Analysis
max time kernel: 140s
max time network: 142s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 12-04-2024 01:03
Static task: static1
Behavioral task: behavioral1
Sample: c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105.exe
Resource: win7-20240215-en
General
Target: c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105.exe
Size: 2.6MB
MD5: be8f80724df234482960ce23d1ba3775
SHA1: 2479394e9d3febf89636f427d5eb3faaec864465
SHA256: c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105
SHA512: 90474b7659d9d31cbcfe8c946d3bbaec14b9f851b64f7d4f209c8dd3fcd99c82a9f6aed4c478bb64e597a33db09ad35c117804c5c89e2092f26a4bf1d21ff5a1
SSDEEP: 24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/ND:Vh+ZkldoPKiYdKr9N
Malware Config
Extracted
orcus
ligeon
ligeon.ddns.net:1606
b98fb09a59c24a81b9d17a55ccf2c036
autostart_method: Disable
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures
- Orcurs Rat Executable (3 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/3040-3-0x0000000000400000-0x00000000004EA000-memory.dmp / orcus
  behavioral1/memory/3040-9-0x0000000000400000-0x00000000004EA000-memory.dmp / orcus
  behavioral1/memory/3040-10-0x0000000000400000-0x00000000004EA000-memory.dmp / orcus
- Deletes itself (1 IoCs)
  Processes (pid / process):
  2544 / cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  2324 / setspn.exe
  608 / setspn.exe
- AutoIT Executable (4 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource / yara_rule):
  behavioral1/memory/2956-0-0x0000000001110000-0x00000000013BA000-memory.dmp / autoit_exe
  C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe / autoit_exe
  behavioral1/memory/2324-25-0x00000000011F0000-0x000000000149A000-memory.dmp / autoit_exe
  behavioral1/memory/608-39-0x00000000011F0000-0x000000000149A000-memory.dmp / autoit_exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description / pid / process / target process):
  PID 2956 (c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105.exe) set thread context of PID 3040 (RegSvcs.exe)
  PID 2324 (setspn.exe) set thread context of PID 1464 (RegSvcs.exe)
  PID 608 (setspn.exe) set thread context of PID 284 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
  2084 / schtasks.exe
  2776 / schtasks.exe
  2112 / schtasks.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  2956 / c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105.exe (2 events)
  2324 / setspn.exe (2 events)
  608 / setspn.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 3040 / RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  3040 / RegSvcs.exe
- Suspicious use of WriteProcessMemory (55 IoCs)
  Processes (source pid / source process wrote to memory of target pid / target process, number of events):
  2956 / c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105.exe wrote to memory of 3040 / RegSvcs.exe (9 events)
  2956 / c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105.exe wrote to memory of 2084 / schtasks.exe (4 events)
  2956 / c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105.exe wrote to memory of 2544 / cmd.exe (4 events)
  2544 / cmd.exe wrote to memory of 2720 / PING.EXE (4 events)
  2040 / taskeng.exe wrote to memory of 2324 / setspn.exe (4 events)
  2324 / setspn.exe wrote to memory of 1464 / RegSvcs.exe (9 events)
  2324 / setspn.exe wrote to memory of 2776 / schtasks.exe (4 events)
  2040 / taskeng.exe wrote to memory of 608 / setspn.exe (4 events)
  608 / setspn.exe wrote to memory of 284 / RegSvcs.exe (9 events)
  608 / setspn.exe wrote to memory of 2112 / schtasks.exe (4 events)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2956
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 3040
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
    PID: 2084
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\c1bb4878d2985dd8077358a034652f3ee13d8d22a92d407757538dd7fc667105.exe & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2544
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -t 0
      - Runs ping.exe
      PID: 2720
- [depth 1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {24F59B9A-DB55-4449-9209-1DEB27634499} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2040
  - [depth 2] C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2324
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1464
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 2776
  - [depth 2] C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 608
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 284
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
      PID: 2112
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.6MB
MD5: d989eb5bbba2d8c73b8278cc1d071217
SHA1: 18c3acc254e3f404bcb24effb06ca467eecd7a5a
SHA256: 93a326c3caf058af05acd6b41801812967fa7282aab562016ae3364be11d97e2
SHA512: 80d482c7adf6f8f38f2aca6a832579241a3e827045678bf7af61de14cd6b4b59a9af639103061f8c3dc10b40d6ede5588f4d5d8b389b905df04d8ce11ba3e81b