Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/12/2023, 03:32
Behavioral task behavioral1
- Sample: 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
- Resource: win7-20231023-en
Behavioral task behavioral2
- Sample: 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
- Resource: win10v2004-20231130-en
General
- Target: 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
- Size: 926KB
- MD5: 5df1243f68a568c1b90a3e1c799c6c81
- SHA1: a12e5dc2113e43a6329152c698b4f29e88a7177a
- SHA256: 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d
- SHA512: f578ceb6cdf4331c8ed6803b01d33a663c37e94acaf9ed687be9688a11395b18cf7603a4a726f5a3736a5c3126cf2753c1e5a39fb01b6646f9f3e8ffd61ae510
- SSDEEP: 24576:0WM4MROxnFE3jrXpJrZlI0AilFEvxHiCx:0WfMiuXpJrZlI0AilFEvxHi
Malware Config
Extracted
- family: orcus
- 10.0.2.15:4444
- 9f5db8c63bb047d39e98370a28bee370
- autostart_method: Registry
- enable_keylogger: false
- install_path: %programfiles%\Orcus\Orcus.exe
- reconnect_delay: 10000
- registry_keyname: Orcus
- taskscheduler_taskname: Orcus
- watchdog_path: Temp\java.exe
Signatures
- Orcus main payload (4 IoCs)
  resource | yara_rule
  behavioral2/files/0x00070000000231d3-68.dat | family_orcus
  behavioral2/files/0x00070000000231d3-74.dat | family_orcus
  behavioral2/files/0x00070000000231d3-77.dat | family_orcus
  behavioral2/files/0x00070000000231d3-86.dat | family_orcus
- Orcurs Rat Executable (5 IoCs)
  resource | yara_rule
  behavioral2/files/0x00070000000231d3-68.dat | orcus
  behavioral2/files/0x00070000000231d3-74.dat | orcus
  behavioral2/files/0x00070000000231d3-77.dat | orcus
  behavioral2/memory/4004-80-0x0000000000110000-0x00000000001FE000-memory.dmp | orcus
  behavioral2/files/0x00070000000231d3-86.dat | orcus
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | java.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation | Orcus.exe
- Executes dropped EXE (6 IoCs)
  pid | Process
  2056 | WindowsInput.exe
  5052 | WindowsInput.exe
  4004 | Orcus.exe
  2012 | Orcus.exe
  1680 | java.exe
  2932 | java.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" | Orcus.exe
- Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\WindowsInput.exe | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
  File created | C:\Windows\SysWOW64\WindowsInput.exe.config | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
  File created | C:\Windows\SysWOW64\WindowsInput.InstallState | WindowsInput.exe
- Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Orcus\Orcus.exe.config | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
  File created | C:\Program Files\Orcus\Orcus.exe | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
  File opened for modification | C:\Program Files\Orcus\Orcus.exe | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
  File created | C:\Windows\assembly\Desktop.ini | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (64 entries, all from these two processes)
  4004 | Orcus.exe
  2932 | java.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4004 | Orcus.exe
  Token: SeDebugPrivilege | 1680 | java.exe
  Token: SeDebugPrivilege | 2932 | java.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  4004 | Orcus.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  4004 | Orcus.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description | pid | Process | procid_target
  PID 4500 wrote to memory of 1940 | 4500 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 89 (2 entries)
  PID 1940 wrote to memory of 3064 | 1940 | csc.exe | 91 (2 entries)
  PID 4500 wrote to memory of 2056 | 4500 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 93 (2 entries)
  PID 4500 wrote to memory of 4004 | 4500 | 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe | 95 (2 entries)
  PID 4004 wrote to memory of 1680 | 4004 | Orcus.exe | 97 (3 entries)
  PID 1680 wrote to memory of 2932 | 1680 | java.exe | 98 (3 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- PID 4500: C:\Users\Admin\AppData\Local\Temp\782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d.exe"
  Signatures:
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Children:
  - PID 1940: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6jwevuir.cmdline"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Children:
    - PID 3064: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D29.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3D28.tmp"
