Analysis
-
max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags
arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
submitted
01/12/2023, 14:59
Behavioral task
behavioral1
Sample
b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
Resource
win7-20231023-en
General
-
Target
b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
-
Size
911KB
-
MD5
1b752392a6ce80a4fd406d61589396a3
-
SHA1
d3394b46da9fa47263071971355c4cbf543c8f17
-
SHA256
b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547
-
SHA512
3c9084d2eb4ef936e985316dd7250f68a1934d07332429c896cff7dc982513b02e643175ffc56b1341ea3027f99f251b42f717c630c3f6f76087d71cac6db878
-
SSDEEP
12288:Hy50ed4DkhUo2y27dG1lFlWcYT70pxnnaaoawVm1aBGyrZNrI0AilFEvxHvBMMYO:8zA4MROxnFnaBrZlI0AilFEvxHiVez
Malware Config
Extracted
orcus
NewPro
216.170.120.141:42069
d3d52ea46f88416fac4938bc6eb0a5d0
-
autostart_method
TaskScheduler
-
enable_keylogger
true
-
install_path
%programfiles%\Taber LLC\RMM\rmm.exe
-
reconnect_delay
10000
-
registry_keyname
RMM
-
taskscheduler_taskname
RMM
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus main payload 4 IoCs
resource | yara_rule
behavioral2/files/0x000700000002320d-57.dat | family_orcus
behavioral2/files/0x000700000002320d-63.dat | family_orcus
behavioral2/files/0x000700000002320d-66.dat | family_orcus
behavioral2/files/0x000700000002320d-72.dat | family_orcus
Orcurs Rat Executable 5 IoCs
resource | yara_rule
behavioral2/files/0x000700000002320d-57.dat | orcus
behavioral2/files/0x000700000002320d-63.dat | orcus
behavioral2/files/0x000700000002320d-66.dat | orcus
behavioral2/memory/784-69-0x0000000000E40000-0x0000000000F2A000-memory.dmp | orcus
behavioral2/files/0x000700000002320d-72.dat | orcus
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
Executes dropped EXE 4 IoCs
pid | Process
4868 | WindowsInput.exe
752 | WindowsInput.exe
784 | rmm.exe
4572 | rmm.exe
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\assembly\Desktop.ini | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
File created | C:\Windows\assembly\Desktop.ini | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\WindowsInput.exe | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | WindowsInput.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\Taber LLC\RMM\rmm.exe | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
File opened for modification | C:\Program Files\Taber LLC\RMM\rmm.exe | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
File created | C:\Program Files\Taber LLC\RMM\rmm.exe.config | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\assembly | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
File created | C:\Windows\assembly\Desktop.ini | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 784 | rmm.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
784 | rmm.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 456 wrote to memory of 3008 | 456 | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe | 88
PID 456 wrote to memory of 3008 | 456 | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe | 88
PID 3008 wrote to memory of 1664 | 3008 | csc.exe | 90
PID 3008 wrote to memory of 1664 | 3008 | csc.exe | 90
PID 456 wrote to memory of 4868 | 456 | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe | 92
PID 456 wrote to memory of 4868 | 456 | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe | 92
PID 456 wrote to memory of 784 | 456 | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe | 95
PID 456 wrote to memory of 784 | 456 | b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe | 95
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe"
  Checks computer location settings
  Drops desktop.ini file(s)
  Drops file in System32 directory
  Drops file in Program Files directory
  Drops file in Windows directory
  Suspicious use of WriteProcessMemory
  PID: 456
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\inggx1eb.cmdline"
    Suspicious use of WriteProcessMemory
    PID: 3008
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES883C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC883B.tmp"
      PID: 1664
  - C:\Windows\SysWOW64\WindowsInput.exe
    Command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    Executes dropped EXE
    Drops file in System32 directory
    PID: 4868
  - C:\Program Files\Taber LLC\RMM\rmm.exe
    Command line: "C:\Program Files\Taber LLC\RMM\rmm.exe"
    Executes dropped EXE
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    PID: 784
- C:\Windows\SysWOW64\WindowsInput.exe
  Command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  Executes dropped EXE
  PID: 752
- C:\Program Files\Taber LLC\RMM\rmm.exe
  Command line: "C:\Program Files\Taber LLC\RMM\rmm.exe"
  Executes dropped EXE
  PID: 4572
Network
MITRE ATT&CK Enterprise v15
Downloads