Analysis
max time kernel: 143s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-02-2024 02:54
Behavioral task: behavioral1
Sample: 7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775.exe
Resource: win7-20231215-en
General
Target: 7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775.exe
Size: 3.0MB
MD5: f250b617f96b16057d1ca4a2539b7f99
SHA1: ec6cd5efabe7dc98b62a8120d47d0417e0d335c6
SHA256: 7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775
SHA512: 2265b4557d5a22987e341ccc60b74efeac1c31403a9d9fb0143018450ce4e49c68f4c3af4c9ba77dc73f89bc8a2898790212065464f4370d44b70552d9d28816
SSDEEP: 49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:YUHTPJg8z1mKnypSbRxo9JCm
Malware Config
Extracted family: orcus
Новый тег
31.44.184.52:58029
aaax6va698fwvwnskxxhhiv7p2n6j5erbcly
autostart_method: Disable
enable_keylogger: false
install_path: %appdata%\wpprivatepacket\jsrequest.exe
reconnect_delay: 10000
registry_keyname: Sudik
taskscheduler_taskname: sudik
watchdog_path: AppData\aga.exe
Signatures

Orcus main payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000600000002313c-13.dat | family_orcus
behavioral2/files/0x000600000002313c-37.dat | family_orcus

Orcurs Rat Executable (3 IoCs)
resource | yara_rule
behavioral2/memory/2932-1-0x0000000000380000-0x000000000067E000-memory.dmp | orcus
behavioral2/files/0x000600000002313c-13.dat | orcus
behavioral2/files/0x000600000002313c-37.dat | orcus

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775.exe

Executes dropped EXE (5 IoCs)
pid | Process
3840 | jsrequest.exe
180 | jsrequest.exe
1484 | jsrequest.exe
2232 | jsrequest.exe
1528 | jsrequest.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3840 set thread context of 1756 | 3840 | jsrequest.exe | 86
PID 180 set thread context of 3152 | 180 | jsrequest.exe | 88

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2932 | 7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775.exe
3840 | jsrequest.exe
3840 | jsrequest.exe
180 | jsrequest.exe
180 | jsrequest.exe
1756 | regasm.exe
1756 | regasm.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2932 | 7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775.exe
Token: SeDebugPrivilege | 3840 | jsrequest.exe
Token: SeDebugPrivilege | 180 | jsrequest.exe
Token: SeDebugPrivilege | 1756 | regasm.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 2932 wrote to memory of 3840 | 2932 | 7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775.exe | 84
PID 2932 wrote to memory of 3840 | 2932 | 7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775.exe | 84
PID 2932 wrote to memory of 3840 | 2932 | 7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775.exe | 84
PID 3840 wrote to memory of 1756 | 3840 | jsrequest.exe | 86
PID 3840 wrote to memory of 1756 | 3840 | jsrequest.exe | 86
PID 3840 wrote to memory of 1756 | 3840 | jsrequest.exe | 86
PID 3840 wrote to memory of 1756 | 3840 | jsrequest.exe | 86
PID 3840 wrote to memory of 1756 | 3840 | jsrequest.exe | 86
PID 3840 wrote to memory of 1756 | 3840 | jsrequest.exe | 86
PID 3840 wrote to memory of 1756 | 3840 | jsrequest.exe | 86
PID 3840 wrote to memory of 1756 | 3840 | jsrequest.exe | 86
PID 180 wrote to memory of 3152 | 180 | jsrequest.exe | 88
PID 180 wrote to memory of 3152 | 180 | jsrequest.exe | 88
PID 180 wrote to memory of 3152 | 180 | jsrequest.exe | 88
PID 180 wrote to memory of 3152 | 180 | jsrequest.exe | 88
PID 180 wrote to memory of 3152 | 180 | jsrequest.exe | 88
PID 180 wrote to memory of 3152 | 180 | jsrequest.exe | 88
PID 180 wrote to memory of 3152 | 180 | jsrequest.exe | 88
PID 180 wrote to memory of 3152 | 180 | jsrequest.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775.exe"
  PID: 2932
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\wpprivatepacket\jsrequest.exe
      Command line: "C:\Users\Admin\AppData\Roaming\wpprivatepacket\jsrequest.exe"
      PID: 3840
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
          PID: 1756
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\wpprivatepacket\jsrequest.exe
  Command line: C:\Users\Admin\AppData\Roaming\wpprivatepacket\jsrequest.exe
  PID: 180
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      PID: 3152

C:\Users\Admin\AppData\Roaming\wpprivatepacket\jsrequest.exe
  Command line: C:\Users\Admin\AppData\Roaming\wpprivatepacket\jsrequest.exe
  PID: 1484
  - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\wpprivatepacket\jsrequest.exe
  Command line: C:\Users\Admin\AppData\Roaming\wpprivatepacket\jsrequest.exe
  PID: 2232
  - Executes dropped EXE

C:\Users\Admin\AppData\Roaming\wpprivatepacket\jsrequest.exe
  Command line: C:\Users\Admin\AppData\Roaming\wpprivatepacket\jsrequest.exe
  PID: 1528
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 663b8d5469caa4489d463aa9bc18124f
SHA1: e57123a7d969115853ea631a3b33826335025d28
SHA256: 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA512: 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

Filesize: 3.0MB
MD5: f250b617f96b16057d1ca4a2539b7f99
SHA1: ec6cd5efabe7dc98b62a8120d47d0417e0d335c6
SHA256: 7fa210b3f0cf860121a9c5cc44f92a330e04dbb7e89deb113c21687e9ae29775
SHA512: 2265b4557d5a22987e341ccc60b74efeac1c31403a9d9fb0143018450ce4e49c68f4c3af4c9ba77dc73f89bc8a2898790212065464f4370d44b70552d9d28816

Filesize: 128KB
MD5: e958488754282b677350494a4cbb6d1e
SHA1: 743e0c83d6816be0b2f36057e00a5f2580a20569
SHA256: 38e19a338d553253c1bf5576f02287ee0da3ca9883e69ebeb709667e4ced6875
SHA512: 9855b2b66e0612653c164b59749d137e797b71d9e7fdd554b1b07f48a1ca85d142220e060f8be46006775395fffc3334dddc6cac09e052e162d2bcc12019fa02

Filesize: 357B
MD5: a2b76cea3a59fa9af5ea21ff68139c98
SHA1: 35d76475e6a54c168f536e30206578babff58274
SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad