Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-04-2024 02:17
Static task: static1
Behavioral task: behavioral1
Sample: dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe
Resource: win7-20240221-en
General
Target: dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe
Size: 2.6MB
MD5: 4be056c45b66d118b96e41a7c4a6f318
SHA1: 487ecf930f74c6ab959e7bbd5d268b813450f5e6
SHA256: dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11
SHA512: dbe17c2d7dc67860017ef8863e4dfa13a0da0e7c9d647f730ab78041155fcd50343e0ad3ef75d21aa61a562c91746876125b946ca059b4a5255b8df672aef8b3
SSDEEP: 24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/Nt:Vh+ZkldoPKiYdKr9T
Malware Config
Extracted
orcus
ligeon
ligeon.ddns.net:1606
b98fb09a59c24a81b9d17a55ccf2c036
autostart_method: Disable
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures

Orcus Rat Executable (1 IoC)
resource | yara_rule
behavioral2/memory/3720-1-0x0000000000400000-0x00000000004EA000-memory.dmp | orcus
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe, setspn.exe, setspn.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | setspn.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | setspn.exe
Executes dropped EXE (3 IoCs)
Processes: setspn.exe, setspn.exe, setspn.exe
pid | process
3700 | setspn.exe
4116 | setspn.exe
4252 | setspn.exe
AutoIT Executable (5 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/3880-0-0x0000000000650000-0x00000000008FA000-memory.dmp | autoit_exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe | autoit_exe
behavioral2/memory/3700-23-0x00000000003D0000-0x000000000067A000-memory.dmp | autoit_exe
behavioral2/memory/4116-35-0x00000000003D0000-0x000000000067A000-memory.dmp | autoit_exe
behavioral2/memory/4252-46-0x00000000003D0000-0x000000000067A000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext (3 IoCs)
Processes: dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe, setspn.exe, setspn.exe
description | pid | process | target process
PID 3880 set thread context of 3720 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | RegSvcs.exe
PID 3700 set thread context of 1744 | 3700 | setspn.exe | RegSvcs.exe
PID 4116 set thread context of 1488 | 4116 | setspn.exe | RegSvcs.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
pid | process
3392 | schtasks.exe
568 | schtasks.exe
4608 | schtasks.exe

Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe, setspn.exe, setspn.exe
pid | process
3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe
3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe
3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe
3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe
3700 | setspn.exe
3700 | setspn.exe
3700 | setspn.exe
3700 | setspn.exe
4116 | setspn.exe
4116 | setspn.exe
4116 | setspn.exe
4116 | setspn.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 3720 | RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: RegSvcs.exe
pid | process
3720 | RegSvcs.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Processes: dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe, cmd.exe, setspn.exe, setspn.exe
description | pid | process | target process
PID 3880 wrote to memory of 3720 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | RegSvcs.exe
PID 3880 wrote to memory of 3720 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | RegSvcs.exe
PID 3880 wrote to memory of 3720 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | RegSvcs.exe
PID 3880 wrote to memory of 3720 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | RegSvcs.exe
PID 3880 wrote to memory of 3720 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | RegSvcs.exe
PID 3880 wrote to memory of 3392 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | schtasks.exe
PID 3880 wrote to memory of 3392 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | schtasks.exe
PID 3880 wrote to memory of 3392 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | schtasks.exe
PID 3880 wrote to memory of 1760 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | cmd.exe
PID 3880 wrote to memory of 1760 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | cmd.exe
PID 3880 wrote to memory of 1760 | 3880 | dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe | cmd.exe
PID 1760 wrote to memory of 2120 | 1760 | cmd.exe | PING.EXE
PID 1760 wrote to memory of 2120 | 1760 | cmd.exe | PING.EXE
PID 1760 wrote to memory of 2120 | 1760 | cmd.exe | PING.EXE
PID 3700 wrote to memory of 1744 | 3700 | setspn.exe | RegSvcs.exe
PID 3700 wrote to memory of 1744 | 3700 | setspn.exe | RegSvcs.exe
PID 3700 wrote to memory of 1744 | 3700 | setspn.exe | RegSvcs.exe
PID 3700 wrote to memory of 1744 | 3700 | setspn.exe | RegSvcs.exe
PID 3700 wrote to memory of 1744 | 3700 | setspn.exe | RegSvcs.exe
PID 3700 wrote to memory of 568 | 3700 | setspn.exe | schtasks.exe
PID 3700 wrote to memory of 568 | 3700 | setspn.exe | schtasks.exe
PID 3700 wrote to memory of 568 | 3700 | setspn.exe | schtasks.exe
PID 4116 wrote to memory of 1488 | 4116 | setspn.exe | RegSvcs.exe
PID 4116 wrote to memory of 1488 | 4116 | setspn.exe | RegSvcs.exe
PID 4116 wrote to memory of 1488 | 4116 | setspn.exe | RegSvcs.exe
PID 4116 wrote to memory of 1488 | 4116 | setspn.exe | RegSvcs.exe
PID 4116 wrote to memory of 1488 | 4116 | setspn.exe | RegSvcs.exe
PID 4116 wrote to memory of 4608 | 4116 | setspn.exe | schtasks.exe
PID 4116 wrote to memory of 4608 | 4116 | setspn.exe | schtasks.exe
PID 4116 wrote to memory of 4608 | 4116 | setspn.exe | schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe (PID 3880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3720)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\schtasks.exe (PID 3392)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\cmd.exe (PID 1760)
      Command line: "C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\dd13f367b9b4728cf8e1da491ccc9a08c0d223b62fad80399c73b4a0fef15e11.exe & exit
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (PID 2120)
          Command line: ping 127.0.0.1 -t 0
          - Runs ping.exe

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe (PID 3700)
  Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1744)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 568)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2432)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe (PID 4116)
  Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1488)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Windows\SysWOW64\schtasks.exe (PID 4608)
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe (PID 4252)
  Command line: C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 0672db2ef13237d5cb85075ff4915942
SHA1: ad8b4d3eb5e40791c47d48b22e273486f25f663f
SHA256: 0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519
SHA512: 84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

Filesize: 2.6MB
MD5: ac6bfe4c1ed36f5a0485d061cdac2c55
SHA1: 3fa7d3cb254392606d2f30b033b8e3ed16bf0a36
SHA256: bf4e2e4b4c0cb256ea7da905b0565eec2db811e9ef5873071e54cea5849737b9
SHA512: 5806cfc4e64bfbaff1907a2711597e6d14f239d919abbbb3789c1584aeaf59e62d82ae11a4eb2f94da33f1f7a531984619d6a752fa1c98d647ccb8ae058b35f2