Analysis

max time kernel: 140s
max time network: 142s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 12-04-2024 01:52

Static task: static1
Behavioral task: behavioral1
Sample: cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe
Resource: win7-20240220-en
General

Target: cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe
Size: 2.6MB
MD5: d8ee7afd9f98df1d92b3ad3c38f405a1
SHA1: 921b80872b0733073b94b3c461e0e0c901890a29
SHA256: cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf
SHA512: ad4b2f873cbec1163d1a5f5717d43c10271d2c20adce615f0f619d5678cfa0d7f1ebe456429848a058f57cc5e09332d4247deac359e5cf55a10c6e75aa5c3839
SSDEEP: 24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/NQ:Vh+ZkldoPKiYdKr9i
Malware Config

Extracted (orcus):
  ligeon
  ligeon.ddns.net:1606
  b98fb09a59c24a81b9d17a55ccf2c036
  autostart_method: Disable
  enable_keylogger: true
  install_path: %programfiles%\Orcus\Orcus.exe
  reconnect_delay: 10000
  registry_keyname: Orcus
  taskscheduler_taskname: Orcus
  watchdog_path: AppData\OrcusWatchdog.exe
Signatures

Orcurs Rat Executable (6 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/memory/2588-3-0x0000000000090000-0x000000000017A000-memory.dmp | orcus |
| behavioral1/memory/2588-9-0x0000000000090000-0x000000000017A000-memory.dmp | orcus |
| behavioral1/memory/2588-10-0x0000000000090000-0x000000000017A000-memory.dmp | orcus |
| behavioral1/memory/1504-27-0x0000000000400000-0x00000000004EA000-memory.dmp | orcus |
| behavioral1/memory/1504-33-0x0000000000400000-0x00000000004EA000-memory.dmp | orcus |
| behavioral1/memory/1504-34-0x0000000000400000-0x00000000004EA000-memory.dmp | orcus |

Deletes itself (1 IoC)

| pid | process |
|---|---|
| 2600 | cmd.exe |

Executes dropped EXE (2 IoCs)

| pid | process |
|---|---|
| 2236 | setspn.exe |
| 1848 | setspn.exe |

AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.

| resource | yara_rule |
|---|---|
| behavioral1/memory/2088-0-0x0000000001350000-0x00000000015FA000-memory.dmp | autoit_exe |
| C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe | autoit_exe |
| behavioral1/memory/2236-25-0x00000000013E0000-0x000000000168A000-memory.dmp | autoit_exe |
| behavioral1/memory/1848-39-0x00000000013E0000-0x000000000168A000-memory.dmp | autoit_exe |

Suspicious use of SetThreadContext (3 IoCs)

| description | pid | process | target process |
|---|---|---|---|
| set thread context of 2588 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | RegSvcs.exe |
| set thread context of 1504 | 2236 | setspn.exe | RegSvcs.exe |
| set thread context of 324 | 1848 | setspn.exe | RegSvcs.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | process |
|---|---|
| 2612 | schtasks.exe |
| 2336 | schtasks.exe |
| 1592 | schtasks.exe |

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (6 IoCs)

| pid | process |
|---|---|
| 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe |
| 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe |
| 2236 | setspn.exe |
| 2236 | setspn.exe |
| 1848 | setspn.exe |
| 1848 | setspn.exe |

Suspicious use of AdjustPrivilegeToken (1 IoC)

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 2588 | RegSvcs.exe |

Suspicious use of SetWindowsHookEx (1 IoC)

| pid | process |
|---|---|
| 2588 | RegSvcs.exe |

Suspicious use of WriteProcessMemory (55 IoCs)

| description | pid | process | target process |
|---|---|---|---|
| wrote to memory of 2588 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | RegSvcs.exe |
| wrote to memory of 2588 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | RegSvcs.exe |
| wrote to memory of 2588 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | RegSvcs.exe |
| wrote to memory of 2588 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | RegSvcs.exe |
| wrote to memory of 2588 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | RegSvcs.exe |
| wrote to memory of 2588 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | RegSvcs.exe |
| wrote to memory of 2588 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | RegSvcs.exe |
| wrote to memory of 2588 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | RegSvcs.exe |
| wrote to memory of 2588 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | RegSvcs.exe |
| wrote to memory of 2612 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | schtasks.exe |
| wrote to memory of 2612 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | schtasks.exe |
| wrote to memory of 2612 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | schtasks.exe |
| wrote to memory of 2612 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | schtasks.exe |
| wrote to memory of 2600 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | cmd.exe |
| wrote to memory of 2600 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | cmd.exe |
| wrote to memory of 2600 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | cmd.exe |
| wrote to memory of 2600 | 2088 | cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe | cmd.exe |
| wrote to memory of 2404 | 2600 | cmd.exe | PING.EXE |
| wrote to memory of 2404 | 2600 | cmd.exe | PING.EXE |
| wrote to memory of 2404 | 2600 | cmd.exe | PING.EXE |
| wrote to memory of 2404 | 2600 | cmd.exe | PING.EXE |
| wrote to memory of 2236 | 1892 | taskeng.exe | setspn.exe |
| wrote to memory of 2236 | 1892 | taskeng.exe | setspn.exe |
| wrote to memory of 2236 | 1892 | taskeng.exe | setspn.exe |
| wrote to memory of 2236 | 1892 | taskeng.exe | setspn.exe |
| wrote to memory of 1504 | 2236 | setspn.exe | RegSvcs.exe |
| wrote to memory of 1504 | 2236 | setspn.exe | RegSvcs.exe |
| wrote to memory of 1504 | 2236 | setspn.exe | RegSvcs.exe |
| wrote to memory of 1504 | 2236 | setspn.exe | RegSvcs.exe |
| wrote to memory of 1504 | 2236 | setspn.exe | RegSvcs.exe |
| wrote to memory of 1504 | 2236 | setspn.exe | RegSvcs.exe |
| wrote to memory of 1504 | 2236 | setspn.exe | RegSvcs.exe |
| wrote to memory of 1504 | 2236 | setspn.exe | RegSvcs.exe |
| wrote to memory of 1504 | 2236 | setspn.exe | RegSvcs.exe |
| wrote to memory of 2336 | 2236 | setspn.exe | schtasks.exe |
| wrote to memory of 2336 | 2236 | setspn.exe | schtasks.exe |
| wrote to memory of 2336 | 2236 | setspn.exe | schtasks.exe |
| wrote to memory of 2336 | 2236 | setspn.exe | schtasks.exe |
| wrote to memory of 1848 | 1892 | taskeng.exe | setspn.exe |
| wrote to memory of 1848 | 1892 | taskeng.exe | setspn.exe |
| wrote to memory of 1848 | 1892 | taskeng.exe | setspn.exe |
| wrote to memory of 1848 | 1892 | taskeng.exe | setspn.exe |
| wrote to memory of 324 | 1848 | setspn.exe | RegSvcs.exe |
| wrote to memory of 324 | 1848 | setspn.exe | RegSvcs.exe |
| wrote to memory of 324 | 1848 | setspn.exe | RegSvcs.exe |
| wrote to memory of 324 | 1848 | setspn.exe | RegSvcs.exe |
| wrote to memory of 324 | 1848 | setspn.exe | RegSvcs.exe |
| wrote to memory of 324 | 1848 | setspn.exe | RegSvcs.exe |
| wrote to memory of 324 | 1848 | setspn.exe | RegSvcs.exe |
| wrote to memory of 324 | 1848 | setspn.exe | RegSvcs.exe |
| wrote to memory of 324 | 1848 | setspn.exe | RegSvcs.exe |
| wrote to memory of 1592 | 1848 | setspn.exe | schtasks.exe |
| wrote to memory of 1592 | 1848 | setspn.exe | schtasks.exe |
| wrote to memory of 1592 | 1848 | setspn.exe | schtasks.exe |
| wrote to memory of 1592 | 1848 | setspn.exe | schtasks.exe |
Processes

C:\Users\Admin\AppData\Local\Temp\cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe (PID: 2088)
Command line: "C:\Users\Admin\AppData\Local\Temp\cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID: 2588)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\schtasks.exe (PID: 2612)
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe (PID: 2600)
    Command line: "C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\cb49bf2372e28eedd203c223b78e1e2f9cdb8677dc55efac23aa2ce6bd355bbf.exe & exit
    - Deletes itself
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE (PID: 2404)
        Command line: ping 127.0.0.1 -t 0
        - Runs ping.exe

C:\Windows\system32\taskeng.exe (PID: 1892)
Command line: taskeng.exe {3342A362-33A4-400D-974D-726DF85656A1} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe (PID: 2236)
    Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID: 1504)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

        C:\Windows\SysWOW64\schtasks.exe (PID: 2336)
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe (PID: 1848)
    Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID: 324)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

        C:\Windows\SysWOW64\schtasks.exe (PID: 1592)
        Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: d53aab692fe45afeb18bfac8a57bbc19
SHA1: eea83526036f94e3436420b88718611b67e9ff0c
SHA256: 2b1f91f9c6d2d00b1bd7c7735773c5bbf06efb245668d51760291b23180b7f73
SHA512: 4a278bbcc6444867d38e05fc857f98d511cab0a9f950af79bf08ec1e63cdf8c682f132f8606759594c8aa7eb302f1abc6ca5c012781eef176eff7b29bd98b7e1