Overview

overview

10

Static

static

5

00d87c913a...f5.exe

windows7-x64

10

00d87c913a...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    57s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-04-2024 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5.exe

  • Size

    2.6MB

  • MD5

    fddf433f759f354b7fcffbbb11196661

  • SHA1

    41ec7591ef29b5d855fa85adfecd6eea1bcf259a

  • SHA256

    00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5

  • SHA512

    cb6a969f87c67b4f03b50af305a734add9b4c41048f5b6b4e8988287ac43eecb1821d345d44bd5fc9116cc5b6de0a03d7ad48ef27047435899b5a69d47ecd2b9

  • SSDEEP

    24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxxU:Hh+ZkldoPKiYdqd68

Score
10/10
orcusligeonratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcurs Rat Executable 3 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5.exe
    "C:\Users\Admin\AppData\Local\Temp\00d87c913a6a4a3ded61763ed63c196f4f3d79e7aac5b6ebc49b0341ec5bf0f5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2668
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
      2⤵
      • Creates scheduled task(s)
      PID:2632
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C5A24AE7-ED27-4235-B42E-618454979FD4} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
      C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:2832
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
          3⤵
          • Creates scheduled task(s)
          PID:1980
      • C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
        C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
        2⤵
          PID:2872
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            3⤵
              PID:3032
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
              3⤵
              • Creates scheduled task(s)
              PID:988

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
          Filesize

          1.4MB

          MD5

          3eda964cfab93780a6b9133196ac34a2

          SHA1

          9e0df2d3bd38f5ec3ec30ea7d7981924f91cc0db

          SHA256

          837ea6866bb1d6625220e182973296a25329a6bd5f922a2fccee19f55641fe98

          SHA512

          30a170c4a76c38d209eb8aca7c02d6d5a239fa384327ea10b1c2a4baced99df2533e9e7109fbc358c71c7be2d6f760eceb3d406fa46869ab5721d0207138040c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
          Filesize

          1.2MB

          MD5

          a1acedb9f1e6382c280cd8475e9b7771

          SHA1

          f47637a40513b1b8d85ec58c3963d475962dc1f9

          SHA256

          c426b4aa9bc518897f6bb7297127f34279b940c92bd2639f5cf202e9d87ed995

          SHA512

          92bd758976a59a01941fd57de0e4f5d194c2555571b2b70db77f381ed6eca66bc6e00d294846339df387997de983352ae653c2e56d8bc92854cf8d4cf26355d2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
          Filesize

          325KB

          MD5

          691b88ac72245024a1c4537d9381c774

          SHA1

          23d1ecd42eca0eabd81e9806617a33246b693163

          SHA256

          f50fb010534f442b0e28a8c6ce4e6d367485214ea0e3537e6c20fc2f9cb61bd9

          SHA512

          72264660f3ea4efbb48954602b5a9212520f0130c9d6776df8e0fe23121e7a3f94676ab4d2536a6d781e8924240620b9d275d716ff739790ff8956fd7ec96ca3

          Download Submit

        • memory/1284-0-0x0000000000090000-0x000000000033A000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/1284-1-0x00000000003D0000-0x00000000003D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2668-21-0x0000000001F80000-0x0000000001F90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2668-4-0x0000000000400000-0x00000000004EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2668-14-0x0000000074150000-0x000000007483E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2668-15-0x0000000004870000-0x00000000048B0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2668-16-0x00000000003A0000-0x00000000003AE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2668-17-0x0000000000600000-0x000000000065C000-memory.dmp

          Filesize

          368KB

          Download

        • memory/2668-18-0x00000000003F0000-0x0000000000402000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2668-19-0x0000000000570000-0x0000000000578000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2668-20-0x0000000000660000-0x0000000000678000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2668-10-0x0000000000400000-0x00000000004EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2668-22-0x0000000074150000-0x000000007483E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2668-23-0x0000000004870000-0x00000000048B0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2668-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2668-11-0x0000000000400000-0x00000000004EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2668-2-0x0000000000400000-0x00000000004EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2808-26-0x0000000000A50000-0x0000000000CFA000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/2832-37-0x0000000004800000-0x0000000004840000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2832-36-0x0000000074150000-0x000000007483E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2832-38-0x0000000074150000-0x000000007483E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2872-40-0x00000000010C0000-0x000000000136A000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3032-43-0x0000000000090000-0x000000000017A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3032-50-0x0000000000090000-0x000000000017A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3032-52-0x0000000000750000-0x0000000000790000-memory.dmp

          Filesize

          256KB

          Download

        • memory/3032-51-0x0000000074150000-0x000000007483E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3032-49-0x0000000000090000-0x000000000017A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3032-53-0x0000000074150000-0x000000007483E000-memory.dmp

          Filesize

          6.9MB

          Download