Analysis
max time kernel: 137s
max time network: 151s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64 arch:x86 image:win7-20231023-en locale:en-us os:windows7-x64 system
submitted: 01/12/2023, 14:59
Behavioral task: behavioral1
Sample: b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
Resource: win7-20231023-en
General
Target: b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
Size: 911KB
MD5: 1b752392a6ce80a4fd406d61589396a3
SHA1: d3394b46da9fa47263071971355c4cbf543c8f17
SHA256: b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547
SHA512: 3c9084d2eb4ef936e985316dd7250f68a1934d07332429c896cff7dc982513b02e643175ffc56b1341ea3027f99f251b42f717c630c3f6f76087d71cac6db878
SSDEEP: 12288:Hy50ed4DkhUo2y27dG1lFlWcYT70pxnnaaoawVm1aBGyrZNrI0AilFEvxHvBMMYO:8zA4MROxnFnaBrZlI0AilFEvxHiVez
Malware Config
Extracted
Family: orcus
NewPro
216.170.120.141:42069
d3d52ea46f88416fac4938bc6eb0a5d0
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %programfiles%\Taber LLC\RMM\rmm.exe
reconnect_delay: 10000
registry_keyname: RMM
taskscheduler_taskname: RMM
watchdog_path: AppData\OrcusWatchdog.exe
Signatures

Orcus main payload (3 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x0008000000014faf-45.dat  family_orcus
  behavioral1/files/0x0008000000014faf-43.dat  family_orcus
  behavioral1/files/0x0008000000014faf-53.dat  family_orcus

Orcurs Rat Executable (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2424-46-0x0000000001370000-0x000000000145A000-memory.dmp  orcus
  behavioral1/files/0x0008000000014faf-45.dat                                   orcus
  behavioral1/files/0x0008000000014faf-43.dat                                   orcus
  behavioral1/files/0x0008000000014faf-53.dat                                   orcus

Executes dropped EXE (4 IoCs)
  pid   Process
  2584  WindowsInput.exe
  2752  WindowsInput.exe
  2424  rmm.exe
  2004  rmm.exe

Drops file in System32 directory (3 IoCs)
  description   ioc                                              Process
  File created  C:\Windows\SysWOW64\WindowsInput.exe              b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
  File created  C:\Windows\SysWOW64\WindowsInput.exe.config       b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
  File created  C:\Windows\SysWOW64\WindowsInput.InstallState     WindowsInput.exe

Drops file in Program Files directory (3 IoCs)
  description                   ioc                                        Process
  File created                  C:\Program Files\Taber LLC\RMM\rmm.exe          b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
  File opened for modification  C:\Program Files\Taber LLC\RMM\rmm.exe          b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
  File created                  C:\Program Files\Taber LLC\RMM\rmm.exe.config   b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2424  rmm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2424  rmm.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 2852 wrote to memory of 2776     2852  b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe  19
  PID 2852 wrote to memory of 2776     2852  b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe  19
  PID 2852 wrote to memory of 2776     2852  b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe  19
  PID 2776 wrote to memory of 2368     2776  csc.exe                                                                  22
  PID 2776 wrote to memory of 2368     2776  csc.exe                                                                  22
  PID 2776 wrote to memory of 2368     2776  csc.exe                                                                  22
  PID 2852 wrote to memory of 2584     2852  b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe  23
  PID 2852 wrote to memory of 2584     2852  b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe  23
  PID 2852 wrote to memory of 2584     2852  b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe  23
  PID 2852 wrote to memory of 2424     2852  b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe  33
  PID 2852 wrote to memory of 2424     2852  b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe  33
  PID 2852 wrote to memory of 2424     2852  b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe  33
  PID 1472 wrote to memory of 2004     1472  taskeng.exe                                                              35
  PID 1472 wrote to memory of 2004     1472  taskeng.exe                                                              35
  PID 1472 wrote to memory of 2004     1472  taskeng.exe                                                              35

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe (PID 2852)
  command line: "C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 2776)
    command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\atvwerh0.cmdline"
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 2368)
      command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98F6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC98F5.tmp"

  C:\Windows\SysWOW64\WindowsInput.exe (PID 2584)
    command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    - Executes dropped EXE
    - Drops file in System32 directory

  C:\Program Files\Taber LLC\RMM\rmm.exe (PID 2424)
    command line: "C:\Program Files\Taber LLC\RMM\rmm.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WindowsInput.exe (PID 2752)
  command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  - Executes dropped EXE

C:\Windows\system32\taskeng.exe (PID 1472)
  command line: taskeng.exe {689BE8B3-724E-4FD9-AFF3-8DD842B09167} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Taber LLC\RMM\rmm.exe (PID 2004)
    command line: "C:\Program Files\Taber LLC\RMM\rmm.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 911KB
MD5: 1b752392a6ce80a4fd406d61589396a3
SHA1: d3394b46da9fa47263071971355c4cbf543c8f17
SHA256: b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547
SHA512: 3c9084d2eb4ef936e985316dd7250f68a1934d07332429c896cff7dc982513b02e643175ffc56b1341ea3027f99f251b42f717c630c3f6f76087d71cac6db878

Filesize: 911KB
MD5: 1b752392a6ce80a4fd406d61589396a3
SHA1: d3394b46da9fa47263071971355c4cbf543c8f17
SHA256: b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547
SHA512: 3c9084d2eb4ef936e985316dd7250f68a1934d07332429c896cff7dc982513b02e643175ffc56b1341ea3027f99f251b42f717c630c3f6f76087d71cac6db878

Filesize: 911KB
MD5: 1b752392a6ce80a4fd406d61589396a3
SHA1: d3394b46da9fa47263071971355c4cbf543c8f17
SHA256: b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547
SHA512: 3c9084d2eb4ef936e985316dd7250f68a1934d07332429c896cff7dc982513b02e643175ffc56b1341ea3027f99f251b42f717c630c3f6f76087d71cac6db878

Filesize: 357B
MD5: a2b76cea3a59fa9af5ea21ff68139c98
SHA1: 35d76475e6a54c168f536e30206578babff58274
SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Filesize: 1KB
MD5: 85a49af7252828ce5393dc057fdde298
SHA1: 21fefe1aacd728269565152b12802f60e715ab80
SHA256: 60436d9e2e62fb5bfc3d721b3e7e80e75b6c88d1ef26a8be422f114b04f3c6e0
SHA512: 49e179819791860830e94f17ccabfdc617b1d69be4cb6e36ecd548c75dc3ee575bcf5638d3c7e7ba09d95d3cfb4884279415a7c4faa12f949cd5adaa38eb0b2b

Filesize: 76KB
MD5: 65c70a1bba89d0e15fedf098b6adc433
SHA1: aa1a98a7a6c161a84b3dd7dee5f6e85cf9ba7a43
SHA256: f202072de0f0914288bd5d68630eb5bbd22ac570ca59760de7d58f9cb29a063b
SHA512: 7595e395e774566b4036d26648ea6392b0ebbc77cbe460af731772d3c05308cb479f1368288431f8b5105724d6f1e08a3dcf5e83af4600b20e02c8aacc2332e2

Filesize: 21KB
MD5: e6fcf516d8ed8d0d4427f86e08d0d435
SHA1: c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256: 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512: c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Filesize: 21KB
MD5: e6fcf516d8ed8d0d4427f86e08d0d435
SHA1: c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256: 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512: c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Filesize: 21KB
MD5: e6fcf516d8ed8d0d4427f86e08d0d435
SHA1: c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256: 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512: c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Filesize: 357B
MD5: a2b76cea3a59fa9af5ea21ff68139c98
SHA1: 35d76475e6a54c168f536e30206578babff58274
SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Filesize: 676B
MD5: 29597c927c9e70ed703a5fd8747e353b
SHA1: 7d413d085a94a8bad878964adb00d5abf8046059
SHA256: fb9b4ebc95d71978da8eb1c679c4f90cf35a9595027beeb65e001791c2814ec7
SHA512: 7e0a6eb8599a9607e8780e35ce55a4bbacf73d3d2f246ef721af855ab27891fba084281f4f9472fd746a580f11fe45eceeca45e202be5779bf8d7ce66c867dc3

Filesize: 208KB
MD5: 6011503497b1b9250a05debf9690e52c
SHA1: 897aea61e9bffc82d7031f1b3da12fb83efc6d82
SHA256: 08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434
SHA512: 604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Filesize: 349B
MD5: cb4bfd74272b946c47ee437cb3e36dd0
SHA1: f32b594580bcb3545a9753ace6f84bffc5eb4cc3
SHA256: 83d1739a740dde70362af9162e75ff8854ac63e50495ba30d14fe4fdb6302e8d
SHA512: f913d554412a5d978d70133ae6cc5b713f159e2064db915cd4038a7defdad037fd45f8ea1983a4fb92865703d089942fbaa94544c349bcf828c6cbaa27c37757