Task scores

Score | Task | Platform
3 | static | -
3 | Orbit_04.1...Lh.rar | windows10-1703-x64
3 | Free Cheats.url | windows10-1703-x64
1 | Free Hacks.url | windows10-1703-x64
1 | Orbit.exe | windows10-1703-x64
1 | Orbit/Disa...ty.reg | windows10-1703-x64
1 | Orbit/Disa...st.reg | windows10-1703-x64
1 | Orbit/Driv...er.exe | windows10-1703-x64
1 | Orbit/Sams...ar.ttf | windows10-1703-x64
3 | Orbit/Smal...ar.ttf | windows10-1703-x64
3 | Orbit/Weap...ar.ttf | windows10-1703-x64
3 | Orbit/Win10_22H2.dll | windows10-1703-x64
1 | Orbit/Win11_22H2.dll | windows10-1703-x64
1 | Orbit/Zapp...ar.ttf | windows10-1703-x64
Analysis

- Max time kernel: 135s
- Max time network: 142s
- Platform: windows10-1703_x64
- Resource: win10-20240404-en
- Resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- Submitted: 20/04/2024, 08:03
Task | Sample | Resource
static1 (static task) | Orbit_04.19.24_mEU75yLj9OCJxLh.rar | -
behavioral1 | Orbit_04.19.24_mEU75yLj9OCJxLh.rar | win10-20240404-en
behavioral2 | Free Cheats.url | win10-20240404-en
behavioral3 | Free Hacks.url | win10-20240404-en
behavioral4 | Orbit.exe | win10-20240404-en
behavioral5 | Orbit/DisableHypervisorEnforcedCodeIntegrity.reg | win10-20240404-en
behavioral6 | Orbit/DisableVulnerableDriverList.reg | win10-20240404-en
behavioral7 | Orbit/DriverMapper.exe | win10-20240404-en
behavioral8 | Orbit/SamsungSans-Regular.ttf | win10-20240404-en
behavioral9 | Orbit/SmallestPixel7-Regular.ttf | win10-20240404-en
behavioral10 | Orbit/Weaponicons-Regular.ttf | win10-20240404-en
behavioral11 | Orbit/Win10_22H2.dll | win10-20240404-en
behavioral12 | Orbit/Win11_22H2.dll | win10-20240404-en
behavioral13 | Orbit/Zappericons-Regular.ttf | win10-20240404-en
General

- Target: Orbit_04.19.24_mEU75yLj9OCJxLh.rar
- Size: 722KB
- MD5: 75a862c385c872448d610b6abfb2ab62
- SHA1: 40299153d4266dd9a6232df5309f348b2d0dc7f5
- SHA256: 67453f543db5818fe7cb2eff9a09f8ec4df4d0217ed1c5fc86a61f245dedd345
- SHA512: 32e5a6ca5986a6ad95a4d44259dff24c7bbe36e9ef3c9fdfe69e2420b12d7a616a609aabc24193a2d50501123da940ffe623e71caf2671db81854d13a77ff390
- SSDEEP: 12288:2JQFPS1FwhumWw6d1r3L5c3LUh89HXx4SRBmNcR3ZlPe3UyQtZQ:YQFPS1F5mj6dp+YCHX+SRINcJZ8kTtZQ
Malware Config

(none extracted)

Signatures

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (2 IoCs)
  Description | IoC | Process
  Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | OpenWith.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID | Process
  4456 | OpenWith.exe

- Suspicious use of SetWindowsHookEx (64 IoCs)
  PID | Process
  4456 | OpenWith.exe (all 64 IoCs are from this same process)
Processes

- C:\Windows\system32\cmd.exe (PID 2584)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Orbit_04.19.24_mEU75yLj9OCJxLh.rar
  - Modifies registry class

- C:\Windows\system32\OpenWith.exe (PID 4456)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx

- C:\Windows\System32\rundll32.exe (PID 204)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding