Analysis
-
max time kernel
148s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
28-03-2024 06:38
General
-
Target
4c59be9855505c9af55d8b532031c1de313885604162eafa12d53539085df4b2.exe
-
Size
3.0MB
-
MD5
e067840e2f9733e5d7bc083cc11ed4fa
-
SHA1
4d9ad6f1c50a9eb4141a17a5af43f0e0c105b9e0
-
SHA256
4c59be9855505c9af55d8b532031c1de313885604162eafa12d53539085df4b2
-
SHA512
278a8da77ac55e97776239813cc9b19940dc6e99a4792a4ecdc806a4b026fe3adb1b1cf6c169545569ef54cad07abc97dd1522fcb939eae2a03a9bd1d3e7f4ec
-
SSDEEP
49152:WVFonuvKFmwLGZeM9/dFQMDjjzKCkElU+fPONM6WAypQxb1o9JnCmwKWnzFfGI7k:W9CFmwLvEeMDjnpHfP56xypSb1o9JCm
Malware Config
Extracted
orcus
Conflicker
Conflicker-35081.portmap.host:35081
09bbf5ad32294289979fe0ce356efd76
-
autostart_method
TaskScheduler
-
enable_keylogger
true
-
install_path
%programfiles%\Config\Conflicker.exe
-
reconnect_delay
10000
-
registry_keyname
Conflicker
-
taskscheduler_taskname
Secure
-
watchdog_path
AppData\%appdata%\conflicker\conflicker.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
UAC bypass 3 TTPs 6 IoCs
-
Orcurs Rat Executable 5 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
System policy modification 1 TTPs 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c59be9855505c9af55d8b532031c1de313885604162eafa12d53539085df4b2.exe"C:\Users\Admin\AppData\Local\Temp\4c59be9855505c9af55d8b532031c1de313885604162eafa12d53539085df4b2.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Config\Conflicker.exe"C:\Program Files\Config\Conflicker.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\taskeng.exetaskeng.exe {BE85436D-8F2F-4D0F-BE0C-6AC336C00B58} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Config\Conflicker.exe"C:\Program Files\Config\Conflicker.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5e067840e2f9733e5d7bc083cc11ed4fa
SHA14d9ad6f1c50a9eb4141a17a5af43f0e0c105b9e0
SHA2564c59be9855505c9af55d8b532031c1de313885604162eafa12d53539085df4b2
SHA512278a8da77ac55e97776239813cc9b19940dc6e99a4792a4ecdc806a4b026fe3adb1b1cf6c169545569ef54cad07abc97dd1522fcb939eae2a03a9bd1d3e7f4ec
-
Filesize
128KB
MD57fca7ede989ee726d2b7e6444704314c
SHA1752ac5e49efb053e1d46e3f439f87adcb6a3125a
SHA2562cab3db82491e2b9209233261346a1b672bb78d9fbc15b3176d5c0cad5163562
SHA512385599e5744f3c7fb7e0553d5477eeca1bd1b8dad005045d2445b29c30b1c6468568c3c35726ed3e5544d6fd9b0fc4267679eae7e4ff996629ed3e30bcece4ce
-
Filesize
7KB
MD50ae0b49960dba8f228da5fefcc2b0e8a
SHA1360fac01b52b2a142bd2c6ff378239805b9b4172
SHA256d6c45e48118cb61ed894afc354673392d15291776447ddb63ea7d7679051a762
SHA5122fe463c09a5ed562218c4a377a21854cec082e1412ce75984e6e516fe9a3cf4c5946523a267210d251c4384b0806c26f85003176b3227ac82862154063e40fa4
-
Filesize
1KB
MD5f9f47e502c73fc9f0d6526c397c8b01b
SHA1ab82e105597e6d620c06281d147c1f3781bbde91
SHA256514720e4b4e18ee06d1dbd3b968f9cc69964389ea7047135c61ad9b0477b7123
SHA5120b157c0bf955d3cb1ab807791a13ac9213b4e206171f24e660ab452f20e90468499934283673b1f629c518e14050655f79873f4a9d28beac85ac1e08926f937c
-
Filesize
21KB
MD5b7b8815f40cfcfafe94eedef0f9626f7
SHA19309f5f229845c27332d6a98d1e1f864400755c6
SHA2564a8878876c87cd8d74f90b4947449c6d72bed6d8d70e1643b2e2572a64c0d8a8
SHA512b5224ec900b13f3da823c1948e1cdad4a9d855ea6da0e07b28b1c412dfcbda84dab829ccc4f414bef35902bc587cc3b2a3d4ce2b60f958081c6ce1ff6be8d12f
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
112KB
-
Filesize
236KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
168KB
-
Filesize
56KB
-
Filesize
152KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
152KB
-
Filesize
3.0MB
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
3.0MB
-
Filesize
152KB
-
Filesize
96KB
-
Filesize
236KB
-
Filesize
88KB
-
Filesize
368KB
-
Filesize
80KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
1.0MB
-
Filesize
48KB
-
Filesize
128KB
-
Filesize
152KB
-
Filesize
612KB
-
Filesize
24KB
-
Filesize
56KB
-
Filesize
992KB
-
Filesize
448KB
-
Filesize
436KB
-
Filesize
9.9MB
-
Filesize
3.0MB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
48KB