Analysis
max time kernel: 0s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 06-02-2024 01:07
Behavioral task: behavioral1
Sample: b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
Resource: win7-20231215-en
General
Target: b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
Size: 3.0MB
MD5: a0bf0e1d9998071ab3eea44c602e62fe
SHA1: abbfe33f050e0d86141e3d86353e442ec137ce5f
SHA256: b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c
SHA512: 37c2c2716467f266c0119b8f951a141522422c4f9d0ea6f28c428b6064ae2c1547ee8637ac840c49d0b5aec1a1c89fb49372700b399db7154313f497b8e4afce
SSDEEP: 49152:O3X27p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpEu/nRFfjI7L0qbE:OWHTPJg8z1mKnypSbRxo9JCm
Malware Config
Extracted
orcus
Новый тег
31.44.184.52:58576
sudo_2f0j3yx80ngl37acxfsp3wpr9q36wsle
autostart_method: Disable
enable_keylogger: false
install_path: %appdata%\javascriptpackettemp\lowbase.exe
reconnect_delay: 10000
registry_keyname: Sudik
taskscheduler_taskname: sudik
watchdog_path: AppData\aga.exe
Signatures
Orcus main payload (1 IoC)
  resource: behavioral1/files/0x000d000000012343-15.dat
  yara_rule: family_orcus
Orcurs Rat Executable (3 IoCs)
  resource: behavioral1/memory/2572-0-0x0000000000F40000-0x000000000123E000-memory.dmp
  yara_rule: orcus
  resource: behavioral1/files/0x000d000000012343-15.dat
  yara_rule: orcus
  resource: behavioral1/memory/2848-36-0x00000000011D0000-0x00000000014CE000-memory.dmp
  yara_rule: orcus
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 2572
  process: b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2572
  process: b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe"
  PID: 2572
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
      command line: "C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe"
      PID: 1548
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {8DDE8B7B-4EF7-4DF1-8509-BE2675C88193} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
  PID: 2784
    C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
      command line: C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
      PID: 2848
    C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
      command line: C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
      PID: 2800
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
  PID: 2884
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 46KB
MD5: 922ce20009f9d164ce954487d373527c
SHA1: 8a1942db234c4c8eec8f30f955a9e3ac2f8c58f2
SHA256: d42dd4c42aa9feaa2e2649936e08d954fe57e9d1e75cca2adb0c1e0e19fe147c
SHA512: a35eef341dd309c58a8236298b0ebb845294a13dbbd91d6085b469866bb91bf242858454fd0b2301755faf208e6819796484c49d575b1ec961ba209e23f4d89f

Filesize: 99KB
MD5: 19f3cdec267ffcb022a8b6aa43ce2e17
SHA1: 166c3ce0546f191dc4ff70d79ed633d6e0d9062c
SHA256: 9c9deb62e9e20ec30dad4a6d493643b47c25fef0de90740936921dc6095ac6eb
SHA512: d6897fffefc936d28f18c76a5c71dca325b73f4d161473e86fbd821214d50b1d6920af9228c52bc63d83c9cd3e48af6c99d488fee841710c0a6ad8d75026e9f4

Filesize: 64KB
MD5: 2794dea72b9f3133d95c7b85ead090a7
SHA1: 9857270851b6e0659fa5721a720a5cfac88eb46e
SHA256: 5300e25aa5b4a5f50db8edd222d6ece5de4033d62f5e6d6849ea0024676475a1
SHA512: 370ce42f427d7017eb3407247d5f18bd2cad299fc21326014d07c7130ba38d5cb7625eb6ebe6c2b6d397dd9902547fd8aa9e7b8798da0e2fa1a6afd60ffd0ff5

Filesize: 91KB
MD5: 65696ae7f9f46b859b8569b43999d07f
SHA1: bd221e65e2a3deaf259894d503dc523bc5fc37c1
SHA256: a1ec055137a4f5b42fdf16b95c6859bb2bd4fbd6a931347f0fa13b9ec5c92845
SHA512: 7b1bd9823ad0effb965c32f6fb90c788c07223c936edaeca6585c6a67c9b69176e773193b8aecb1b6b0be0dc6ff98753ca70c68e81d41a91618780399ecf802b

Filesize: 5KB
MD5: 4e7e9a42a051bd0def8039d32d0242de
SHA1: bbcbd0399ae7c403c8a864f5504cf96be9dd06a1
SHA256: cf169c95539b74ea038c48ccfb75e538a97bc54d1dd16a48fcfa40c0e1045a18
SHA512: ff5a2999ec0a0223fce9ede4577dbda09d82495f539d7e9f1cf1dddc165e0a5b943e7a591970db1bdf4a25cd479a835f8693678a74f9af947c560bb1b390d6fe

Filesize: 68KB
MD5: 59b4ef1defad2968fb0d9366566daecf
SHA1: 081326ac42537f6f10088cbe03fe84d4c9877f5c
SHA256: 054c3323fa6e538f57544206961a5f6f4d937822e4b70d522173fd29ff652314
SHA512: 10a6582e7c11b17ce789ebb10d33dc5e47fc38d1b3e902eccb69b46641da7887f24bf08d7c161683b81db32fa2206ff878c2234ffa60122627a4025a4a0b44ca

Filesize: 406KB
MD5: ee7052356bbd3afa1ee3c21a4222b55f
SHA1: 9e3ecff8b9394c8b3786ad231a08dedc059df354
SHA256: 1e6742f6f742d68a6d0fb6647643e6e26058762cc54ef9573f059fd3eb2add30
SHA512: 225c2de3ab31ff8927ddf14562222cdaeae26cb6b17545067e3bda305879ab4974c653c8a27dae77b77dcdbe8cf95b6964a745522ecd8110a8ebfa9c648ab620