Analysis

max time kernel: 127s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-02-2024 01:33
Behavioral task: behavioral1
Sample: 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
Resource: win7-20231215-en
General

Target: 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
Size: 3.0MB
MD5: 74d76e40ed909ca7e1c84845502d4200
SHA1: 68e52a5e876d3ced0acf3be1dab2cfec279c13cd
SHA256: 5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45
SHA512: 4178e42e6548168ffc54f077665c3d39ce4261e1ae03774a8bdef7e00b226ddf5c24e1eb146cbce624e31bdd333089b0639caf1fa78af1649a3dd4f4897e5177
SSDEEP: 49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:YUHTPJg8z1mKnypSbRxo9JCm
Malware Config

Extracted: orcus
Новый тег
31.44.184.52:58576
sudo_tlqmdzup58bzrjc1lr1vgx7o4bzyr68q
autostart_method: Disable
enable_keylogger: false
install_path: %appdata%\httpmultiasync\linuxapi.exe
reconnect_delay: 10000
registry_keyname: Sudik
taskscheduler_taskname: sudik
watchdog_path: AppData\aga.exe
Signatures

Orcus main payload (6 IoCs)
resource / yara_rule:
behavioral2/files/0x00060000000231ef-13.dat  family_orcus
behavioral2/files/0x00060000000231ef-19.dat  family_orcus
behavioral2/files/0x00060000000231ef-21.dat  family_orcus
behavioral2/files/0x00060000000231ef-28.dat  family_orcus
behavioral2/files/0x00060000000231ef-52.dat  family_orcus
behavioral2/files/0x00060000000231ef-56.dat  family_orcus

Orcurs Rat Executable (7 IoCs)
resource / yara_rule:
behavioral2/memory/4548-0-0x0000000000B70000-0x0000000000E6E000-memory.dmp  orcus
behavioral2/files/0x00060000000231ef-13.dat  orcus
behavioral2/files/0x00060000000231ef-19.dat  orcus
behavioral2/files/0x00060000000231ef-21.dat  orcus
behavioral2/files/0x00060000000231ef-28.dat  orcus
behavioral2/files/0x00060000000231ef-52.dat  orcus
behavioral2/files/0x00060000000231ef-56.dat  orcus

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description / ioc / Process:
Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe

Executes dropped EXE (4 IoCs)
pid / Process:
3216  linuxapi.exe
1208  linuxapi.exe
3276  linuxapi.exe
2884  linuxapi.exe

Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target:
PID 3216 set thread context of 1672  3216  linuxapi.exe  88

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid / Process:
4548  5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
3216  linuxapi.exe
3216  linuxapi.exe
3216  linuxapi.exe
3216  linuxapi.exe
3216  linuxapi.exe
3216  linuxapi.exe
1672  msbuild.exe
1672  msbuild.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description / pid / Process:
Token: SeDebugPrivilege  4548  5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
Token: SeDebugPrivilege  3216  linuxapi.exe
Token: SeDebugPrivilege  1672  msbuild.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description / pid / Process / procid_target:
PID 4548 wrote to memory of 3216  4548  5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe  85
PID 4548 wrote to memory of 3216  4548  5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe  85
PID 4548 wrote to memory of 3216  4548  5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe  85
PID 3216 wrote to memory of 2520  3216  linuxapi.exe  86
PID 3216 wrote to memory of 2520  3216  linuxapi.exe  86
PID 3216 wrote to memory of 2520  3216  linuxapi.exe  86
PID 3216 wrote to memory of 180  3216  linuxapi.exe  87
PID 3216 wrote to memory of 180  3216  linuxapi.exe  87
PID 3216 wrote to memory of 180  3216  linuxapi.exe  87
PID 3216 wrote to memory of 1672  3216  linuxapi.exe  88
PID 3216 wrote to memory of 1672  3216  linuxapi.exe  88
PID 3216 wrote to memory of 1672  3216  linuxapi.exe  88
PID 3216 wrote to memory of 1672  3216  linuxapi.exe  88
PID 3216 wrote to memory of 1672  3216  linuxapi.exe  88
PID 3216 wrote to memory of 1672  3216  linuxapi.exe  88
PID 3216 wrote to memory of 1672  3216  linuxapi.exe  88
PID 3216 wrote to memory of 1672  3216  linuxapi.exe  88
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5ab24737d60ad841c55bc85a30f2c9cfc876a1c54a7dd267c96b8f1cf3f80b45.exe"
  PID: 4548
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
    Command line: "C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe"
    PID: 3216
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      PID: 2520

    Depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      PID: 180

    Depth 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      PID: 1672
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Depth 1: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Command line: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  PID: 1208
  - Executes dropped EXE

Depth 1: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Command line: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  PID: 3276
  - Executes dropped EXE

Depth 1: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  Command line: C:\Users\Admin\AppData\Roaming\httpmultiasync\linuxapi.exe
  PID: 2884
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads