Analysis

  • max time kernel
    33s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-02-2024 15:56

General

  • Target
    BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe
  • Size
    922.0MB
  • MD5
    579579c7f692ec28c4b198f6dd30f372
  • SHA1
    5eeeaf129ba78eec60d3a5cdb16d3d31eeb4a015
  • SHA256
    245806b93b9d8c782086ddd542a45e3f8920031ef450335c18fe2402b963b365
  • SHA512
    18ff96211d56d076c3b1ee29d18591cdc483761ddf0284dba26a6751d91db595d65500c0d3a5a92cc3c1512c53dad42fc8ee6d9d0a4b51a1789453c7eaecb31c
  • SSDEEP
    49152:p9sij7wmgm0JRjaXUVPJUdDrAZY6DQAJE8lIZCmT3KxX9xtARkN2AWUoWHF08xGw:Mij7wgEVPJU+ZHDPtqn3QjtAFIFKIz

Malware Config

Extracted

Family

orcus

C2

209.25.141.181:40489

Mutex

690c4574d03b45e4b89aa16b415b7baf

Attributes

  • autostart_method
    TaskScheduler
  • enable_keylogger
    true
  • install_path
    %programdata%\Chrome\Plugins\chromedriver.exe
  • reconnect_delay
    10000
  • registry_keyname
    Orcus
  • taskscheduler_taskname
    svchost
  • watchdog_path
    AppData\svchost.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus main payload 5 IoCs
  • Orcurs Rat Executable 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
      "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      PID:2300
    • C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
      "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -File poo.ps1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
    • C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
      "C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n5u5jwtw.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCE09.tmp"
          4⤵
          PID:2696
      • C:\Windows\SysWOW64\WindowsInput.exe
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        3⤵
        • Executes dropped EXE
        PID:1492
      • C:\ProgramData\Chrome\Plugins\chromedriver.exe
        "C:\ProgramData\Chrome\Plugins\chromedriver.exe"
        3⤵
        PID:3008
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    PID:896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Chrome\Plugins\chromedriver.exe
    Filesize: 1.3MB
    MD5: aa9d2640ec778b21412084b1b54abe7d
    SHA1: 00bce490735d41eb889dd4d27996e3ba93eb916c
    SHA256: 9b8821c06989f1522902fedee4915f25b31ee3125ba3973eff0718ad6885cb0b
    SHA512: cb7de4503775f91000e95c3e67957d4bc4a9bd6f97c12b576827819fd2e4c8716bd4f501db27e32961901bfbcc80233a99345cd30016c2cf2598c521575f8ee1

  • C:\ProgramData\Chrome\Plugins\chromedriver.exe
    Filesize: 3.6MB
    MD5: fc078f4520ba18711aedb2cc5787e98b
    SHA1: 0faa983831edad9c55df47f48015a8be8b29fe2e
    SHA256: a5a8ff66cfe064da6235a08e31226dd99c4d5b6038c1d4b310d621d27b6c7f1f
    SHA512: 9ee3dd1a7e29944677d5929d17597f390b1e7a3696bab6e6b81fac2dab2971febfeeb9eaf4cc2b4e4684173623922ede122216c19f89185888afca87f4f0d97b

  • C:\ProgramData\Chrome\Plugins\chromedriver.exe
    Filesize: 2.8MB
    MD5: ed76832e335324cde025123d2fff2ff4
    SHA1: 146ff5dced01b317f9a0588668c7caede69044ea
    SHA256: caf66522099636d6da6f84d48f1a94e1fd49724ecf96fc0730909d9a24d257c1
    SHA512: 022800319c16f138cf8e869cfa35e755f9a64f20dad783043fec8e2766ec6edc297258961ecb253517dac7751220e73bfbe9ca6f5490567986ea430771207faf

  • C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
    Filesize: 2.8MB
    MD5: 46d8dfadf7f9d90385ab7df71b5adce3
    SHA1: 99482121b86c790a6f2d732b0a47a1e41922518f
    SHA256: 7fc18666d83d233def6dd05b7c46851e65753a7e8ab3bc6c76141ed5c0ab7d7c
    SHA512: 2e133aac3c749a285f5bad25ee34776065607053cff04b84bafa0f01da9409f082de624e6bd422834ce55fbb87c4effa7f84a26766ad961bb73f9b967e1a4dc5

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\poo.ps1
    Filesize: 35B
    MD5: 5d792fc7c4e2fd3eb595fce4883dcb2d
    SHA1: ee2a88f769ad746f119e144bd06832cb55ef1e0f
    SHA256: 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb
    SHA512: 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

  • C:\Users\Admin\AppData\Local\Temp\RESCE0A.tmp
    Filesize: 1KB
    MD5: 02e344c35b02f6787d8e4850dd7ed9d8
    SHA1: 928114a72e567d5f9636d4524c836d8cbbd2ebba
    SHA256: 0d29a290145e5c15914a03165ee02efeeeff13b40a7ae239f67508e2f0814603
    SHA512: 7a563d584a45ee767fad2024177e8a34d566d3a40e901764d77149da18aa0f699076d18a35f8c7dfd4ff45d5ab5c0baa077cf2f2fbd79c2142b0db693f737f6a

  • C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
    Filesize: 9.7MB
    MD5: 8852a909c0869ff0d30eaeabf26c31a3
    SHA1: dd1c42f06ea2d4c90e39029cee249db45f08cc52
    SHA256: f80d363ec77935189502cd7dcd7be691b6470dbafd458bdef4d4f3be50382a9e
    SHA512: 0fbe1e18360e0766e4042f4ecc5381ba7f8dfeee98eb4487385232766729c1090e2c1cd2d6b05c31a0f0244e0c1c1e636f8de26ac027d95e629a8970370fd0db

  • C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
    Filesize: 7.3MB
    MD5: c1467138c0c59c1207855f2f878764c3
    SHA1: ed43c05e9f92d0975661a902b2defdc58f6c2dd2
    SHA256: 56dd96fbdf2fabdc94b30f1e39ad3e53b90ffa4cc6447547d7de21c755e7f692
    SHA512: fead9430a269431585bffb9872b09964ec09e2383ffa6a9d582e65246b0c3c6859dac966568ff847cf9a6a7920ba0d6703a88139ecf552f90ee24e4fe8e73e65

  • C:\Users\Admin\AppData\Local\Temp\n5u5jwtw.dll
    Filesize: 76KB
    MD5: b5c42f9ed169acff9f5f880f7c27655d
    SHA1: b812cb32f5d1412d82d8ea59c5a65d7e22cafc05
    SHA256: 744d7bafefd7d2addf16e5bb76e4dfff335b1d692f4351bdc26cb73de2e053d6
    SHA512: 08fc21d9dcee611395e2d828529ae0a2f638874446623a581125df083169bde14c028129d44d8910d87f0f8a6bf796c012d1898f6da205b3c5bbfbd68d18720b

  • C:\Windows\SysWOW64\WindowsInput.exe
    Filesize: 21KB
    MD5: e6fcf516d8ed8d0d4427f86e08d0d435
    SHA1: c7691731583ab7890086635cb7f3e4c22ca5e409
    SHA256: 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
    SHA512: c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

  • C:\Windows\SysWOW64\WindowsInput.exe.config
    Filesize: 357B
    MD5: a2b76cea3a59fa9af5ea21ff68139c98
    SHA1: 35d76475e6a54c168f536e30206578babff58274
    SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
    SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCCE09.tmp
    Filesize: 676B
    MD5: 106bd87ddb7711359b45adc53518a01e
    SHA1: 449e76eeb440818fe634ab10ca908f17946fdfde
    SHA256: 1a99653f302a489d7c5c96ebad9fe246a9d12978a9a8b047d3124d8ba2a8a4c9
    SHA512: 74eb73fae207e8ebd49a06de862e5cfd2d821017d3ff46ebbb811da43ce28843c813f3dbf8fcbd0df2700e586c38ffc8451936b1bd3538b0bfc1cf5909fc9dce

  • \??\c:\Users\Admin\AppData\Local\Temp\n5u5jwtw.0.cs
    Filesize: 208KB
    MD5: 250321226bbc2a616d91e1c82cb4ab2b
    SHA1: 7cffd0b2e9c842865d8961386ab8fcfac8d04173
    SHA256: ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
    SHA512: bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

  • \??\c:\Users\Admin\AppData\Local\Temp\n5u5jwtw.cmdline
    Filesize: 349B
    MD5: 661d55759d0a620cdd3a4737d9e2e184
    SHA1: ae417b2497a60fb5fcea2eaf564117cacf81b7be
    SHA256: 4793154841fa7fa7ab32ba987c31771940ab023b41b6c2fa1c2dba6e9d661eab
    SHA512: 2debd6ae28791f8a255137a3a63fba52e9e739d1c475a2b721ca87a751c834d0f57a4b581f8ab01a800b0a21cdf6b52548578a2ffc2b5f4a5c79449830e6849e

  • \Program Files\BlitzedGrabberX96\APIFOR.DLL
    Filesize: 13KB
    MD5: 91b4d211faddb0ebc64fb000d75d96c1
    SHA1: ba496c122f8e562ff0a4fb272a68f0b9e7bf0a3c
    SHA256: e47ab6fb21bd8943f63d79387533abac0c2bd98245546df44c4f333d8013c4de
    SHA512: 3f16b0b4618d446d0e42ed2063c611b4ffa72a5b0ff438df5286a216167881737e65d494aa12186e511690eaca2f51c00889c9eae5ab6392c1edf885e5592919

  • \Program Files\BlitzedGrabberX96\Bunifu_UI_v1.5.3.dll
    Filesize: 323KB
    MD5: e0ef2817ee5a7c8cd1eb837195768bd2
    SHA1: 426ea1e201c7d3dc3fadce976536edce4cd51bce
    SHA256: 76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930
    SHA512: 5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c

  • \Program Files\BlitzedGrabberX96\Guna.UI.dll
    Filesize: 876KB
    MD5: 6d6a1f28978d42ad2f0a8f278eaac966
    SHA1: b09168ec88109422ca29cf4f1b6462d51930873d
    SHA256: fb23fa4fca8f28bebe7b7e39593a211cd3c3405de5f948ec520e859b1bcaf91e
    SHA512: 76ddf88255a9355fc3c781880e23d94206acca4decf5623712411f7a733e91ca9ea37944860401cf9667f10e8c33a087803a4726f91faff1f23e3e0592ddf41d

  • \Program Files\BlitzedGrabberX96\Guna.UI2.dll
    Filesize: 1.9MB
    MD5: 0f07705bd42d86d77dab085c42775244
    SHA1: 7e4b5c367183f4753a8d610e353c458c3def3888
    SHA256: cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
    SHA512: 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

  • \Program Files\BlitzedGrabberX96\Kyanite.exe
    Filesize: 822KB
    MD5: 7cebe29a86c8bad15bbf7f190ae9c012
    SHA1: a035287675af874872753aa813c2e17f712e2ff5
    SHA256: 808226fbf400593c702b5efe774290f0d2787d2a3fb25d0359cb3ca72a9b2b44
    SHA512: add343a62e77af49870386a3d5f8976ab53bdc2b2d7820ce735238db806b95e06e111a99114b8ea5c0dd74ee38a58466a79255705c3b3b0a7746eea4beabedbe

  • \Program Files\BlitzedGrabberX96\Login Theme.dll
    Filesize: 102KB
    MD5: 34b9583b485e101ebbd9fd100699eab0
    SHA1: 63a8ed0e336f7ade8664c8ecff81eb473f9d4d05
    SHA256: 8879dcfb480f0b3c47414eef8ec50d57f13c6c0895644000b17a38e465896d7a
    SHA512: 467dea806fb1746a8eae12cf2d7cc7029a0a237790904c49fe22d809cfc582a81537bd6cb4c0fe1a34bce259bf20609924a0cc62b5335ed6d279ee26c1baa30e

  • \Program Files\BlitzedGrabberX96\Siticone.UI.dll
    Filesize: 1.6MB
    MD5: ea797152ded4478107c08a9c9c28b454
    SHA1: f28104d7099cca08ab84bf1ad1acb9233cbf116f
    SHA256: c435f969a0150ec46e8f2414615e7cb1670322650fb632443ac9f0a146a98c14
    SHA512: 65d7a52243f46be4a5a4e82b0b5771be17efc7404411df9aaf95ecb4450699a5989fbed2f160b1ae917d04f6f3d71f172ad4bdaf238e37300780a781d13450ed

  • \Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
    Filesize: 1.6MB
    MD5: 9b45f7cc824e5837d516748dfc1500f5
    SHA1: 4a762177f02a2af5b37e9185129c22ed3377634f
    SHA256: dec1d85d19343b6526511288405f1a36ba120fcfff89c5e385ee1a8ee39cc536
    SHA512: 973aa196fee0f7c8d603031135466dae46a75ea63e14c2b5941c2edd779f7e3cd11423dc6b7f2cd5bbcbf7380b51164dadeefb4e3842b92a55d163f193041534

  • \Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
    Filesize: 1.6MB
    MD5: 45127aab7927fbe1961b9591b22846e1
    SHA1: 576e2ddea98ed854407070ccbd066ca6d1b86808
    SHA256: f0dc6b421e5924ab16c088930440ba67fcc13ff3d8f036a310465ffe752a0a3b
    SHA512: ce557e821b6148fe4b71c9dcbe24802e9f1d44ea9e3fc2939dadf31eb0749b3da2b5b4fe16ba03beeea79a16bc6d8f906ba92649a965edcfd081afe78dd4ec3e

  • \Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
    Filesize: 155KB
    MD5: 69bef95f8029651ff546b59544d3d6cd
    SHA1: a8cf6d690064e6bdeeb4d68f4f5180eb7c4bb8b9
    SHA256: 0cb43f43e81730a4a92874911ac39420954174c7fd9b1faea8e891e9b814f8ac
    SHA512: b3a4ac7268307a453eb903d0bc75939c9ba05f0c121fcbda0340e037ee8c7a9af1f11b212dfc6e41dea870e2005fc6896430fe84bbe360e96f75b91f459b710e

  • memory/840-0-0x0000000000980000-0x0000000000E1A000-memory.dmp
    Filesize: 4.6MB
  • memory/840-38-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp
    Filesize: 9.9MB
  • memory/840-2-0x000000001B5E0000-0x000000001B660000-memory.dmp
    Filesize: 512KB
  • memory/840-1-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp
    Filesize: 9.9MB
  • memory/896-119-0x00000000002E0000-0x00000000002EC000-memory.dmp
    Filesize: 48KB
  • memory/896-120-0x000007FEEDB10000-0x000007FEEE4FC000-memory.dmp
    Filesize: 9.9MB
  • memory/896-134-0x000007FEEDB10000-0x000007FEEE4FC000-memory.dmp
    Filesize: 9.9MB
  • memory/1492-117-0x000007FEF1940000-0x000007FEF232C000-memory.dmp
    Filesize: 9.9MB
  • memory/1492-67-0x0000000000290000-0x000000000029C000-memory.dmp
    Filesize: 48KB
  • memory/1492-75-0x000000001A6F0000-0x000000001A770000-memory.dmp
    Filesize: 512KB
  • memory/1492-68-0x000007FEF1940000-0x000007FEF232C000-memory.dmp
    Filesize: 9.9MB
  • memory/2576-48-0x0000000000820000-0x00000000008A0000-memory.dmp
    Filesize: 512KB
  • memory/2764-28-0x0000000002860000-0x00000000028E0000-memory.dmp
    Filesize: 512KB
  • memory/2764-32-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp
    Filesize: 9.6MB
  • memory/2764-25-0x00000000023E0000-0x00000000023E8000-memory.dmp
    Filesize: 32KB
  • memory/2764-23-0x000000001B2F0000-0x000000001B5D2000-memory.dmp
    Filesize: 2.9MB
  • memory/2764-26-0x0000000002860000-0x00000000028E0000-memory.dmp
    Filesize: 512KB
  • memory/2764-24-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp
    Filesize: 9.6MB
  • memory/2764-27-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp
    Filesize: 9.6MB
  • memory/2764-29-0x0000000002860000-0x00000000028E0000-memory.dmp
    Filesize: 512KB
  • memory/2764-31-0x0000000002860000-0x00000000028E0000-memory.dmp
    Filesize: 512KB
  • memory/3008-133-0x00000000003C0000-0x0000000000440000-memory.dmp
    Filesize: 512KB
  • memory/3008-132-0x000007FEEDB10000-0x000007FEEE4FC000-memory.dmp
    Filesize: 9.9MB
  • memory/3008-131-0x0000000000CD0000-0x0000000000DBC000-memory.dmp
    Filesize: 944KB
  • memory/3028-58-0x0000000000440000-0x0000000000452000-memory.dmp
    Filesize: 72KB
  • memory/3028-42-0x0000000000290000-0x000000000029E000-memory.dmp
    Filesize: 56KB
  • memory/3028-41-0x0000000000A60000-0x0000000000ABC000-memory.dmp
    Filesize: 368KB
  • memory/3028-40-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp
    Filesize: 9.6MB
  • memory/3028-130-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp
    Filesize: 9.6MB
  • memory/3028-111-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp
    Filesize: 9.6MB
  • memory/3028-56-0x0000000000710000-0x0000000000726000-memory.dmp
    Filesize: 88KB
  • memory/3028-59-0x0000000000570000-0x0000000000578000-memory.dmp
    Filesize: 32KB
  • memory/3028-39-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp
    Filesize: 9.6MB