  - PID 2056: C:\Windows\SysWOW64\WindowsInput.exe
    Command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    Signatures:
    - Executes dropped EXE
    - Drops file in System32 directory
  - PID 4004: C:\Program Files\Orcus\Orcus.exe
    Command line: "C:\Program Files\Orcus\Orcus.exe"
    Signatures:
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Children:
    - PID 1680: C:\Users\Admin\AppData\Local\Temp\java.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\java.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 4004 /protectFile
      Signatures:
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Children:
      - PID 2932: C:\Users\Admin\AppData\Local\Temp\java.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\java.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 4004 "/protectFile"
        Signatures:
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- PID 5052: C:\Windows\SysWOW64\WindowsInput.exe
  Command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  Signatures:
  - Executes dropped EXE
- PID 2012: C:\Program Files\Orcus\Orcus.exe
  Command line: "C:\Program Files\Orcus\Orcus.exe"
  Signatures:
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 926KB
  MD5: 5df1243f68a568c1b90a3e1c799c6c81
  SHA1: a12e5dc2113e43a6329152c698b4f29e88a7177a
  SHA256: 782a64eadadacdc0352fac7c200e4037047d0d1ab4d446e6356a5fa65c58323d
  SHA512: f578ceb6cdf4331c8ed6803b01d33a663c37e94acaf9ed687be9688a11395b18cf7603a4a726f5a3736a5c3126cf2753c1e5a39fb01b6646f9f3e8ffd61ae510
- Filesize: 357B
  MD5: a2b76cea3a59fa9af5ea21ff68139c98
  SHA1: 35d76475e6a54c168f536e30206578babff58274
  SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
  SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
- Filesize: 425B
  MD5: 4eaca4566b22b01cd3bc115b9b0b2196
  SHA1: e743e0792c19f71740416e7b3c061d9f1336bf94
  SHA256: 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
  SHA512: bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
- Filesize: 76KB
  MD5: 797c7df4f223bccc204bda80883916ea
  SHA1: 247f43521ba80d8e0bbbcc4773cfb2d0f6d93cb7
  SHA256: 4f0c23f7efad742a8f3e084fb788fdc23d80fb0d67d0a4104d73d2a8b86288d7
  SHA512: e7bcee0a09ac7943239b00ce7adfc6151e167c840ad4a9254ce989b2506dbd8673bbfb1fdfe00650efc28c263080319b6027fbcedfbee9fd7374024c68a13f12
- Filesize: 1KB
  MD5: 4586f062ce3af3442e9c67a7ce5a3bdf
  SHA1: e28edf59fd4f3e1381f9c8b3bf826d91f76ce4b6
  SHA256: ecc59eb739d953b2a5add92e446190edb761a71ab7a472d0d615c280578ada81
  SHA512: 7604afdbc6e2ab31762d648849948feafffda0d4b06705ac9adf89824ee4d9993ab875f63c08e840ebce8e0881c416f3465383ba785eb0c00013252ff2e55cf9
- Filesize: 9KB
  MD5: 913967b216326e36a08010fb70f9dba3
  SHA1: 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
  SHA256: 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
  SHA512: c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
- Filesize: 1KB
  MD5: 883c4db2fb3e2c33733c9d3fd0d37fff
  SHA1: 74351c8e76e64d80a8dd1edb4b836d4de1335475
  SHA256: 7851722cbada179347e99453d256dffd424ca58ce67fdc46225bfb81050b39c9
  SHA512: 6c94d8542575f99dc7879e23b87448eac8c6bc29a576ba73f3a1726c0774853bde4ae383eaf335323390a2a588c59e57a16e21a6a39eae5c969b08ae59d5b5b5
- Filesize: 21KB
  MD5: e6fcf516d8ed8d0d4427f86e08d0d435
  SHA1: c7691731583ab7890086635cb7f3e4c22ca5e409
  SHA256: 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
  SHA512: c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
- Filesize: 208KB
  MD5: 50b2e713d0cf1f3e1034faac3722c5f7
  SHA1: c107aef426bdf5968eec4b9201ebd8f1463fe971
  SHA256: f3993f469ca2c01107056cc26f8fef7a293c42079223bdfb40c413288985e472
  SHA512: eed374819e106f8cbe39a21d4167a27e32e886d2eb13281b024df17311c8df223e2596c792b242f23d49c655dc753a7c432f73b7027b5a2e6e2b2613076b7505
- Filesize: 349B
  MD5: ee31f3d3ce49f5ff6cb75b827ce59c9d
  SHA1: 5016504689927e14396e2f3159190a9f1e99c6d0
  SHA256: b7b96d0b5c73f601d4c807996d1e668acc5656443e1f52859fd13bba711697f8
  SHA512: a6ce1345e3ae55fce2ce3c80ce656ab3c85dc44ea353084ef763c83371626df79269ac41a7ba9f5faded7b3a3669d51dc93b674eb1b397b90c51e971175d9875
- Filesize: 676B
  MD5: 4962d36db72381c618cc78aa5f561ce0
  SHA1: 25781dd010ddb3166a57053b8b7db8e638539fcf
  SHA256: 53c834165be9492418dc6cfbe72a5598acf38b0ef31094c1f01941102a6f810d
  SHA512: fac4080f0432bdf70bd9b1969ab4ead6e9e1ec2c4b59caf4e59a77ad88bfc0a264b9c0990a986c6bd4b66df9eef993ca9d4012be22e6c471f7776d857014548a