Analysis
-
max time kernel
309s -
max time network
317s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
04-02-2024 20:38
General
-
Target
BubbleGum.exe
-
Size
913KB
-
MD5
748d9e7dded0fe4061365ef179edf7c2
-
SHA1
424e254d2994cc84e9fe25cfa4fa70e0525962f0
-
SHA256
8e95e23ae63cb61ab1ccf577a9fdfc954a86909e0b56ffedba4991ceed2841f1
-
SHA512
bbe3dd8e067c09e783410a230f1abf515e050ee6c88d9b3d6c25a7dda864d3fb94c1fab94ab315393330ec1d645af08571ebc2f8bff5f9db01d5e0e4f5d0ab9e
-
SSDEEP
24576:X0M4MROxnFNFPurerrcI0AilFEvxHPZPooI:XuMieerrcI0AilFEvxHP
Malware Config
Extracted
orcus
192.168.1.78:10134
c29f10c39b8e4ad0bdd582b0231f4e4e
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus main payload 3 IoCs
resource yara_rule behavioral1/files/0x0006000000023226-49.dat family_orcus behavioral1/files/0x0006000000023226-46.dat family_orcus behavioral1/files/0x0006000000023226-40.dat family_orcus -
Orcurs Rat Executable 4 IoCs
resource yara_rule behavioral1/memory/5064-1-0x00000000005D0000-0x00000000006BA000-memory.dmp orcus behavioral1/files/0x0006000000023226-49.dat orcus behavioral1/files/0x0006000000023226-46.dat orcus behavioral1/files/0x0006000000023226-40.dat orcus -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation BubbleGum.exe -
Executes dropped EXE 3 IoCs
pid Process 1164 WindowsInput.exe 4240 WindowsInput.exe 2512 Orcus.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\WindowsInput.InstallState WindowsInput.exe File created C:\Windows\SysWOW64\WindowsInput.exe BubbleGum.exe File created C:\Windows\SysWOW64\WindowsInput.exe.config BubbleGum.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\Orcus\Orcus.exe BubbleGum.exe File opened for modification C:\Program Files (x86)\Orcus\Orcus.exe BubbleGum.exe File created C:\Program Files (x86)\Orcus\Orcus.exe.config BubbleGum.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2512 Orcus.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2512 Orcus.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 5064 wrote to memory of 1164 5064 BubbleGum.exe 85 PID 5064 wrote to memory of 1164 5064 BubbleGum.exe 85 PID 5064 wrote to memory of 2512 5064 BubbleGum.exe 87 PID 5064 wrote to memory of 2512 5064 BubbleGum.exe 87 PID 5064 wrote to memory of 2512 5064 BubbleGum.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\BubbleGum.exe"C:\Users\Admin\AppData\Local\Temp\BubbleGum.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1164
-
-
C:\Program Files (x86)\Orcus\Orcus.exe"C:\Program Files (x86)\Orcus\Orcus.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2512
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
PID:4240
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
913KB
MD5748d9e7dded0fe4061365ef179edf7c2
SHA1424e254d2994cc84e9fe25cfa4fa70e0525962f0
SHA2568e95e23ae63cb61ab1ccf577a9fdfc954a86909e0b56ffedba4991ceed2841f1
SHA512bbe3dd8e067c09e783410a230f1abf515e050ee6c88d9b3d6c25a7dda864d3fb94c1fab94ab315393330ec1d645af08571ebc2f8bff5f9db01d5e0e4f5d0ab9e
-
Filesize
324KB
MD5cb20febd96ea133dade394f5e7667fd9
SHA1aef6af00e7843a2dc6e90d1f70170b9aae9a848c
SHA25633c969c1ce9a9f5e31ce4d1621aeb2e772b9fc64da482568665998b5e21dccc3
SHA51219006dd5e8dd66ad81119b54229b365bb04c1cf4aabb5b84a610f29bf360a4ee36fe75c557af97c715f8add94b1a314e89a7848e244663253178066ad9494c26
-
Filesize
409KB
MD54106a07c7e59c57f1e15e1d10d751d5d
SHA1c111e60621c8d355cc39b283215d98314ef1d95f
SHA256410649daf2edce04b21dfdfe29cab1e9556edf96861a0de2c9555d23b6200f9b
SHA5123f7070dd14bc4d86046b220a2527e92c51e65c650e9ec0f11a95d93aa364689b4a4bad0c0eb1ebeedb9d3087b3094c8d8fb42948a50680ca23f11c6ebd25eab7
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
1KB
MD50c4688eb293c3f51ba22ab0c8237c710
SHA1e4113a3998f783f6677a1dc1132804adfe0b1649
SHA256d2e379e0cc4cc667079a33444c59e2116eca3665f0ce70ed49854a7ee5fbe050
SHA5126b010d8ba44fd3a0e2497bb4adb32a4d23876ad3cf2682a34f4f58e24967162a2c10cdb089bcc10fddb532f91fee0809191b8f74a1a5978f9f88ce34e40eba64
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad