Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-04-2024 02:07

General

  • Target

    $TEMPfolder/ortmp/orion.exe

  • Size

    1.1MB

  • MD5

    be84f2d7a82cafeaa173428f0370a46b

  • SHA1

    d1775cd2bf9da213b013d4b6eabd0e8764a35c0e

  • SHA256

    51b3f447940a700e264e0eb0ac4a90e137421a958928bb1ce709534d59990699

  • SHA512

    79ce4c7769d1d22fe36b65baad8dc9523e47511a808a5bdcb1620f8c66cacb05f9ecc3a83fdc6a6a859f3402b00705bb0ffae25b4fdd3de6c1abee2eda734575

  • SSDEEP

    24576:FjiSynMq8nwn5QS1+KpPr6+dZ5l1YSQlm5loSGTc/p/tb:hiSK59jm/jA/p/tb

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMPfolder\ortmp\orion.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMPfolder\ortmp\orion.exe"
    1⤵
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Drops file in System32 directory
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3028

Network

MITRE ATT&CK Enterprise v15
