Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/12/2023, 14:59

General

  • Target

    b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe

  • Size

    911KB

  • MD5

    1b752392a6ce80a4fd406d61589396a3

  • SHA1

    d3394b46da9fa47263071971355c4cbf543c8f17

  • SHA256

    b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547

  • SHA512

    3c9084d2eb4ef936e985316dd7250f68a1934d07332429c896cff7dc982513b02e643175ffc56b1341ea3027f99f251b42f717c630c3f6f76087d71cac6db878

  • SSDEEP

    12288:Hy50ed4DkhUo2y27dG1lFlWcYT70pxnnaaoawVm1aBGyrZNrI0AilFEvxHvBMMYO:8zA4MROxnFnaBrZlI0AilFEvxHiVez

Malware Config

Extracted

Family

orcus

Botnet

NewPro

C2

216.170.120.141:42069

Mutex

d3d52ea46f88416fac4938bc6eb0a5d0

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Taber LLC\RMM\rmm.exe

  • reconnect_delay

    10000

  • registry_keyname

    RMM

  • taskscheduler_taskname

    RMM

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan sold on underground forums.

  • Orcus main payload 4 IoCs
  • Orcurs Rat Executable 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe
    "C:\Users\Admin\AppData\Local\Temp\b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\inggx1eb.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES883C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC883B.tmp"
        3⤵
        PID:1664
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:4868
    • C:\Program Files\Taber LLC\RMM\rmm.exe
      "C:\Program Files\Taber LLC\RMM\rmm.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:784
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:752
  • C:\Program Files\Taber LLC\RMM\rmm.exe
    "C:\Program Files\Taber LLC\RMM\rmm.exe"
    1⤵
    • Executes dropped EXE
    PID:4572

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files\Taber LLC\RMM\rmm.exe

      Filesize

      911KB

      MD5

      1b752392a6ce80a4fd406d61589396a3

      SHA1

      d3394b46da9fa47263071971355c4cbf543c8f17

      SHA256

      b8a4b96e05940a81a14122f78a6fa3a796615c325a6d44c344fc83cf38100547

      SHA512

      3c9084d2eb4ef936e985316dd7250f68a1934d07332429c896cff7dc982513b02e643175ffc56b1341ea3027f99f251b42f717c630c3f6f76087d71cac6db878

    • C:\Program Files\Taber LLC\RMM\rmm.exe.config

      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    • C:\Users\Admin\AppData\Local\Temp\RES883C.tmp

      Filesize

      1KB

      MD5

      3be944b47a2e3a41f3f07c9694785c54

      SHA1

      6479c0bd339046743235c7eb8514aaf24e1bc04d

      SHA256

      4aeca4147d3103637aec1abe6ed6ec57d437d387f03bddf7846ffd2d95f2100e

      SHA512

      54df76ec4e0636dd1844f500f578c5c40e2364c0fcaa705780512115c887a2ecda9af4abde62ffb781f9e42b7484b8ac198977df7d216c7586db5dafe78ef103

    • C:\Users\Admin\AppData\Local\Temp\inggx1eb.dll

      Filesize

      76KB

      MD5

      8444f1c51e421e8848b15d37951b4919

      SHA1

      9f1fa34b8e95fa0e2e1b83760d532a85931b594d

      SHA256

      4ceb7f20e85c70ce936058af0463c28a4d97c5f16a7689f28ff8bad74d40741e

      SHA512

      50b14f19e6b266ad10467a7ec81f93c89fcdb94f8fbd0f430851e1bed75cee93e66a729d3ca2ad8fdacf9ec0f3edbe395a4e2a6c5f26700f1055b380cae6f558

    • C:\Windows\SysWOW64\WindowsInput.exe

      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

    • C:\Windows\SysWOW64\WindowsInput.exe.config

      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC883B.tmp

      Filesize

      676B

      MD5

      bfb78b2cdda510b215826f73aa73a2a2

      SHA1

      e2696515ad40fd1f2e01e690ede91a19e09cc9e5

      SHA256

      26f0b5bf41c82782a5d0a1591aa147232220ec035c7ec61f86f2f80e97641c62

      SHA512

      dcc3f68786e1efd6be26e7256f5b68c057d3fc4b3e163efd14b79a959a68c6292d2cf597a93fcbf874f971db080e4f6487dd82d678566eeba64c0ea9a58e476e

    • \??\c:\Users\Admin\AppData\Local\Temp\inggx1eb.0.cs

      Filesize

      208KB

      MD5

      88abb8b0eb4adac94738adb42c1ffe0f

      SHA1

      5ddcddf573fbd26957a5a160a934832a80cc50c3

      SHA256

      70004d6eb4348b65f50ad330795c5200f50673f12a92510c95e0babbaf7d6330

      SHA512

      d9aaaa90e2c955687c2935aa20592067d11f5a3bd146dc28ab5d845ad2c2626d4114b9ce411e06451f95e4e9a42339e85f99a7f4751e0a765c70e9c568aa9f31

