Analysis
- max time kernel: 33s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 08-02-2024 15:56
Static task
- static1

Behavioral tasks (each sample run on a Windows 7 and a Windows 10 image)
- behavioral1: BlitzedGrabberX96/Bin/UltraEmbeddable.exe on win7-20231129-en
- behavioral2: BlitzedGrabberX96/Bin/UltraEmbeddable.exe on win10v2004-20231215-en
- behavioral3: BlitzedGrabberX96/Bin/leaf.exe on win7-20231215-en
- behavioral4: BlitzedGrabberX96/Bin/leaf.exe on win10v2004-20231215-en
- behavioral5: BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe on win7-20231215-en
- behavioral6: BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe on win10v2004-20231215-en

The signatures and process tree below are taken from behavioral5 (the installer on win7-20231215-en), as the behavioral5/ prefix on every YARA and memory IoC shows.
General
- Target: BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe
- Size: 922.0MB
- MD5: 579579c7f692ec28c4b198f6dd30f372
- SHA1: 5eeeaf129ba78eec60d3a5cdb16d3d31eeb4a015
- SHA256: 245806b93b9d8c782086ddd542a45e3f8920031ef450335c18fe2402b963b365
- SHA512: 18ff96211d56d076c3b1ee29d18591cdc483761ddf0284dba26a6751d91db595d65500c0d3a5a92cc3c1512c53dad42fc8ee6d9d0a4b51a1789453c7eaecb31c
- SSDEEP: 49152:p9sij7wmgm0JRjaXUVPJUdDrAZY6DQAJE8lIZCmT3KxX9xtARkN2AWUoWHF08xGw:Mij7wgEVPJU+ZHDPtqn3QjtAFIFKIz

Note the size. A 922 MB installer is out of all proportion to the files it drops (the largest entry under Downloads is 9.7 MB). Oversized droppers are commonly padded to push them past the per-file size limits of AV scanners and upload portals, so do not rely on size-limited scanning to catch this sample; hash and behaviour are the usable indicators.
Malware Config
Extracted: orcus
- 209.25.141.181:40489 (ip:port; the field is unlabeled in the report)
- 690c4574d03b45e4b89aa16b415b7baf (unlabeled in the report)
- autostart_method: TaskScheduler
- enable_keylogger: true
- install_path: %programdata%\Chrome\Plugins\chromedriver.exe
- reconnect_delay: 10000 (unit not given in the report)
- registry_keyname: Orcus
- taskscheduler_taskname: svchost
- watchdog_path: AppData\svchost.exe

What to hunt for from this config: a scheduled task named "svchost" (the real svchost.exe is a service host in C:\Windows\System32 and is never registered as a scheduled task under that name), an executable at %ProgramData%\Chrome\Plugins\chromedriver.exe (Google Chrome does not use a Plugins directory under ProgramData, and chromedriver.exe is the name of the Selenium WebDriver binary, chosen here to look plausible), a watchdog copy at AppData\svchost.exe under the user profile, and outbound TCP connections to 209.25.141.181:40489. Keylogging is enabled in this build.
Signatures

Orcus main payload (5 IoCs)
YARA rule family_orcus matched:
- behavioral5/files/0x001900000000558e-36.dat
- behavioral5/files/0x001900000000558e-37.dat
- behavioral5/files/0x000500000001a301-123.dat
- behavioral5/files/0x000500000001a301-127.dat
- behavioral5/files/0x000500000001a301-129.dat

Orcurs Rat Executable (6 IoCs)
YARA rule orcus matched the same five dropped files plus one memory dump:
- behavioral5/files/0x001900000000558e-36.dat
- behavioral5/files/0x001900000000558e-37.dat
- behavioral5/files/0x000500000001a301-123.dat
- behavioral5/files/0x000500000001a301-127.dat
- behavioral5/files/0x000500000001a301-129.dat
- behavioral5/memory/3008-131-0x0000000000CD0000-0x0000000000DBC000-memory.dmp (PID 3008 is the copy running from the configured install_path, see the process tree below)

Executes dropped EXE (4 IoCs)
- PID 2300: BlitzedGrabberX96 Install.exe
- PID 2360: UnityCrashHandler.EXE
- PID 3028: chromedriver.exe
- PID 1492: WindowsInput.exe

Loads dropped DLL (4 IoCs)
- PID 840: BlitzedGrabberX96 Installer.exe
- PID 2300: BlitzedGrabberX96 Install.exe (three loads)

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
YARA rule agile_net matched:
- behavioral5/files/0x0005000000019bf2-91.dat

Adds Run key to start application (2 TTPs, 1 IoC)
- UnityCrashHandler.EXE set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""

Caveat: this RunOnce value is the standard cleanup entry that wextract writes for an IExpress self-extracting package; on next logon it deletes the IXP000.TMP extraction directory and removes itself. It tells you UnityCrashHandler.EXE is an IExpress package, not that the malware persists through RunOnce. Persistence for this sample is the scheduled task from the extracted config.

Drops file in System32 directory (2 IoCs)
- chromedriver.exe created C:\Windows\SysWOW64\WindowsInput.exe.config
- chromedriver.exe created C:\Windows\SysWOW64\WindowsInput.exe

Drops file in Program Files directory (1 IoC)
- BlitzedGrabberX96 Install.exe created C:\Program Files\BlitzedGrabberX96\APIFOR.DLL

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2764: powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 2764 powershell.exe enabled SeDebugPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2300: BlitzedGrabberX96 Install.exe (two calls)

Suspicious use of WriteProcessMemory (25 IoCs)
Parent -> child writes, collapsed here with repeat counts (the report lists most pairs three times); procid_target is the report's own target id:
- 840 BlitzedGrabberX96 Installer.exe -> 2300 (procid_target 28), 7 entries
- 840 BlitzedGrabberX96 Installer.exe -> 2360 (procid_target 29), 3 entries
- 2360 UnityCrashHandler.EXE -> 2764 (procid_target 30), 3 entries
- 840 BlitzedGrabberX96 Installer.exe -> 3028 (procid_target 32), 3 entries
- 3028 chromedriver.exe -> 2576 (procid_target 33), 3 entries
- 2576 csc.exe -> 2696 (procid_target 35), 3 entries
- 3028 chromedriver.exe -> 1492 (procid_target 38), 3 entries

On its own this signature fires on ordinary process creation (a parent writes into the child it has just started), so read these entries as the parent/child lineage behind the process tree below rather than as evidence of injection into unrelated processes.
Processes (behavioral5; indentation shows parent/child, command-line arguments shown where the report has them)

- PID 840: "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"
  Loads dropped DLL; Suspicious use of WriteProcessMemory
  - PID 2300: "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe"
    Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx
  - PID 2360: "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE"
    Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - PID 2764: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File poo.ps1
      Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 3028: "C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"
    Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - PID 2576: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n5u5jwtw.cmdline"
      Suspicious use of WriteProcessMemory
      - PID 2696: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCE09.tmp"
    - PID 1492: "C:\Windows\SysWOW64\WindowsInput.exe" --install
      Executes dropped EXE
    - PID 3008: "C:\ProgramData\Chrome\Plugins\chromedriver.exe"
- PID 896: "C:\Windows\SysWOW64\WindowsInput.exe" (shown at the top level because the report records no traced parent for it)

Reading the tree: the installer (840) unpacks three stages. The csc.exe -> cvtres.exe pair under chromedriver.exe (3028), with a randomly named .cmdline response file in the user's Temp directory, is what .NET runtime compilation through CodeDOM looks like; a compiler spawned by a binary in Temp is a strong signal in its own right. The same process drops WindowsInput.exe into SysWOW64 (the 32-bit system directory) and runs it with --install, after which a second, parentless instance (896) appears; the switch suggests a service or helper registration, which this report does not confirm. Finally 3028 starts a copy of itself at the configured install_path, C:\ProgramData\Chrome\Plugins\chromedriver.exe (3008), and that is the process whose memory matched the orcus YARA rule. The powershell.exe run under UnityCrashHandler.EXE executes a script named poo.ps1 with the execution policy bypassed and acquires SeDebugPrivilege; the script's contents are not part of this report.
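As an added example (not part of the report, and not code from the sandbox or from any tool it names), the Python below transcribes the behavioral5 process events from the Processes section and the parent -> child pairs from the WriteProcessMemory IoCs, rebuilds the tree, and runs four detection rules over it: a C# compiler launched by a process in a user Temp directory, a process running from the install_path in the extracted Orcus config, a binary in SysWOW64 started with --install by a Temp-resident parent, and PowerShell run with the execution policy bypassed. The allowlist of legitimate csc.exe parents, the fixed expansion of %programdata%, and the rule thresholds are this example's assumptions; tune them to your estate before using them as real detections.

```python
"""Rebuild the behavioral5 process tree and run detection rules over it.
Added example, not part of the report: events are transcribed from the
Processes section and the WriteProcessMemory parent -> child entries;
the rules, allowlist and %programdata% expansion are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None: the report records no traced parent
    image: str
    cmdline: str          # arguments only; "" where the report shows none

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NETFX = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"

# Transcribed from the report (behavioral5).
EVENTS: List[Proc] = [
    Proc(840, None, TEMP + r"\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe", ""),
    Proc(2300, 840, TEMP + r"\BlitzedGrabberX96 Install.exe", ""),
    Proc(2360, 840, TEMP + r"\UnityCrashHandler.EXE", ""),
    Proc(2764, 2360, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "-ExecutionPolicy Bypass -File poo.ps1"),
    Proc(3028, 840, TEMP + r"\chromedriver.exe", ""),
    Proc(2576, 3028, NETFX + r"\csc.exe",
         '/noconfig /fullpaths @"' + TEMP + r'\n5u5jwtw.cmdline"'),
    Proc(2696, 2576, NETFX + r"\cvtres.exe",
         '/NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP + r'\RESCE0A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCE09.tmp"'),
    Proc(1492, 3028, r"C:\Windows\SysWOW64\WindowsInput.exe", "--install"),
    Proc(3008, 3028, r"C:\ProgramData\Chrome\Plugins\chromedriver.exe", ""),
    Proc(896, None, r"C:\Windows\SysWOW64\WindowsInput.exe", ""),
]

# install_path from the report's extracted Orcus config. The variable map is
# an assumption so the example runs on any OS instead of reading os.environ.
ORCUS_CONFIG = {"install_path": r"%programdata%\Chrome\Plugins\chromedriver.exe"}
ENV = {"%programdata%": r"C:\ProgramData"}


def expand(path: str) -> str:
    """Expand the known %var% tokens and normalise to lower case."""
    for var, val in ENV.items():
        path = path.replace(var, val)
    return path.lower()


def build_index(events: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in events}


def parent_of(index: Dict[int, Proc], p: Proc) -> Optional[Proc]:
    return index.get(p.ppid) if p.ppid is not None else None


def ancestry(index: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from pid up to the root (cycle-safe)."""
    chain, seen, cur = [], set(), index.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = parent_of(index, cur)
    return chain


def in_user_temp(image: str) -> bool:
    return "\\appdata\\local\\temp\\" in image.lower()


# Assumption: parents that legitimately spawn csc.exe; extend per estate.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


def rule_runtime_compilation(p: Proc, index: Dict[int, Proc]) -> bool:
    parent = parent_of(index, p)
    return (p.name in {"csc.exe", "vbc.exe"} and parent is not None
            and parent.name not in DEV_PARENTS and in_user_temp(parent.image))


def rule_orcus_install_path(p: Proc, index: Dict[int, Proc]) -> bool:
    return p.image.lower() == expand(ORCUS_CONFIG["install_path"])


def rule_syswow64_install(p: Proc, index: Dict[int, Proc]) -> bool:
    parent = parent_of(index, p)
    return ("\\syswow64\\" in p.image.lower() and p.cmdline.strip().lower() == "--install"
            and parent is not None and in_user_temp(parent.image))


def rule_powershell_bypass(p: Proc, index: Dict[int, Proc]) -> bool:
    cl = p.cmdline.lower()
    return p.name == "powershell.exe" and "-executionpolicy bypass" in cl and "-file" in cl


RULES = [("runtime_compilation", rule_runtime_compilation),
         ("orcus_install_path", rule_orcus_install_path),
         ("syswow64_install", rule_syswow64_install),
         ("powershell_bypass", rule_powershell_bypass)]


def run_rules(events: List[Proc]) -> Dict[int, List[str]]:
    """pid -> names of the rules it triggered; pids with no hits are omitted."""
    index = build_index(events)
    hits: Dict[int, List[str]] = {}
    for p in events:
        fired = [name for name, fn in RULES if fn(p, index)]
        if fired:
            hits[p.pid] = fired
    return hits


if __name__ == "__main__":
    idx = build_index(EVENTS)
    for pid, names in run_rules(EVENTS).items():
        print(pid, names, " <- ".join(ancestry(idx, pid)))
```

Against the report's events this flags 2576 (csc.exe under a Temp-resident parent), 3008 (the install_path copy), 1492 (WindowsInput.exe --install) and 2764 (PowerShell bypass), and `ancestry` gives the full chain for each hit, which is what an analyst wants in the alert body. The rules deliberately key on parent location and command line rather than on the file names in this report, since the names (chromedriver.exe, svchost) are chosen by the operator and will change.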
Network
MITRE ATT&CK Enterprise v15
Downloads
Files recorded by the sandbox for this run; the report gives only size and hashes for each entry, no filename.

1. 1.3MB
   MD5: aa9d2640ec778b21412084b1b54abe7d
   SHA1: 00bce490735d41eb889dd4d27996e3ba93eb916c
   SHA256: 9b8821c06989f1522902fedee4915f25b31ee3125ba3973eff0718ad6885cb0b
   SHA512: cb7de4503775f91000e95c3e67957d4bc4a9bd6f97c12b576827819fd2e4c8716bd4f501db27e32961901bfbcc80233a99345cd30016c2cf2598c521575f8ee1

2. 3.6MB
   MD5: fc078f4520ba18711aedb2cc5787e98b
   SHA1: 0faa983831edad9c55df47f48015a8be8b29fe2e
   SHA256: a5a8ff66cfe064da6235a08e31226dd99c4d5b6038c1d4b310d621d27b6c7f1f
   SHA512: 9ee3dd1a7e29944677d5929d17597f390b1e7a3696bab6e6b81fac2dab2971febfeeb9eaf4cc2b4e4684173623922ede122216c19f89185888afca87f4f0d97b

3. 2.8MB
   MD5: ed76832e335324cde025123d2fff2ff4
   SHA1: 146ff5dced01b317f9a0588668c7caede69044ea
   SHA256: caf66522099636d6da6f84d48f1a94e1fd49724ecf96fc0730909d9a24d257c1
   SHA512: 022800319c16f138cf8e869cfa35e755f9a64f20dad783043fec8e2766ec6edc297258961ecb253517dac7751220e73bfbe9ca6f5490567986ea430771207faf

4. 2.8MB
   MD5: 46d8dfadf7f9d90385ab7df71b5adce3
   SHA1: 99482121b86c790a6f2d732b0a47a1e41922518f
   SHA256: 7fc18666d83d233def6dd05b7c46851e65753a7e8ab3bc6c76141ed5c0ab7d7c
   SHA512: 2e133aac3c749a285f5bad25ee34776065607053cff04b84bafa0f01da9409f082de624e6bd422834ce55fbb87c4effa7f84a26766ad961bb73f9b967e1a4dc5

5. 35B
   MD5: 5d792fc7c4e2fd3eb595fce4883dcb2d
   SHA1: ee2a88f769ad746f119e144bd06832cb55ef1e0f
   SHA256: 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb
   SHA512: 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

6. 1KB
   MD5: 02e344c35b02f6787d8e4850dd7ed9d8
   SHA1: 928114a72e567d5f9636d4524c836d8cbbd2ebba
   SHA256: 0d29a290145e5c15914a03165ee02efeeeff13b40a7ae239f67508e2f0814603
   SHA512: 7a563d584a45ee767fad2024177e8a34d566d3a40e901764d77149da18aa0f699076d18a35f8c7dfd4ff45d5ab5c0baa077cf2f2fbd79c2142b0db693f737f6a

7. 9.7MB
   MD5: 8852a909c0869ff0d30eaeabf26c31a3
   SHA1: dd1c42f06ea2d4c90e39029cee249db45f08cc52
   SHA256: f80d363ec77935189502cd7dcd7be691b6470dbafd458bdef4d4f3be50382a9e
   SHA512: 0fbe1e18360e0766e4042f4ecc5381ba7f8dfeee98eb4487385232766729c1090e2c1cd2d6b05c31a0f0244e0c1c1e636f8de26ac027d95e629a8970370fd0db

8. 7.3MB
   MD5: c1467138c0c59c1207855f2f878764c3
   SHA1: ed43c05e9f92d0975661a902b2defdc58f6c2dd2
   SHA256: 56dd96fbdf2fabdc94b30f1e39ad3e53b90ffa4cc6447547d7de21c755e7f692
   SHA512: fead9430a269431585bffb9872b09964ec09e2383ffa6a9d582e65246b0c3c6859dac966568ff847cf9a6a7920ba0d6703a88139ecf552f90ee24e4fe8e73e65

9. 76KB
   MD5: b5c42f9ed169acff9f5f880f7c27655d
   SHA1: b812cb32f5d1412d82d8ea59c5a65d7e22cafc05
   SHA256: 744d7bafefd7d2addf16e5bb76e4dfff335b1d692f4351bdc26cb73de2e053d6
   SHA512: 08fc21d9dcee611395e2d828529ae0a2f638874446623a581125df083169bde14c028129d44d8910d87f0f8a6bf796c012d1898f6da205b3c5bbfbd68d18720b

10. 21KB
   MD5: e6fcf516d8ed8d0d4427f86e08d0d435
   SHA1: c7691731583ab7890086635cb7f3e4c22ca5e409
   SHA256: 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
   SHA512: c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

11. 357B
   MD5: a2b76cea3a59fa9af5ea21ff68139c98
   SHA1: 35d76475e6a54c168f536e30206578babff58274
   SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
   SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

12. 676B
   MD5: 106bd87ddb7711359b45adc53518a01e
   SHA1: 449e76eeb440818fe634ab10ca908f17946fdfde
   SHA256: 1a99653f302a489d7c5c96ebad9fe246a9d12978a9a8b047d3124d8ba2a8a4c9
   SHA512: 74eb73fae207e8ebd49a06de862e5cfd2d821017d3ff46ebbb811da43ce28843c813f3dbf8fcbd0df2700e586c38ffc8451936b1bd3538b0bfc1cf5909fc9dce

13. 208KB
   MD5: 250321226bbc2a616d91e1c82cb4ab2b
   SHA1: 7cffd0b2e9c842865d8961386ab8fcfac8d04173
   SHA256: ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
   SHA512: bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

14. 349B
   MD5: 661d55759d0a620cdd3a4737d9e2e184
   SHA1: ae417b2497a60fb5fcea2eaf564117cacf81b7be
   SHA256: 4793154841fa7fa7ab32ba987c31771940ab023b41b6c2fa1c2dba6e9d661eab
   SHA512: 2debd6ae28791f8a255137a3a63fba52e9e739d1c475a2b721ca87a751c834d0f57a4b581f8ab01a800b0a21cdf6b52548578a2ffc2b5f4a5c79449830e6849e

15. 13KB
   MD5: 91b4d211faddb0ebc64fb000d75d96c1
   SHA1: ba496c122f8e562ff0a4fb272a68f0b9e7bf0a3c
   SHA256: e47ab6fb21bd8943f63d79387533abac0c2bd98245546df44c4f333d8013c4de
   SHA512: 3f16b0b4618d446d0e42ed2063c611b4ffa72a5b0ff438df5286a216167881737e65d494aa12186e511690eaca2f51c00889c9eae5ab6392c1edf885e5592919

16. 323KB
   MD5: e0ef2817ee5a7c8cd1eb837195768bd2
   SHA1: 426ea1e201c7d3dc3fadce976536edce4cd51bce
   SHA256: 76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930
   SHA512: 5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c

17. 876KB
   MD5: 6d6a1f28978d42ad2f0a8f278eaac966
   SHA1: b09168ec88109422ca29cf4f1b6462d51930873d
   SHA256: fb23fa4fca8f28bebe7b7e39593a211cd3c3405de5f948ec520e859b1bcaf91e
   SHA512: 76ddf88255a9355fc3c781880e23d94206acca4decf5623712411f7a733e91ca9ea37944860401cf9667f10e8c33a087803a4726f91faff1f23e3e0592ddf41d

18. 1.9MB
   MD5: 0f07705bd42d86d77dab085c42775244
   SHA1: 7e4b5c367183f4753a8d610e353c458c3def3888
   SHA256: cf9b66e11506fa431849350c0cb58430a71e5ec943d2db9ef1b2e2302f299443
   SHA512: 851b1a4c470ee7fe07ce5619c16fd391428585926c5b559694a9e445633ea51ec86c74a3bbf3bce39d943c4bf714dad2fd3c4a4d0703be2333541c79a2ee97f0

19. 822KB
   MD5: 7cebe29a86c8bad15bbf7f190ae9c012
   SHA1: a035287675af874872753aa813c2e17f712e2ff5
   SHA256: 808226fbf400593c702b5efe774290f0d2787d2a3fb25d0359cb3ca72a9b2b44
   SHA512: add343a62e77af49870386a3d5f8976ab53bdc2b2d7820ce735238db806b95e06e111a99114b8ea5c0dd74ee38a58466a79255705c3b3b0a7746eea4beabedbe

20. 102KB
   MD5: 34b9583b485e101ebbd9fd100699eab0
   SHA1: 63a8ed0e336f7ade8664c8ecff81eb473f9d4d05
   SHA256: 8879dcfb480f0b3c47414eef8ec50d57f13c6c0895644000b17a38e465896d7a
   SHA512: 467dea806fb1746a8eae12cf2d7cc7029a0a237790904c49fe22d809cfc582a81537bd6cb4c0fe1a34bce259bf20609924a0cc62b5335ed6d279ee26c1baa30e

21. 1.6MB
   MD5: ea797152ded4478107c08a9c9c28b454
   SHA1: f28104d7099cca08ab84bf1ad1acb9233cbf116f
   SHA256: c435f969a0150ec46e8f2414615e7cb1670322650fb632443ac9f0a146a98c14
   SHA512: 65d7a52243f46be4a5a4e82b0b5771be17efc7404411df9aaf95ecb4450699a5989fbed2f160b1ae917d04f6f3d71f172ad4bdaf238e37300780a781d13450ed

22. 1.6MB
   MD5: 9b45f7cc824e5837d516748dfc1500f5
   SHA1: 4a762177f02a2af5b37e9185129c22ed3377634f
   SHA256: dec1d85d19343b6526511288405f1a36ba120fcfff89c5e385ee1a8ee39cc536
   SHA512: 973aa196fee0f7c8d603031135466dae46a75ea63e14c2b5941c2edd779f7e3cd11423dc6b7f2cd5bbcbf7380b51164dadeefb4e3842b92a55d163f193041534

23. 1.6MB
   MD5: 45127aab7927fbe1961b9591b22846e1
   SHA1: 576e2ddea98ed854407070ccbd066ca6d1b86808
   SHA256: f0dc6b421e5924ab16c088930440ba67fcc13ff3d8f036a310465ffe752a0a3b
   SHA512: ce557e821b6148fe4b71c9dcbe24802e9f1d44ea9e3fc2939dadf31eb0749b3da2b5b4fe16ba03beeea79a16bc6d8f906ba92649a965edcfd081afe78dd4ec3e

24. 155KB
   MD5: 69bef95f8029651ff546b59544d3d6cd
   SHA1: a8cf6d690064e6bdeeb4d68f4f5180eb7c4bb8b9
   SHA256: 0cb43f43e81730a4a92874911ac39420954174c7fd9b1faea8e891e9b814f8ac
   SHA512: b3a4ac7268307a453eb903d0bc75939c9ba05f0c121fcbda0340e037ee8c7a9af1f11b212dfc6e41dea870e2005fc6896430fe84bbe360e96f75b91f459b710e
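The hash list above is only useful once it is turned into a sweep. As an added example (not part of the report, and not a tool from the sandbox), the Python below takes three of the dropped-file SHA256 values transcribed from the Downloads section, walks a directory tree, streams every regular file through MD5, SHA1 and SHA256 in one pass (so a multi-hundred-megabyte dropper never has to fit in memory), and returns the paths whose SHA256 is in the IoC set. The `demo()` function builds a temporary directory with a constructed stand-in file whose hash is added to the set at run time, since none of the report's actual files are available here; the file names and contents in it are this example's assumptions.

```python
"""Sweep a directory for files whose SHA256 matches the report's dropped
files. Added example, not part of the report. REPORT_SHA256 holds values
transcribed from the Downloads section; everything else is assumed."""
import hashlib
import os
import tempfile
from typing import Dict, List, Set, Tuple

# Three of the 24 dropped-file SHA256 values from the report (sizes in the
# comments are the report's). Extend with the rest for a real sweep.
REPORT_SHA256: Set[str] = {
    "9b8821c06989f1522902fedee4915f25b31ee3125ba3973eff0718ad6885cb0b",  # 1.3MB
    "a5a8ff66cfe064da6235a08e31226dd99c4d5b6038c1d4b310d621d27b6c7f1f",  # 3.6MB
    "caf66522099636d6da6f84d48f1a94e1fd49724ecf96fc0730909d9a24d257c1",  # 2.8MB
}


def file_digests(path: str, chunk: int = 1 << 20) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of one file, computed in a single streamed pass."""
    hs = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def sweep(root: str, sha256s: Set[str]) -> List[Tuple[str, str]]:
    """(path, sha256) for every regular file under root whose SHA256 is in
    the IoC set. Symlinks are skipped so a planted link cannot redirect the
    sweep; unreadable files are skipped rather than aborting the run."""
    wanted = {h.lower() for h in sha256s}
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                d = file_digests(p)
            except OSError:
                continue
            if d["sha256"] in wanted:
                hits.append((p, d["sha256"]))
    return sorted(hits)


def demo() -> Dict[str, object]:
    """Constructed end-to-end run: one file whose hash is added to the IoC
    set and one benign file, in a throwaway directory."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "Plugins", "chromedriver.exe")  # assumed name
        benign = os.path.join(root, "notes.txt")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b"constructed stand-in for a dropped file\n")
        with open(benign, "wb") as f:
            f.write(b"benign content\n")
        iocs = set(REPORT_SHA256) | {file_digests(planted)["sha256"]}
        return {
            "hits": [os.path.relpath(p, root) for p, _ in sweep(root, iocs)],
            "report_only_hits": sweep(root, REPORT_SHA256),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted disk image or a live host's %ProgramData%, %APPDATA% and %TEMP% trees with the full 24-entry set. Matching on SHA256 rather than MD5 or SHA1 avoids the collision problem of the older digests, and computing all three per file costs one read, which is what dominates on large volumes.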