Analysis
- max time kernel: 131s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 08-02-2024 01:33

Behavioral task: behavioral1
Sample: 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
Resource: win7-20231215-en
General
- Target: 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
- Size: 3.0MB
- MD5: 74d76e40ed909ca7e1c84845502d4200
- SHA1: 68e52a5e876d3ced0acf3be1dab2cfec279c13cd
- SHA256: 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45
- SHA512: 4178e42e6548168ffc54f077665c3d39ce4261e1ae03774a8bdef7e00b226ddf5c24e1eb146cbce624e31bdd333089b0639caf1fa78af1649a3dd4f4897e5177
- SSDEEP: 49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:YUHTPJg8z1mKnypSbRxo9JCm
Malware Config
Extracted
orcus
Новый тег
31.44.184.52:58576
sudo_tlqmdzup58bzrjc1lr1vgx7o4bzyr68q
- autostart_method: Disable
- enable_keylogger: false
- install_path: %appdata%\httpmultiasync\linuxapi.exe
- reconnect_delay: 10000
- registry_keyname: Sudik
- taskscheduler_taskname: sudik
- watchdog_path: AppData\aga.exe
Signatures
- Orcus main payload (2 IoCs)
  resource behavioral1/files/0x000b000000015c1b-10.dat, yara_rule family_orcus
  resource behavioral1/files/0x000b000000015c1b-13.dat, yara_rule family_orcus
- Orcurs Rat Executable (11 IoCs)
  resource behavioral1/memory/1948-0-0x0000000001020000-0x000000000131E000-memory.dmp, yara_rule orcus
  resource behavioral1/files/0x000b000000015c1b-10.dat, yara_rule orcus
  resource behavioral1/files/0x000b000000015c1b-13.dat, yara_rule orcus
  resource behavioral1/memory/2724-17-0x00000000008F0000-0x0000000000BEE000-memory.dmp, yara_rule orcus
  resource behavioral1/memory/2816-28-0x0000000000400000-0x00000000006FE000-memory.dmp, yara_rule orcus
  resource behavioral1/memory/2816-29-0x0000000000400000-0x00000000006FE000-memory.dmp, yara_rule orcus
  resource behavioral1/memory/2816-32-0x0000000000400000-0x00000000006FE000-memory.dmp, yara_rule orcus
  resource behavioral1/memory/2816-35-0x0000000000400000-0x00000000006FE000-memory.dmp, yara_rule orcus
  resource behavioral1/memory/2816-37-0x0000000000400000-0x00000000006FE000-memory.dmp, yara_rule orcus
  resource behavioral1/memory/2328-66-0x0000000000E20000-0x000000000111E000-memory.dmp, yara_rule orcus
  resource behavioral1/memory/2152-70-0x0000000000E50000-0x000000000114E000-memory.dmp, yara_rule orcus
- Executes dropped EXE (4 IoCs)
  pid 2724, process linuxapi.exe
  pid 2772, process linuxapi.exe
  pid 2328, process linuxapi.exe
  pid 2152, process linuxapi.exe
- Loads dropped DLL (1 IoC)
  pid 1948, process 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2724 set thread context of 2816; pid 2724, process linuxapi.exe, procid_target 33
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 1948, process 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
  pid 2724, process linuxapi.exe
  pid 2724, process linuxapi.exe
  pid 2724, process linuxapi.exe
  pid 2724, process linuxapi.exe
  pid 2724, process linuxapi.exe
  pid 2724, process linuxapi.exe
  pid 2816, process installutil.exe
  pid 2816, process installutil.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege; pid 1948, process 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
  description: Token: SeDebugPrivilege; pid 2724, process linuxapi.exe
  description: Token: SeDebugPrivilege; pid 2816, process installutil.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe"
  PID: 1948
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
    Command line: "C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe"
    PID: 2724
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      PID: 2884
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      PID: 2844
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      PID: 2816
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {96541568-88E5-4370-88A3-EEC4DA129719} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
  PID: 2828
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
    Command line: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
    PID: 2772
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
    Command line: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
    PID: 2328
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
    Command line: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
    PID: 2152
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads