Analysis
max time kernel: 56s
max time network: 71s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-02-2024 15:56
Static task: static1
Behavioral task behavioral1: Sample BlitzedGrabberX96/Bin/UltraEmbeddable.exe; Resource win7-20231129-en
Behavioral task behavioral2: Sample BlitzedGrabberX96/Bin/UltraEmbeddable.exe; Resource win10v2004-20231215-en
Behavioral task behavioral3: Sample BlitzedGrabberX96/Bin/leaf.exe; Resource win7-20231215-en
Behavioral task behavioral4: Sample BlitzedGrabberX96/Bin/leaf.exe; Resource win10v2004-20231215-en
Behavioral task behavioral5: Sample BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe; Resource win7-20231215-en
Behavioral task behavioral6: Sample BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe; Resource win10v2004-20231215-en
General
Target: BlitzedGrabberX96/BlitzedGrabberX96 Installer.exe
Size: 922.0MB
MD5: 579579c7f692ec28c4b198f6dd30f372
SHA1: 5eeeaf129ba78eec60d3a5cdb16d3d31eeb4a015
SHA256: 245806b93b9d8c782086ddd542a45e3f8920031ef450335c18fe2402b963b365
SHA512: 18ff96211d56d076c3b1ee29d18591cdc483761ddf0284dba26a6751d91db595d65500c0d3a5a92cc3c1512c53dad42fc8ee6d9d0a4b51a1789453c7eaecb31c
SSDEEP: 49152:p9sij7wmgm0JRjaXUVPJUdDrAZY6DQAJE8lIZCmT3KxX9xtARkN2AWUoWHF08xGw:Mij7wgEVPJU+ZHDPtqn3QjtAFIFKIz
Malware Config
Extracted: orcus
209.25.141.181:40489
690c4574d03b45e4b89aa16b415b7baf
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %programdata%\Chrome\Plugins\chromedriver.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: svchost
watchdog_path: AppData\svchost.exe
Signatures

Orcus main payload (3 IoCs)
resource | yara_rule
behavioral6/files/0x0008000000023231-49.dat | family_orcus
behavioral6/files/0x0008000000023231-55.dat | family_orcus
behavioral6/files/0x0008000000023231-57.dat | family_orcus

Orcurs Rat Executable (3 IoCs)
resource | yara_rule
behavioral6/files/0x0008000000023231-49.dat | orcus
behavioral6/files/0x0008000000023231-55.dat | orcus
behavioral6/files/0x0008000000023231-57.dat | orcus

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | BlitzedGrabberX96 Installer.exe

Executes dropped EXE (3 IoCs)
pid | Process
4452 | BlitzedGrabberX96 Install.exe
4920 | UnityCrashHandler.EXE
2788 | chromedriver.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | UnityCrashHandler.EXE

Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | chromedriver.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | chromedriver.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\assembly | chromedriver.exe
File created | C:\Windows\assembly\Desktop.ini | chromedriver.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | chromedriver.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4332 | powershell.exe
4332 | powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4332 | powershell.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4452 | BlitzedGrabberX96 Install.exe
4452 | BlitzedGrabberX96 Install.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 1512 wrote to memory of 4452 | 1512 | BlitzedGrabberX96 Installer.exe | 85
PID 1512 wrote to memory of 4452 | 1512 | BlitzedGrabberX96 Installer.exe | 85
PID 1512 wrote to memory of 4452 | 1512 | BlitzedGrabberX96 Installer.exe | 85
PID 1512 wrote to memory of 4920 | 1512 | BlitzedGrabberX96 Installer.exe | 86
PID 1512 wrote to memory of 4920 | 1512 | BlitzedGrabberX96 Installer.exe | 86
PID 4920 wrote to memory of 4332 | 4920 | UnityCrashHandler.EXE | 87
PID 4920 wrote to memory of 4332 | 4920 | UnityCrashHandler.EXE | 87
PID 1512 wrote to memory of 2788 | 1512 | BlitzedGrabberX96 Installer.exe | 94
PID 1512 wrote to memory of 2788 | 1512 | BlitzedGrabberX96 Installer.exe | 94
PID 2788 wrote to memory of 3004 | 2788 | chromedriver.exe | 96
PID 2788 wrote to memory of 3004 | 2788 | chromedriver.exe | 96
Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96\BlitzedGrabberX96 Installer.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1512

  C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberX96 Install.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 4452

  C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\UnityCrashHandler.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4920

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -ExecutionPolicy Bypass -File poo.ps1
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4332

  C:\Users\Admin\AppData\Local\Temp\chromedriver.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chromedriver.exe"
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2788

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0yenjbs.cmdline"
      PID: 3004
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.8MB
MD5: 46d8dfadf7f9d90385ab7df71b5adce3
SHA1: 99482121b86c790a6f2d732b0a47a1e41922518f
SHA256: 7fc18666d83d233def6dd05b7c46851e65753a7e8ab3bc6c76141ed5c0ab7d7c
SHA512: 2e133aac3c749a285f5bad25ee34776065607053cff04b84bafa0f01da9409f082de624e6bd422834ce55fbb87c4effa7f84a26766ad961bb73f9b967e1a4dc5

Filesize: 35B
MD5: 5d792fc7c4e2fd3eb595fce4883dcb2d
SHA1: ee2a88f769ad746f119e144bd06832cb55ef1e0f
SHA256: 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb
SHA512: 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

Filesize: 155KB
MD5: 69bef95f8029651ff546b59544d3d6cd
SHA1: a8cf6d690064e6bdeeb4d68f4f5180eb7c4bb8b9
SHA256: 0cb43f43e81730a4a92874911ac39420954174c7fd9b1faea8e891e9b814f8ac
SHA512: b3a4ac7268307a453eb903d0bc75939c9ba05f0c121fcbda0340e037ee8c7a9af1f11b212dfc6e41dea870e2005fc6896430fe84bbe360e96f75b91f459b710e

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 32.6MB
MD5: 04f2087176aa677018403cc8f973dc4a
SHA1: b7bf181e52f3bfe97938248a17656a0707d4c65b
SHA256: 90e0882fbe6f041e91c620bf601847d04100e95e5076acbc83b2a38faf355755
SHA512: 95b5e6f72f33d914d4bec80026f883b03f0edc7af14185b67b73e074c94a8b62ccc2ee742c768536b7fbfec0e7dbae579b73c69e0fa343dbd8ed0c8495931baa

Filesize: 6.0MB
MD5: d9347ebc4f5ad8db1401a18f8619e279
SHA1: 1567a4da5dea19ef56e367993173084a8b9fd81a
SHA256: b096c0044b44b576b35765607869ef0e205a23b71c66bba3720e5a12580bb84d
SHA512: 50c0f2906fe864657c35175314963a173bc274bd7076032e37c176a2678727f03499e3076a40a78cbdfe19280b9839af0c3fd045d6bb68bed09c309976d6df34

Filesize: 4.8MB
MD5: 8ae8c0f6e3d956f14ce9a97cb04d08eb
SHA1: 978a48363c63d76704f05c62f196e7c7260b88d1
SHA256: 22eec05cc3e6f2e8a9d1eb33345db07830aac6c0c6699282efe7697aafbbee00
SHA512: 120dce578d03c8822bd6e86172da26238f32a7c676774fb9f1354404ddb4712f09bfce63e10ee4990b33f6b7b3459bf7e5526aad05e522a56f13bb0d89f5dc99