Analysis
max time kernel: 164s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
submitted: 01/12/2023, 15:08
Behavioral task: behavioral1
Sample: 78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
Resource: win7-20231023-en
General
Target: 78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
Size: 911KB
MD5: 4e959e6b6bcb3b88d1b791f397009ace
SHA1: 03c6825264db0b9f7e84984e4833fa3450f11a9d
SHA256: 78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1
SHA512: 646b91c8ef0b1ef51c9473ce8ac21a91f0596433604c8afdf1bef76c980190a60172cc1c50dec92d5c9eeb726e0c771f186254ce1e499c5992848d1c202f0188
SSDEEP: 12288:cy50ed4DkhUo2y27dG1lFlWcYT70pxnnaaoawVm1aBGyrZNrI0AilFEvxHvBMTLG:pzA4MROxnFnaBrZlI0AilFEvxHiCz
Malware Config
Extracted
orcus
Default
216.170.120.141:42069
c9015774f0ad4366bafd53ee00a5ef2f
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %programfiles%\Taber LLC\RMM\rmm.exe
reconnect_delay: 10000
registry_keyname: RMM
taskscheduler_taskname: RMM
watchdog_path: AppData\OrcusWatchdog.exe
Signatures

Orcus main payload (4 IoCs)
resource                                      yara_rule
behavioral2/files/0x000700000002320b-47.dat   family_orcus
behavioral2/files/0x000700000002320b-53.dat   family_orcus
behavioral2/files/0x000700000002320b-56.dat   family_orcus
behavioral2/files/0x000700000002320b-70.dat   family_orcus

Orcurs Rat Executable (5 IoCs)
resource                                                                   yara_rule
behavioral2/files/0x000700000002320b-47.dat                                orcus
behavioral2/files/0x000700000002320b-53.dat                                orcus
behavioral2/files/0x000700000002320b-56.dat                                orcus
behavioral2/memory/3920-57-0x0000000000FA0000-0x000000000108A000-memory.dmp  orcus
behavioral2/files/0x000700000002320b-70.dat                                orcus

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation
Process: 78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe

Executes dropped EXE (3 IoCs)
pid    Process
3184   WindowsInput.exe
3920   rmm.exe
3436   rmm.exe

Drops desktop.ini file(s) (2 IoCs)
description                    ioc                                Process
File created                   C:\Windows\assembly\Desktop.ini    78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
File opened for modification   C:\Windows\assembly\Desktop.ini    78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe

Drops file in System32 directory (3 IoCs)
description    ioc                                                Process
File created   C:\Windows\SysWOW64\WindowsInput.exe               78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
File created   C:\Windows\SysWOW64\WindowsInput.exe.config        78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
File created   C:\Windows\SysWOW64\WindowsInput.InstallState      WindowsInput.exe

Drops file in Program Files directory (3 IoCs)
description                    ioc                                             Process
File opened for modification   C:\Program Files\Taber LLC\RMM\rmm.exe          78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
File created                   C:\Program Files\Taber LLC\RMM\rmm.exe.config   78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
File created                   C:\Program Files\Taber LLC\RMM\rmm.exe          78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe

Drops file in Windows directory (3 IoCs)
description                    ioc                                Process
File opened for modification   C:\Windows\assembly                78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
File created                   C:\Windows\assembly\Desktop.ini    78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
File opened for modification   C:\Windows\assembly\Desktop.ini    78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description                pid    Process
Token: SeDebugPrivilege    3920   rmm.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid    Process
3920   rmm.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                         pid    Process                                                                   procid_target
PID 2968 wrote to memory of 2224    2968   78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe    92
PID 2968 wrote to memory of 2224    2968   78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe    92
PID 2224 wrote to memory of 4516    2224   csc.exe                                                                   94
PID 2224 wrote to memory of 4516    2224   csc.exe                                                                   94
PID 2968 wrote to memory of 3184    2968   78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe    95
PID 2968 wrote to memory of 3184    2968   78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe    95
PID 2968 wrote to memory of 3920    2968   78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe    99
PID 2968 wrote to memory of 3920    2968   78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe    99

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\78978a36b56e68b07d49c3e380f30c7c12668edc3bb71761c2bd8b05b416fcb1.exe"
   PID: 2968
   - Checks computer location settings
   - Drops desktop.ini file(s)
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lf5krzfi.cmdline"
      PID: 2224
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES607B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC607A.tmp"
         PID: 4516

   2. C:\Windows\SysWOW64\WindowsInput.exe
      Command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
      PID: 3184
      - Executes dropped EXE
      - Drops file in System32 directory

   2. C:\Program Files\Taber LLC\RMM\rmm.exe
      Command line: "C:\Program Files\Taber LLC\RMM\rmm.exe"
      PID: 3920
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

1. C:\Program Files\Taber LLC\RMM\rmm.exe
   Command line: "C:\Program Files\Taber LLC\RMM\rmm.exe"
   PID: 3436
   - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads