Analysis
  max time kernel: 0s
  max time network: 121s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06-02-2024 01:07
Behavioral task
  behavioral1
  Sample: b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
  Resource: win7-20231215-en
General
  Target: b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
  Size: 3.0MB
  MD5: a0bf0e1d9998071ab3eea44c602e62fe
  SHA1: abbfe33f050e0d86141e3d86353e442ec137ce5f
  SHA256: b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c
  SHA512: 37c2c2716467f266c0119b8f951a141522422c4f9d0ea6f28c428b6064ae2c1547ee8637ac840c49d0b5aec1a1c89fb49372700b399db7154313f497b8e4afce
  SSDEEP: 49152:O3X27p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpEu/nRFfjI7L0qbE:OWHTPJg8z1mKnypSbRxo9JCm
Malware Config
  Extracted
    Family: orcus
    Новый тег
    31.44.184.52:58576
    sudo_2f0j3yx80ngl37acxfsp3wpr9q36wsle
    autostart_method: Disable
    enable_keylogger: false
    install_path: %appdata%\javascriptpackettemp\lowbase.exe
    reconnect_delay: 10000
    registry_keyname: Sudik
    taskscheduler_taskname: sudik
    watchdog_path: AppData\aga.exe
Signatures
  Orcus main payload (2 IoCs)
    resource                                        yara_rule
    behavioral2/files/0x0006000000023238-13.dat     family_orcus
    behavioral2/files/0x0006000000023238-22.dat     family_orcus
  Orcurs Rat Executable (3 IoCs)
    resource                                                                          yara_rule
    behavioral2/memory/4744-1-0x0000000000D40000-0x000000000103E000-memory.dmp        orcus
    behavioral2/files/0x0006000000023238-13.dat                                       orcus
    behavioral2/files/0x0006000000023238-22.dat                                       orcus
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious behavior: EnumeratesProcesses (1 IoCs)
    pid     Process
    4744    b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
  Suspicious use of AdjustPrivilegeToken (1 IoCs)
    description                pid     Process
    Token: SeDebugPrivilege    4744    b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe"
      PID: 4744
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
        command line: "C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe"
        PID: 668
      [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
          PID: 4472
      [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
          PID: 1148
  [1] C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
      command line: C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
      PID: 3580
  [1] C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
      command line: C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
      PID: 3664
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 1KB
  MD5: 663b8d5469caa4489d463aa9bc18124f
  SHA1: e57123a7d969115853ea631a3b33826335025d28
  SHA256: 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
  SHA512: 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

  Filesize: 91KB
  MD5: 7efee619e783d06d8d526cc763ccb994
  SHA1: 38f32a260d01d1c0a8b0840dea4c7c7404784137
  SHA256: e79045493be7f0d7c9604eb49d4c15a883aa0c08cfa4ef721a1d70fe4ac89b84
  SHA512: c249861f4dde01199e62126840e2481f16c6ae776e643ddbecaa9a15d048da136a6e86c5493f9c823a08cdc5f187694fd5016904f7d5cb10bf5efd69a897bbbd

  Filesize: 124KB
  MD5: f0b5b7471116c984a131ba59102aa893
  SHA1: 8de0255b5704ff3bbd2b1c65d9deff87bbbbaf6e
  SHA256: 31e77bfeaad9c2591ade00a28e8a53337b789094e431521d26ab06cbe9992ed2
  SHA512: 61f1938e8a457e6a3a4ea31bd23ebd5c6bc04189869ac1787fb3b6bf4cd37f91bbf44356cda90a0c5133f69735425afb45a1ab07ea2f25f8b7fda2cd15415c07

  Filesize: 89KB
  MD5: 2b0e9a26e54cee4ffda0c920d5fadd1c
  SHA1: 99b532aa4ddc76b292cf7f98fb7231d0bf21fdcc
  SHA256: c5d08f7fc7901991889b37de648d5b7a4db50229894fc75181c692f10414fe42
  SHA512: ab50b106af07d04feb66de744765f3f4ad3da6bb85af4fa3e1140d2b8ba62e532ac1d22f999238cf811594473b27735a5cc8a7a116c18258780fcc76c73a3b04

  Filesize: 79KB
  MD5: 0339e4143a8c2cd99acdbf7c41533a70
  SHA1: 722e2e3c8fae4d1941ddee805b10d8a82540ced9
  SHA256: ddcd8d53e3276b1077c1c3c225db89e48323a85733be0bc4ee79d4f4aeb86f5a
  SHA512: 578ff57699bc65a1ea7ae2b9bcd4ccde588733c234d28b68dbe9b60bbf7f0cb873655efe5a4c75941472ac32f1f2d180233707fc28d1129a79f0028212f57911

  Filesize: 357B
  MD5: a2b76cea3a59fa9af5ea21ff68139c98
  SHA1: 35d76475e6a54c168f536e30206578babff58274
  SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
  SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad