Analysis
max time kernel: 142s
max time network: 142s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 12-04-2024 01:44
Static task: static1
Behavioral task: behavioral1
Sample: 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe
Resource: win7-20240221-en
General
Target: 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe
Size: 2.6MB
MD5: 2881da0a29f1c8396704b74d8d583061
SHA1: 6b157a9182997360d4adc3aade23a961564619d2
SHA256: 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e
SHA512: 4b8e58da698ce5a630237a3d80e1122347998c32448dca94eea1c2fb7cba97b44721132db65eed58cf47bf692030fd7204f468140ecb68421a894ff8b4a256f4
SSDEEP: 24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/NP:Vh+ZkldoPKiYdKr9d
Malware Config
Extracted
orcus
ligeon
ligeon.ddns.net:1606
b98fb09a59c24a81b9d17a55ccf2c036
autostart_method: Disable
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures
Orcurs Rat Executable 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2376-3-0x0000000000400000-0x00000000004EA000-memory.dmp | orcus
behavioral1/memory/2376-9-0x0000000000400000-0x00000000004EA000-memory.dmp | orcus
behavioral1/memory/2376-10-0x0000000000400000-0x00000000004EA000-memory.dmp | orcus
Deletes itself 1 IoCs
Processes:
pid | process
2648 | cmd.exe
Executes dropped EXE 2 IoCs
Processes:
pid | process
1996 | setspn.exe
752 | setspn.exe
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/1812-0-0x0000000000EE0000-0x000000000118A000-memory.dmp | autoit_exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe | autoit_exe
behavioral1/memory/1996-25-0x0000000000180000-0x000000000042A000-memory.dmp | autoit_exe
behavioral1/memory/752-40-0x0000000000E70000-0x000000000111A000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1812 set thread context of 2376 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | RegSvcs.exe
PID 1996 set thread context of 1412 | 1996 | setspn.exe | RegSvcs.exe
PID 752 set thread context of 1652 | 752 | setspn.exe | RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2404 | schtasks.exe
1952 | schtasks.exe
1084 | schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe
1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe
1996 | setspn.exe
1996 | setspn.exe
752 | setspn.exe
752 | setspn.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2376 | RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2376 | RegSvcs.exe
Suspicious use of WriteProcessMemory 55 IoCs
Processes:
description | pid | process | target process
PID 1812 wrote to memory of 2376 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | RegSvcs.exe
PID 1812 wrote to memory of 2376 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | RegSvcs.exe
PID 1812 wrote to memory of 2376 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | RegSvcs.exe
PID 1812 wrote to memory of 2376 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | RegSvcs.exe
PID 1812 wrote to memory of 2376 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | RegSvcs.exe
PID 1812 wrote to memory of 2376 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | RegSvcs.exe
PID 1812 wrote to memory of 2376 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | RegSvcs.exe
PID 1812 wrote to memory of 2376 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | RegSvcs.exe
PID 1812 wrote to memory of 2376 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | RegSvcs.exe
PID 1812 wrote to memory of 2404 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | schtasks.exe
PID 1812 wrote to memory of 2404 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | schtasks.exe
PID 1812 wrote to memory of 2404 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | schtasks.exe
PID 1812 wrote to memory of 2404 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | schtasks.exe
PID 1812 wrote to memory of 2648 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | cmd.exe
PID 1812 wrote to memory of 2648 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | cmd.exe
