Analysis
max time kernel: 168s
max time network: 173s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12-04-2024 01:50
Static task: static1
Behavioral task: behavioral1
Sample: d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe
Resource: win7-20240221-en
General
Target: d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe
Size: 2.6MB
MD5: 8471f457a12c512aafaea1b4ed4478f8
SHA1: 2e23e6fb3a549705154a13da70aa7dca47018032
SHA256: d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440
SHA512: 68353f3b95bd20d18243cbbaf4de13c3b6f17820802b19a60eb80414000424882be697d085726db5e7b52f4a4f8c3927cba4c51f010deae03c59b6b6a5aedaf4
SSDEEP: 24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/Nw:Vh+ZkldoPKiYdKr9y
Malware Config
Extracted
orcus
ligeon
ligeon.ddns.net:1606
b98fb09a59c24a81b9d17a55ccf2c036
autostart_method: Disable
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures

Orcus Rat Executable (3 IoCs)
Processes:
resource                                                                       yara_rule
behavioral1/memory/2876-4-0x0000000000400000-0x00000000004EA000-memory.dmp     orcus
behavioral1/memory/2876-10-0x0000000000400000-0x00000000004EA000-memory.dmp    orcus
behavioral1/memory/2876-11-0x0000000000400000-0x00000000004EA000-memory.dmp    orcus

Deletes itself (1 IoCs)
Processes:
pid   process
2640  cmd.exe

Executes dropped EXE (3 IoCs)
Processes:
pid   process
2620  setspn.exe
3028  setspn.exe
748   setspn.exe

AutoIT Executable (5 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource                                                                       yara_rule
behavioral1/memory/2632-0-0x0000000000180000-0x000000000042A000-memory.dmp     autoit_exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe                          autoit_exe
behavioral1/memory/2620-24-0x00000000010B0000-0x000000000135A000-memory.dmp    autoit_exe
behavioral1/memory/3028-40-0x0000000001130000-0x00000000013DA000-memory.dmp    autoit_exe
behavioral1/memory/748-53-0x0000000001130000-0x00000000013DA000-memory.dmp     autoit_exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
description                          pid   process                                                                 target process
PID 2632 set thread context of 2876  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  RegSvcs.exe
PID 2620 set thread context of 2476  2620  setspn.exe                                                              RegSvcs.exe
PID 3028 set thread context of 2720  3028  setspn.exe                                                              RegSvcs.exe
PID 748 set thread context of 600    748   setspn.exe                                                              RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
1208  schtasks.exe
2712  schtasks.exe
2684  schtasks.exe
2104  schtasks.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid   process
2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe
2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe
2620  setspn.exe
2620  setspn.exe
3028  setspn.exe
3028  setspn.exe
748   setspn.exe
748   setspn.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  2876  RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid   process
2876  RegSvcs.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description                       pid   process                                                                 target process
PID 2632 wrote to memory of 2876  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  RegSvcs.exe
PID 2632 wrote to memory of 2876  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  RegSvcs.exe
PID 2632 wrote to memory of 2876  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  RegSvcs.exe
PID 2632 wrote to memory of 2876  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  RegSvcs.exe
PID 2632 wrote to memory of 2876  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  RegSvcs.exe
PID 2632 wrote to memory of 2876  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  RegSvcs.exe
PID 2632 wrote to memory of 2876  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  RegSvcs.exe
PID 2632 wrote to memory of 2876  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  RegSvcs.exe
PID 2632 wrote to memory of 2876  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  RegSvcs.exe
PID 2632 wrote to memory of 2712  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  schtasks.exe
PID 2632 wrote to memory of 2712  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  schtasks.exe
PID 2632 wrote to memory of 2712  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  schtasks.exe
PID 2632 wrote to memory of 2712  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  schtasks.exe
PID 2632 wrote to memory of 2640  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  cmd.exe
PID 2632 wrote to memory of 2640  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  cmd.exe
PID 2632 wrote to memory of 2640  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  cmd.exe
PID 2632 wrote to memory of 2640  2632  d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe  cmd.exe
PID 2640 wrote to memory of 2404  2640  cmd.exe                                                                 PING.EXE
PID 2640 wrote to memory of 2404  2640  cmd.exe                                                                 PING.EXE
PID 2640 wrote to memory of 2404  2640  cmd.exe                                                                 PING.EXE
PID 2640 wrote to memory of 2404  2640  cmd.exe                                                                 PING.EXE
PID 764 wrote to memory of 2620   764   taskeng.exe                                                             setspn.exe
PID 764 wrote to memory of 2620   764   taskeng.exe                                                             setspn.exe
PID 764 wrote to memory of 2620   764   taskeng.exe                                                             setspn.exe
PID 764 wrote to memory of 2620   764   taskeng.exe                                                             setspn.exe
PID 2620 wrote to memory of 2476  2620  setspn.exe                                                              RegSvcs.exe
PID 2620 wrote to memory of 2476  2620  setspn.exe                                                              RegSvcs.exe
PID 2620 wrote to memory of 2476  2620  setspn.exe                                                              RegSvcs.exe
PID 2620 wrote to memory of 2476  2620  setspn.exe                                                              RegSvcs.exe
PID 2620 wrote to memory of 2476  2620  setspn.exe                                                              RegSvcs.exe
PID 2620 wrote to memory of 2476  2620  setspn.exe                                                              RegSvcs.exe
PID 2620 wrote to memory of 2476  2620  setspn.exe                                                              RegSvcs.exe
PID 2620 wrote to memory of 2476  2620  setspn.exe                                                              RegSvcs.exe
PID 2620 wrote to memory of 2476  2620  setspn.exe                                                              RegSvcs.exe
PID 2620 wrote to memory of 2684  2620  setspn.exe                                                              schtasks.exe
PID 2620 wrote to memory of 2684  2620  setspn.exe                                                              schtasks.exe
PID 2620 wrote to memory of 2684  2620  setspn.exe                                                              schtasks.exe
PID 2620 wrote to memory of 2684  2620  setspn.exe                                                              schtasks.exe
PID 764 wrote to memory of 3028   764   taskeng.exe                                                             setspn.exe
PID 764 wrote to memory of 3028   764   taskeng.exe                                                             setspn.exe
PID 764 wrote to memory of 3028   764   taskeng.exe                                                             setspn.exe
PID 764 wrote to memory of 3028   764   taskeng.exe                                                             setspn.exe
PID 3028 wrote to memory of 2720  3028  setspn.exe                                                              RegSvcs.exe
PID 3028 wrote to memory of 2720  3028  setspn.exe                                                              RegSvcs.exe
PID 3028 wrote to memory of 2720  3028  setspn.exe                                                              RegSvcs.exe
PID 3028 wrote to memory of 2720  3028  setspn.exe                                                              RegSvcs.exe
PID 3028 wrote to memory of 2720  3028  setspn.exe                                                              RegSvcs.exe
PID 3028 wrote to memory of 2720  3028  setspn.exe                                                              RegSvcs.exe
PID 3028 wrote to memory of 2720  3028  setspn.exe                                                              RegSvcs.exe
PID 3028 wrote to memory of 2720  3028  setspn.exe                                                              RegSvcs.exe
PID 3028 wrote to memory of 2720  3028  setspn.exe                                                              RegSvcs.exe
PID 3028 wrote to memory of 2104  3028  setspn.exe                                                              schtasks.exe
PID 3028 wrote to memory of 2104  3028  setspn.exe                                                              schtasks.exe
PID 3028 wrote to memory of 2104  3028  setspn.exe                                                              schtasks.exe
PID 3028 wrote to memory of 2104  3028  setspn.exe                                                              schtasks.exe
PID 764 wrote to memory of 748    764   taskeng.exe                                                             setspn.exe
PID 764 wrote to memory of 748    764   taskeng.exe                                                             setspn.exe
PID 764 wrote to memory of 748    764   taskeng.exe                                                             setspn.exe
PID 764 wrote to memory of 748    764   taskeng.exe                                                             setspn.exe
PID 748 wrote to memory of 600    748   setspn.exe                                                              RegSvcs.exe
PID 748 wrote to memory of 600    748   setspn.exe                                                              RegSvcs.exe
PID 748 wrote to memory of 600    748   setspn.exe                                                              RegSvcs.exe
PID 748 wrote to memory of 600    748   setspn.exe                                                              RegSvcs.exe
PID 748 wrote to memory of 600    748   setspn.exe                                                              RegSvcs.exe
Processes

C:\Users\Admin\AppData\Local\Temp\d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2632

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2876

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 2712

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\d6ac723ad6c3708612c5f636eb9312b5b56f1f2d42621286cb01a52dcde7d440.exe & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2640

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -t 0
      - Runs ping.exe
      PID: 2404

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {2B3E2A5E-F505-46E7-A4E4-A354837F68B3} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 764

  C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2620

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2476

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 2684

  C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3028

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2720

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 2104

  C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 748

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 600

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 1208
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: 2845f6f8f562f4e70c3e78957c765b5b
SHA1: 94a3e38a41629792e07beabc849cc913d9b64172
SHA256: fe49a489c84e292836641cb773b0252d85dbe9c60fe8961e36b7a3c1c01524cb
SHA512: 2cc49334dccae70d42c6d36725fd6d1f28467396af79a83d8ae29da96e190f00f603b87358c38add0dadcf7614aec25a7b7cee44506a8e8e7564837ccf19783a