Analysis
max time kernel: 141s
max time network: 148s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2023, 14:23
Behavioral task: behavioral1
Sample: 123xxx.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: 123xxx.exe
Resource: win10v2004-20230915-en
General
Target: 123xxx.exe
Size: 907KB
MD5: 8a8708ed2507d0907e08f10185d17bce
SHA1: 6a3007eecffea8b616474e3a3f2a17660a567a22
SHA256: cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7
SHA512: f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744
SSDEEP: 12288:Wgfe07KFML7iLMucoUe7dG1lFlWcYT70pxnnaaoawn7ueuRAxrZNrI0AilFEvxH9:/tY4MROxnFH9+rZlI0AilFEvxHiGWw
Malware Config
Extracted
orcus
de2.localto.net:41509
258334e365604d3ca90aaafdbf31c4c7
autostart_method: Registry
enable_keylogger: false
install_path: %programfiles%\systemw\DSRHost.exe
reconnect_delay: 10000
registry_keyname: DSRHost
taskscheduler_taskname: DSRHost
watchdog_path: AppData\OrcusWatchdog.exe
Signatures
Orcus main payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x000e000000012271-27.dat | family_orcus
behavioral1/files/0x000e000000012271-26.dat | family_orcus
behavioral1/files/0x000e000000012271-30.dat | family_orcus
Orcurs Rat Executable (4 IoCs)
resource | yara_rule
behavioral1/files/0x000e000000012271-27.dat | orcus
behavioral1/files/0x000e000000012271-26.dat | orcus
behavioral1/files/0x000e000000012271-30.dat | orcus
behavioral1/memory/2536-31-0x0000000000070000-0x0000000000158000-memory.dmp | orcus
Executes dropped EXE (1 IoCs)
pid | Process
2536 | DSRHost.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\DSRHost = "\"C:\\Program Files\\systemw\\DSRHost.exe\"" | DSRHost.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files\systemw\DSRHost.exe | 123xxx.exe
File opened for modification | C:\Program Files\systemw\DSRHost.exe | 123xxx.exe
File created | C:\Program Files\systemw\DSRHost.exe.config | 123xxx.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2536 | DSRHost.exe
Suspicious use of SendNotifyMessage (1 IoCs)
pid | Process
2536 | DSRHost.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2112 wrote to memory of 2388 | 2112 | 123xxx.exe | 28
PID 2112 wrote to memory of 2388 | 2112 | 123xxx.exe | 28
PID 2112 wrote to memory of 2388 | 2112 | 123xxx.exe | 28
PID 2388 wrote to memory of 2744 | 2388 | csc.exe | 30
PID 2388 wrote to memory of 2744 | 2388 | csc.exe | 30
PID 2388 wrote to memory of 2744 | 2388 | csc.exe | 30
PID 2112 wrote to memory of 2536 | 2112 | 123xxx.exe | 31
PID 2112 wrote to memory of 2536 | 2112 | 123xxx.exe | 31
PID 2112 wrote to memory of 2536 | 2112 | 123xxx.exe | 31
Processes
C:\Users\Admin\AppData\Local\Temp\123xxx.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\123xxx.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2112
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\diq3qcer.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 2388
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FF3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6FF2.tmp"
      PID: 2744
  C:\Program Files\systemw\DSRHost.exe
    Command line: "C:\Program Files\systemw\DSRHost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2536