PID 1812 wrote to memory of 2648 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | cmd.exe
PID 1812 wrote to memory of 2648 | 1812 | 02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe | cmd.exe
PID 2648 wrote to memory of 2692 | 2648 | cmd.exe | PING.EXE
PID 2648 wrote to memory of 2692 | 2648 | cmd.exe | PING.EXE
PID 2648 wrote to memory of 2692 | 2648 | cmd.exe | PING.EXE
PID 2648 wrote to memory of 2692 | 2648 | cmd.exe | PING.EXE
PID 1624 wrote to memory of 1996 | 1624 | taskeng.exe | setspn.exe
PID 1624 wrote to memory of 1996 | 1624 | taskeng.exe | setspn.exe
PID 1624 wrote to memory of 1996 | 1624 | taskeng.exe | setspn.exe
PID 1624 wrote to memory of 1996 | 1624 | taskeng.exe | setspn.exe
PID 1996 wrote to memory of 1412 | 1996 | setspn.exe | RegSvcs.exe
PID 1996 wrote to memory of 1412 | 1996 | setspn.exe | RegSvcs.exe
PID 1996 wrote to memory of 1412 | 1996 | setspn.exe | RegSvcs.exe
PID 1996 wrote to memory of 1412 | 1996 | setspn.exe | RegSvcs.exe
PID 1996 wrote to memory of 1412 | 1996 | setspn.exe | RegSvcs.exe
PID 1996 wrote to memory of 1412 | 1996 | setspn.exe | RegSvcs.exe
PID 1996 wrote to memory of 1412 | 1996 | setspn.exe | RegSvcs.exe
PID 1996 wrote to memory of 1412 | 1996 | setspn.exe | RegSvcs.exe
PID 1996 wrote to memory of 1412 | 1996 | setspn.exe | RegSvcs.exe
PID 1996 wrote to memory of 1952 | 1996 | setspn.exe | schtasks.exe
PID 1996 wrote to memory of 1952 | 1996 | setspn.exe | schtasks.exe
PID 1996 wrote to memory of 1952 | 1996 | setspn.exe | schtasks.exe
PID 1996 wrote to memory of 1952 | 1996 | setspn.exe | schtasks.exe
PID 1624 wrote to memory of 752 | 1624 | taskeng.exe | setspn.exe
PID 1624 wrote to memory of 752 | 1624 | taskeng.exe | setspn.exe
PID 1624 wrote to memory of 752 | 1624 | taskeng.exe | setspn.exe
PID 1624 wrote to memory of 752 | 1624 | taskeng.exe | setspn.exe
PID 752 wrote to memory of 1652 | 752 | setspn.exe | RegSvcs.exe
PID 752 wrote to memory of 1652 | 752 | setspn.exe | RegSvcs.exe
PID 752 wrote to memory of 1652 | 752 | setspn.exe | RegSvcs.exe
PID 752 wrote to memory of 1652 | 752 | setspn.exe | RegSvcs.exe
PID 752 wrote to memory of 1652 | 752 | setspn.exe | RegSvcs.exe
PID 752 wrote to memory of 1652 | 752 | setspn.exe | RegSvcs.exe
PID 752 wrote to memory of 1652 | 752 | setspn.exe | RegSvcs.exe
PID 752 wrote to memory of 1652 | 752 | setspn.exe | RegSvcs.exe
PID 752 wrote to memory of 1652 | 752 | setspn.exe | RegSvcs.exe
PID 752 wrote to memory of 1084 | 752 | setspn.exe | schtasks.exe
PID 752 wrote to memory of 1084 | 752 | setspn.exe | schtasks.exe
PID 752 wrote to memory of 1084 | 752 | setspn.exe | schtasks.exe
PID 752 wrote to memory of 1084 | 752 | setspn.exe | schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1812

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2376

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 2404

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\02be5e1ff3d3187c1fd3a389210dadb5a59c8f9382736e50fe5e82f9c39acb3e.exe & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2648

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1 -t 0
      - Runs ping.exe
      PID: 2692

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {DFFE2DA2-E0B3-4483-9D62-4943A03EAD1D} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1624

  C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1996

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1412

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 1952

  C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 752

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1652

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 1084
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 0adbd64b1acaf106bc1896574b43a261
SHA1: 352cdba221d19837930e63255dc4be1ee1c63f28
SHA256: 5743307aafc536348e8f56d3f9f092d00fc2b578642d9fae41e9342dd618525b
SHA512: 558c4be07392442acfac02c33a6afe9905a1faa73714d72966274b82e115266c15ed40cc7d14358fcc652c2b3f49175c808ce2524c22eaeb57fc976ceea3535f