d99c33eaa74aa7775143

SHA1
efa1b842a8c66c2800e870f090eaeddca0bacdb6

SHA256
50fb5acf95563164b7c3e5a922641cfefbfec4abb6d31439dc69fba075ca4b56

SHA512
4e529d575800446246c7011c907c5dd7169892680d3a8fc126b22d0996e6a1819e013da41133090bc1f287d4358b059d3d5f1c48f57d02a0a148cdd0e0150acb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2275444769-3691835758-4097679484-1000\83aa4cc77f591dfc2374580bbd95f6ba_6d187d53-139c-415c-b71c-a4b59992e636

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/1404-170-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2224-238-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2224-205-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2224-255-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2224-207-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/3376-152-0x0000000000400000-0x00000000004CA1BF-memory.dmp

Filesize
808KB

Download
memory/3376-167-0x0000000000400000-0x00000000004CA1BF-memory.dmp

Filesize
808KB

Download
memory/4292-258-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4292-256-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4292-188-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4292-236-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4300-218-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/4300-225-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/4300-169-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/4300-239-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

Filesize
64KB

Download
memory/4596-192-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4596-196-0x0000000074EC0000-0x0000000074EC6000-memory.dmp

Filesize
24KB

Download
memory/4596-189-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4596-203-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4596-201-0x0000000074E20000-0x0000000074E37000-memory.dmp

Filesize
92KB

Download