    • \??\c:\Users\Admin\AppData\Local\Temp\inggx1eb.cmdline

      Filesize

      349B

      MD5

      963c696ed467a1582b07476449d63dcf

      SHA1

      e76c8867c9b2a3f3d3b2237df99d1be2e25b41c3

      SHA256

      4b060ded1e510541c01efc9751095cfed43d1171de6a8ec40969f8810ca0231c

      SHA512

      d675869db2a498bb7dbcc3faad05f0b80abf9d0c16045a16453e6fc1a0850220af89082ed9728ad3b69d79c69d09595df2551f96a4ae8009697f02f3a0b22a06

    • memory/456-8-0x000000001CBE0000-0x000000001CC7C000-memory.dmp

      Filesize

      624KB

    • memory/456-25-0x000000001D5C0000-0x000000001D5E0000-memory.dmp

      Filesize

      128KB

    • memory/456-24-0x000000001BF10000-0x000000001BF22000-memory.dmp

      Filesize

      72KB

    • memory/456-22-0x000000001C160000-0x000000001C176000-memory.dmp

      Filesize

      88KB

    • memory/456-7-0x000000001C670000-0x000000001CB3E000-memory.dmp

      Filesize

      4.8MB

    • memory/456-67-0x00007FFD83440000-0x00007FFD83DE1000-memory.dmp

      Filesize

      9.6MB

    • memory/456-6-0x000000001C120000-0x000000001C12E000-memory.dmp

      Filesize

      56KB

    • memory/456-3-0x000000001BF30000-0x000000001BF8C000-memory.dmp

      Filesize

      368KB

    • memory/456-2-0x00007FFD83440000-0x00007FFD83DE1000-memory.dmp

      Filesize

      9.6MB

    • memory/456-1-0x0000000001380000-0x0000000001390000-memory.dmp

      Filesize

      64KB

    • memory/456-0-0x00007FFD83440000-0x00007FFD83DE1000-memory.dmp

      Filesize

      9.6MB

    • memory/752-49-0x00007FFD7FF70000-0x00007FFD80A31000-memory.dmp

      Filesize

      10.8MB

    • memory/752-82-0x000000001A120000-0x000000001A130000-memory.dmp

      Filesize

      64KB

    • memory/752-50-0x000000001A120000-0x000000001A130000-memory.dmp

      Filesize

      64KB

    • memory/752-51-0x000000001A640000-0x000000001A74A000-memory.dmp

      Filesize

      1.0MB

    • memory/752-81-0x00007FFD7FF70000-0x00007FFD80A31000-memory.dmp

      Filesize

      10.8MB

    • memory/784-85-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

      Filesize

      64KB

    • memory/784-83-0x00007FFD7FF70000-0x00007FFD80A31000-memory.dmp

      Filesize

      10.8MB

    • memory/784-84-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

      Filesize

      64KB

    • memory/784-68-0x00007FFD7FF70000-0x00007FFD80A31000-memory.dmp

      Filesize

      10.8MB

    • memory/784-75-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

      Filesize

      64KB

    • memory/784-69-0x0000000000E40000-0x0000000000F2A000-memory.dmp

      Filesize

      936KB

    • memory/784-70-0x000000001BBD0000-0x000000001BBE0000-memory.dmp

      Filesize

      64KB

    • memory/784-71-0x000000001BBE0000-0x000000001BC2E000-memory.dmp

      Filesize

      312KB

    • memory/784-78-0x000000001BC50000-0x000000001BC60000-memory.dmp

      Filesize

      64KB

    • memory/784-73-0x000000001BC30000-0x000000001BC48000-memory.dmp

      Filesize

      96KB

    • memory/784-77-0x000000001C3D0000-0x000000001C592000-memory.dmp

      Filesize

      1.8MB

    • memory/3008-14-0x0000000002470000-0x0000000002480000-memory.dmp

      Filesize

      64KB

    • memory/4572-76-0x00000000026D0000-0x00000000026E0000-memory.dmp

      Filesize

      64KB

    • memory/4572-74-0x00007FFD7FF70000-0x00007FFD80A31000-memory.dmp

      Filesize

      10.8MB

    • memory/4572-80-0x00007FFD7FF70000-0x00007FFD80A31000-memory.dmp

      Filesize

      10.8MB

    • memory/4868-47-0x00007FFD7FF70000-0x00007FFD80A31000-memory.dmp

      Filesize

      10.8MB

    • memory/4868-39-0x0000000000B20000-0x0000000000B2C000-memory.dmp

      Filesize

      48KB

    • memory/4868-40-0x00007FFD7FF70000-0x00007FFD80A31000-memory.dmp

      Filesize

      10.8MB

    • memory/4868-41-0x000000001B820000-0x000000001B830000-memory.dmp

      Filesize

      64KB

    • memory/4868-42-0x0000000002DE0000-0x0000000002DF2000-memory.dmp

      Filesize

      72KB

    • memory/4868-43-0x000000001B750000-0x000000001B78C000-memory.dmp

      Filesize

      240KB