Analysis
- max time kernel: 141s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12-04-2024 02:17
Static task: static1
Behavioral task: behavioral1
- Sample: dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe
- Resource: win7-20240221-en
General
- Target: dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe
- Size: 2.6MB
- MD5: 4be056c45b66d118b96e41a7c4a6f318
- SHA1: 487ecf930f74c6ab959e7bbd5d268b813450f5e6
- SHA256: dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11
- SHA512: dbe17c2d7dc67860017ef8863e4dfa13a0da0e7c9d647f730ab78041155fcd50343e0ad3ef75d21aa61a562c91746876125b946ca059b4a5255b8df672aef8b3
- SSDEEP: 24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/Nt:Vh+ZkldoPKiYdKr9T
Malware Config
Extracted
- Family: orcus
- ligeon
- C2: ligeon.ddns.net:1606
- b98fb09a59c24a81b9d17a55ccf2c036
- autostart_method: Disable
- enable_keylogger: true
- install_path: %programfiles%\Orcus\Orcus.exe
- reconnect_delay: 10000
- registry_keyname: Orcus
- taskscheduler_taskname: Orcus
- watchdog_path: AppData\OrcusWatchdog.exe
Signatures
- Orcurs Rat Executable (3 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2496-3-0x0000000000400000-0x00000000004EA000-memory.dmp  orcus
  behavioral1/memory/2496-10-0x0000000000400000-0x00000000004EA000-memory.dmp  orcus
  behavioral1/memory/2496-9-0x0000000000400000-0x00000000004EA000-memory.dmp  orcus
- Deletes itself (1 IoCs)
  Processes (pid / process):
  2708  cmd.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  2816  setspn.exe
  2384  setspn.exe
- AutoIT Executable (4 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes (resource / yara_rule):
  behavioral1/memory/2168-0-0x0000000001220000-0x00000000014CA000-memory.dmp  autoit_exe
  C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe  autoit_exe
  behavioral1/memory/2816-25-0x00000000000F0000-0x000000000039A000-memory.dmp  autoit_exe
  behavioral1/memory/2384-39-0x00000000012A0000-0x000000000154A000-memory.dmp  autoit_exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description / pid / process / target process):
  PID 2168 set thread context of 2496  2168  dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe  RegSvcs.exe
  PID 2816 set thread context of 2944  2816  setspn.exe  RegSvcs.exe
  PID 2384 set thread context of 1716  2384  setspn.exe  RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
  2696  schtasks.exe
  2652  schtasks.exe
  1008  schtasks.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
  2168  dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe (listed twice)
  2816  setspn.exe (listed twice)
  2384  setspn.exe (listed twice)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege  2496  RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  2496  RegSvcs.exe
- Suspicious use of WriteProcessMemory (55 IoCs)
  Processes, with repeated identical entries collapsed (source pid / process -> target pid / target process, number of entries):
  2168  dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe -> 2496  RegSvcs.exe  (9)
  2168  dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe -> 2696  schtasks.exe  (4)
  2168  dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe -> 2708  cmd.exe  (4)
  2708  cmd.exe -> 2412  PING.EXE  (4)
  1596  taskeng.exe -> 2816  setspn.exe  (4)
  2816  setspn.exe -> 2944  RegSvcs.exe  (9)
  2816  setspn.exe -> 2652  schtasks.exe  (4)
  1596  taskeng.exe -> 2384  setspn.exe  (4)
  2384  setspn.exe -> 1716  RegSvcs.exe  (9)
  2384  setspn.exe -> 1008  schtasks.exe  (4)
Processes
- C:\Users\Admin\AppData\Local\Temp\dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe"
  PID: 2168
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2496
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
    PID: 2696
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe & exit
    PID: 2708
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -t 0
      PID: 2412
      - Runs ping.exe
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {264BE37B-D881-42EF-B92D-99C535E440B9} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
  PID: 1596
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    PID: 2816
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2944
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      PID: 2652
      - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
    PID: 2384
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 1716
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      PID: 1008
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.6MB
  MD5: 84ae63d165c1e0fe62700a47a788bd76
  SHA1: 17fdcf2056344a32eb050371cbd70f618408aa92
  SHA256: 224957835cfa63caf285b687ee31ccf57e726f6e3ecb5f7777d2a7e4e45b766e
  SHA512: 06ddf16748c6f7a472c3985910f83e9842d8404cbd1ebeed18d8a12f96c6211fa62557666cf0b421880b084ae985c8b5c63214438d95e8700ff248e1849d2f77