Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/12/2023, 03:32

General

  • Target

    782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe

  • Size

    926KB

  • MD5

    5df1243f68a568c1b90a3e1c799c6c81

  • SHA1

    a12e5dc2113e43a6329152c698b4f29e88a7177a

  • SHA256

    782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d

  • SHA512

    f578ceb6cdf4331c8ed6803b01d33a663c37e94acaf9ed687be9688a11395b18cf7603a4a726f5a3736a5c3126cf2753c1e5a39fb01b6646f9f3e8ffd61ae510

  • SSDEEP

    24576:0WM4MROxnFE3jrXpJrZlI0AilFEvxHiCx:0WfMiuXpJrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

C2

10.0.2.15:4444

Mutex

9f5db8c63bb047d39e98370a28bee370

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    Temp\java.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus main payload 3 IoCs
  • Orcus RAT Executable 4 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
    "C:\Users\Admin\AppData\Local\Temp\782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rudetyzv.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA832.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA831.tmp"
        3⤵
        PID:3004
      • C:\Windows\SysWOW64\WindowsInput.exe
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:2688
      • C:\Program Files\Orcus\Orcus.exe
        "C:\Program Files\Orcus\Orcus.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Local\Temp\java.exe
          "C:\Users\Admin\AppData\Local\Temp\java.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2540 /protectFile
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1052
          • C:\Users\Admin\AppData\Local\Temp\java.exe
            "C:\Users\Admin\AppData\Local\Temp\java.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2540 "/protectFile"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2256
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe"
      1⤵
      • Executes dropped EXE
      PID:2912
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {7DEC34B3-4A95-4FC9-8B64-4C058B1D89A2} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Program Files\Orcus\Orcus.exe
        "C:\Program Files\Orcus\Orcus.exe"
        2⤵
        • Executes dropped EXE
        PID:3048

    Downloads

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      926KB

      MD5

      5df1243f68a568c1b90a3e1c799c6c81

      SHA1

      a12e5dc2113e43a6329152c698b4f29e88a7177a

      SHA256

      782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d

      SHA512

      f578ceb6cdf4331c8ed6803b01d33a663c37e94acaf9ed687be9688a11395b18cf7603a4a726f5a3736a5c3126cf2753c1e5a39fb01b6646f9f3e8ffd61ae510

    • C:\Program Files\Orcus\Orcus.exe.config

      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    • C:\Users\Admin\AppData\Local\Temp\RESA832.tmp

      Filesize

      1KB

      MD5

      75d50c07309ce805e5a03f39d567498a

      SHA1

      a28e5160b93bdb8ccc5eef8a62d0baa25839d707

      SHA256

      d08e3bcf10a32af23f2362971601f5bf05a9751c82af54514ef8f75cb945fd54

      SHA512

      3858b2cf028edb029cb4e15ec18e32a8ff59d49339860dc7460df942d7f5d18a71e9810da5cd6ede9ab736e53ed4649440f3df6dba5a98603bc62f29e9e4bcb7

    • C:\Users\Admin\AppData\Local\Temp\java.exe

      Filesize

      9KB

      MD5

      913967b216326e36a08010fb70f9dba3

      SHA1

      7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

      SHA256

      8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

      SHA512

      c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    • C:\Users\Admin\AppData\Local\Temp\java.exe.config

      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    • C:\Users\Admin\AppData\Local\Temp\rudetyzv.dll

      Filesize

      76KB

      MD5

      42e57c933247a433ef181ac2ca7e9252

      SHA1

      2064d6a27593e03df0c52b78939f024f5fbd30ab

      SHA256

      b6adced3fde152b91764426fcbd79f65052d7324fa7219f05b23f7722937df41

      SHA512

      c7778499d28a7b35ee51b336966f579523d581a16da8b948cb3481c43a3d6e8d9d0c7c5179b3db698cc29bea6a7a118dabfaa6436180180dca055ec31d7cc4da

    • C:\Users\Admin\AppData\Roaming\Orcus\err_9f5db8c63bb047d39e98370a28bee370.dat

      Filesize

      1KB

      MD5

      ef9e4b3ffe78cad5303bd3afb8313c10

      SHA1

      15da26c72029bf97800fd6d884659077c7cc7640

      SHA256

      d2ab86969f842cda9deebe83f51ff6350ff707159daf5cda60617f35eaf6c15b

      SHA512

      94163d63f9642a20e8c89475136a6a80453ed937b1c1a258775c912b2532df9603621264e0f724059bb4a79c29c76735f6d49e822f77b2f6772e8345fd20d1ba

    • C:\Windows\SysWOW64\WindowsInput.exe

      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

    • C:\Windows\SysWOW64\WindowsInput.exe.config

      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCA831.tmp

      Filesize

      676B

      MD5

      454a79e0ae9dd06e66fc2f03cad5532f

      SHA1

      1f0cfa75712fcfffdd3806068d7b259fb41e4a6d

      SHA256

      b2eb70e6130b502153c0952ad0a6f3ee9d44ce41935111cd0a03b6b15207c1e3

      SHA512

      5b5527080700f75ece91a7e20a7c96802b3fac669b2a050bc4de147fbc4738ccc85669232481d84c27b82fe9c05928b7f4a8d30052b6ddac5359ae81d91292b0

    • \??\c:\Users\Admin\AppData\Local\Temp\rudetyzv.0.cs

      Filesize

      208KB

      MD5

      62a85092f060ce8271c5fba94b4aba7a

      SHA1

      9a2f7a2f472ad9ee885faf13579acdce5204908e

      SHA256

      da347f5c56a106054c19dc17c64b85007622b73bda1c96255d40e7604ef7c3cc

      SHA512

      8c1558a66fc9962ce32321725994bdeb06213487cb90b69b21ccf150a4f79975cf0b63bfaed775a53df33baefca8cacca2b58f3b6a4ba6914c3247f5afa7c280

    • \??\c:\Users\Admin\AppData\Local\Temp\rudetyzv.cmdline

      Filesize

      349B

      MD5

      821b11b8172338c9810bb0126213a164

      SHA1

      70786a84193a8f20e83bf73562d10645de512d4f

      SHA256

      a02f761affd9e536cb8a7fc2f5e3cec4503643e5b854f9ecc26675e04ab7ab59

      SHA512

      92a8d23729753ca69d18f267ba15b6dfbeddb8baa444a5f2080de883fbcba83b6a16d4f82c478cfcadcfa818d2697c0fe0469f501166992af18182505d926c7d

    • \Users\Admin\AppData\Local\Temp\java.exe

      Filesize

      9KB

      MD5

      913967b216326e36a08010fb70f9dba3

      SHA1

      7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

      SHA256

      8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

      SHA512

      c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    • memory/1052-72-0x0000000000260000-0x0000000000268000-memory.dmp, Filesize 32KB
    • memory/1052-73-0x00000000747B0000-0x0000000074E9E000-memory.dmp, Filesize 6.9MB
    • memory/1052-76-0x00000000747B0000-0x0000000074E9E000-memory.dmp, Filesize 6.9MB
    • memory/2256-77-0x00000000747B0000-0x0000000074E9E000-memory.dmp, Filesize 6.9MB
    • memory/2256-83-0x00000000747B0000-0x0000000074E9E000-memory.dmp, Filesize 6.9MB
    • memory/2540-62-0x0000000000400000-0x0000000000410000-memory.dmp, Filesize 64KB
    • memory/2540-58-0x0000000000C30000-0x0000000000C48000-memory.dmp, Filesize 96KB
    • memory/2540-63-0x000000001B0F0000-0x000000001B170000-memory.dmp, Filesize 512KB
    • memory/2540-80-0x000007FEEC630000-0x000007FEED01C000-memory.dmp, Filesize 9.9MB
    • memory/2540-81-0x000000001B0F0000-0x000000001B170000-memory.dmp, Filesize 512KB
    • memory/2540-57-0x0000000000E10000-0x0000000000E5E000-memory.dmp, Filesize 312KB
    • memory/2540-50-0x00000000012B0000-0x000000000139E000-memory.dmp, Filesize 952KB
    • memory/2540-51-0x000007FEEC630000-0x000007FEED01C000-memory.dmp, Filesize 9.9MB
    • memory/2540-53-0x000000001B0F0000-0x000000001B170000-memory.dmp, Filesize 512KB
    • memory/2540-82-0x000000001B0F0000-0x000000001B170000-memory.dmp, Filesize 512KB
    • memory/2540-54-0x0000000000300000-0x0000000000312000-memory.dmp, Filesize 72KB
    • memory/2688-33-0x000007FEED020000-0x000007FEEDA0C000-memory.dmp, Filesize 9.9MB
    • memory/2688-34-0x000000001B2A0000-0x000000001B320000-memory.dmp, Filesize 512KB
    • memory/2688-32-0x0000000000F00000-0x0000000000F0C000-memory.dmp, Filesize 48KB
    • memory/2688-37-0x000007FEED020000-0x000007FEEDA0C000-memory.dmp, Filesize 9.9MB
    • memory/2912-78-0x000007FEEC630000-0x000007FEED01C000-memory.dmp, Filesize 9.9MB
    • memory/2912-39-0x0000000000040000-0x000000000004C000-memory.dmp, Filesize 48KB
    • memory/2912-40-0x000007FEEC630000-0x000007FEED01C000-memory.dmp, Filesize 9.9MB
    • memory/2912-41-0x0000000000D30000-0x0000000000DB0000-memory.dmp, Filesize 512KB
    • memory/3044-0-0x0000000000A10000-0x0000000000A6C000-memory.dmp, Filesize 368KB
    • memory/3044-3-0x0000000000AB0000-0x0000000000B30000-memory.dmp, Filesize 512KB
    • memory/3044-20-0x0000000000A80000-0x0000000000A88000-memory.dmp, Filesize 32KB
    • memory/3044-21-0x0000000000A90000-0x0000000000A98000-memory.dmp, Filesize 32KB
    • memory/3044-19-0x0000000000440000-0x0000000000452000-memory.dmp, Filesize 72KB
    • memory/3044-17-0x0000000000D30000-0x0000000000D46000-memory.dmp, Filesize 88KB
    • memory/3044-4-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp, Filesize 9.6MB
    • memory/3044-22-0x0000000000AB0000-0x0000000000B30000-memory.dmp, Filesize 512KB
    • memory/3044-2-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp, Filesize 9.6MB
    • memory/3044-24-0x0000000000AB0000-0x0000000000B30000-memory.dmp, Filesize 512KB
    • memory/3044-1-0x0000000000410000-0x000000000041E000-memory.dmp, Filesize 56KB
    • memory/3044-52-0x000007FEF5D40000-0x000007FEF66DD000-memory.dmp, Filesize 9.6MB
    • memory/3048-60-0x000007FEEC630000-0x000007FEED01C000-memory.dmp, Filesize 9.9MB
    • memory/3048-61-0x0000000000450000-0x00000000004D0000-memory.dmp, Filesize 512KB
    • memory/3048-79-0x000007FEEC630000-0x000007FEED01C000-memory.dmp, Filesize 9.9MB