Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 06/12/2023, 03:32
Behavioral task behavioral1
Sample: 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
Resource: win7-20231023-en
Behavioral task behavioral2
Sample: 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
Resource: win10v2004-20231130-en
General
Target: 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
Size: 926KB
MD5: 5df1243f68a568c1b90a3e1c799c6c81
SHA1: a12e5dc2113e43a6329152c698b4f29e88a7177a
SHA256: 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d
SHA512: f578ceb6cdf4331c8ed6803b01d33a663c37e94acaf9ed687be9688a11395b18cf7603a4a726f5a3736a5c3126cf2753c1e5a39fb01b6646f9f3e8ffd61ae510
SSDEEP: 24576:0WM4MROxnFE3jrXpJrZlI0AilFEvxHiCx:0WfMiuXpJrZlI0AilFEvxHi
Malware Config
Extracted
orcus
10.0.2.15:4444
9f5db8c63bb047d39e98370a28bee370
autostart_method: Registry
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: Temp\java.exe
Signatures
Orcus main payload 3 IoCs
resource | yara_rule
behavioral1/files/0x0008000000018ad8-47.dat | family_orcus
behavioral1/files/0x0008000000018ad8-49.dat | family_orcus
behavioral1/files/0x0008000000018ad8-59.dat | family_orcus
Orcurs Rat Executable 4 IoCs
resource | yara_rule
behavioral1/files/0x0008000000018ad8-47.dat | orcus
behavioral1/files/0x0008000000018ad8-49.dat | orcus
behavioral1/memory/2540-50-0x00000000012B0000-0x000000000139E000-memory.dmp | orcus
behavioral1/files/0x0008000000018ad8-59.dat | orcus
Executes dropped EXE 6 IoCs
pid | Process
2688 | WindowsInput.exe
2912 | WindowsInput.exe
2540 | Orcus.exe
3048 | Orcus.exe
1052 | java.exe
2256 | java.exe
Loads dropped DLL 1 IoCs
pid | Process
1052 | java.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" | Orcus.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | WindowsInput.exe
File created | C:\Windows\SysWOW64\WindowsInput.exe | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\Orcus\Orcus.exe | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
File opened for modification | C:\Program Files\Orcus\Orcus.exe | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
File created | C:\Program Files\Orcus\Orcus.exe.config | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2256 java.exe 2256 java.exe 2540 Orcus.exe 2540 Orcus.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2540 Orcus.exe 2256 java.exe 2256 java.exe 2540 Orcus.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2540 Orcus.exe 2256 java.exe 2256 java.exe 2540 Orcus.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2540 | Orcus.exe
Token: SeDebugPrivilege | 1052 | java.exe
Token: SeDebugPrivilege | 2256 | java.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2540 | Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
2540 | Orcus.exe
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target
PID 3044 wrote to memory of 2440 | 3044 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 28
PID 3044 wrote to memory of 2440 | 3044 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 28
PID 3044 wrote to memory of 2440 | 3044 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 28
PID 2440 wrote to memory of 3004 | 2440 | csc.exe | 30
PID 2440 wrote to memory of 3004 | 2440 | csc.exe | 30
PID 2440 wrote to memory of 3004 | 2440 | csc.exe | 30
PID 3044 wrote to memory of 2688 | 3044 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 32
PID 3044 wrote to memory of 2688 | 3044 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 32
PID 3044 wrote to memory of 2688 | 3044 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 32
PID 3044 wrote to memory of 2540 | 3044 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 34
PID 3044 wrote to memory of 2540 | 3044 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 34
PID 3044 wrote to memory of 2540 | 3044 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 34
PID 2580 wrote to memory of 3048 | 2580 | taskeng.exe | 36
PID 2580 wrote to memory of 3048 | 2580 | taskeng.exe | 36
PID 2580 wrote to memory of 3048 | 2580 | taskeng.exe | 36
PID 2540 wrote to memory of 1052 | 2540 | Orcus.exe | 37
PID 2540 wrote to memory of 1052 | 2540 | Orcus.exe | 37
PID 2540 wrote to memory of 1052 | 2540 | Orcus.exe | 37
PID 2540 wrote to memory of 1052 | 2540 | Orcus.exe | 37
PID 2540 wrote to memory of 1052 | 2540 | Orcus.exe | 37
PID 2540 wrote to memory of 1052 | 2540 | Orcus.exe | 37
PID 2540 wrote to memory of 1052 | 2540 | Orcus.exe | 37
PID 1052 wrote to memory of 2256 | 1052 | java.exe | 38
PID 1052 wrote to memory of 2256 | 1052 | java.exe | 38
PID 1052 wrote to memory of 2256 | 1052 | java.exe | 38
PID 1052 wrote to memory of 2256 | 1052 | java.exe | 38
PID 1052 wrote to memory of 2256 | 1052 | java.exe | 38
PID 1052 wrote to memory of 2256 | 1052 | java.exe | 38
PID 1052 wrote to memory of 2256 | 1052 | java.exe | 38
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe"
  PID: 3044
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rudetyzv.cmdline"
    PID: 2440
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA832.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA831.tmp"
      PID: 3004
  C:\Windows\SysWOW64\WindowsInput.exe
    Command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    PID: 2688
    - Executes dropped EXE
    - Drops file in System32 directory
  C:\Program Files\Orcus\Orcus.exe
    Command line: "C:\Program Files\Orcus\Orcus.exe"
    PID: 2540
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\java.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\java.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2540 /protectFile
      PID: 1052
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\java.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\java.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2540 "/protectFile"
        PID: 2256
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WindowsInput.exe
  Command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  PID: 2912
  - Executes dropped EXE
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {7DEC34B3-4A95-4FC9-8B64-4C058B1D89A2} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
  PID: 2580
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Orcus\Orcus.exe
    Command line: "C:\Program Files\Orcus\Orcus.exe"
    PID: 3048
    - Executes dropped EXE
Downloads