Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12-04-2024 20:29
Static task: static1
Behavioral task: behavioral1
  Sample: 3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe
  Resource: win10v2004-20240412-en
General
Target: 3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe
Size: 3.0MB
MD5: 1b66599aa9ddba22025c964377d96c81
SHA1: b30de57756593f95ba50dd0b5f730b7140ccb9f3
SHA256: 3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf
SHA512: f3d13953d388d3422a8fcbf5fe3fe391ec441d4ff69b58476698dcdabaf83a3681ad5f91c5ac9c80d12a3fe084f7073341c0cef5bccae84906bf28bc5cb4d088
SSDEEP: 24576:EWGn+oM55q4cYG8OYi1rr8ZoLRW+ghjpIADhL25AzbAWWCZrMui9v/4bliB6y3/x:Ta1ffeR2Ez+YOL2lid8pKCqMtW
Malware Config
Extracted
orcus
mrgrayhat.duckdns.org:1606
b3b6a52907b341e1845d276e770a3415
autostart_method: Disable
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures
Detects executables containing common artifacts observed in infostealers (1 IoC)
Resource: behavioral1/memory/1728-10-0x000000001BDC0000-0x000000001BEA8000-memory.dmp
YARA rule: INDICATOR_SUSPICIOUS_GENInfoStealer

Detects executables manipulated with Fody (1 IoC)
Resource: behavioral1/memory/1728-10-0x000000001BDC0000-0x000000001BEA8000-memory.dmp
YARA rule: INDICATOR_EXE_Packed_Fody

Orcurs Rat Executable (1 IoC)
Resource: behavioral1/memory/1728-10-0x000000001BDC0000-0x000000001BEA8000-memory.dmp
YARA rule: orcus

Executes dropped EXE (1 IoC)
Process: Q-Dir_Installer_UC.exe (PID 2816)

Adds Run key to start application (2 TTPs, 1 IoC)
Process: 3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Q-dir = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe\" -start"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Process: 3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe (PID 1728), recorded three times

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: 3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe (PID 1728)
Description: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (7 IoCs)
Process: 3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe (PID 1728)
Target process: Q-Dir_Installer_UC.exe (PID 2816)
Description: PID 1728 wrote to memory of 2816, recorded seven times
Processes
1. C:\Users\Admin\AppData\Local\Temp\3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe (PID 1728)
   Command line: "C:\Users\Admin\AppData\Local\Temp\3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe"
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Roaming\vhhcxsdhbrf34568v0924b87tr\ ncbxkzvgnrio578435794\3.5.6.7\Q-Dir_Installer_UC.exe (PID 2816, child of the process above)
   Command line: "C:\Users\Admin\AppData\Roaming\vhhcxsdhbrf34568v0924b87tr\ ncbxkzvgnrio578435794\3.5.6.7\Q-Dir_Installer_UC.exe"
   - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\vhhcxsdhbrf34568v0924b87tr\ ncbxkzvgnrio578435794\3.5.6.7\Q-Dir_Installer_UC.exe
Filesize: 984KB
MD5: 95bbd05263acfcefcdc78457bc59c86d
SHA1: 0c504d02086041d993ec08d3346531f8b466cd65
SHA256: 26199e48d49e465f7055b45d3b9e77dfef73427984821b423a1f7c7fcf79905c
SHA512: d6f8b4dd8288d873fcb6421536fdd7ff602b1e553e9671b77845ca845f8fb9cdaacd7c3bd544d10c0d109a64e2ea36c7c4e90189c613a435e80f29834607ed15