Analysis

  • max time kernel
    134s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-04-2024 02:07

General

  • Target

    $TEMPfolder/ortmp/orion.exe

  • Size

    1.1MB

  • MD5

    be84f2d7a82cafeaa173428f0370a46b

  • SHA1

    d1775cd2bf9da213b013d4b6eabd0e8764a35c0e

  • SHA256

    51b3f447940a700e264e0eb0ac4a90e137421a958928bb1ce709534d59990699

  • SHA512

    79ce4c7769d1d22fe36b65baad8dc9523e47511a808a5bdcb1620f8c66cacb05f9ecc3a83fdc6a6a859f3402b00705bb0ffae25b4fdd3de6c1abee2eda734575

  • SSDEEP

    24576:FjiSynMq8nwn5QS1+KpPr6+dZ5l1YSQlm5loSGTc/p/tb:hiSK59jm/jA/p/tb

Score
7/10

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMPfolder\ortmp\orion.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMPfolder\ortmp\orion.exe"
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Drops file in System32 directory
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2556


Downloads

  • C:\Windows\System32\dnsapi.dll

    Filesize

    808KB

    MD5

    6d7c9581a86119d5e6b33f5f292f2757

    SHA1

    c2c100bf56f9deaf5084fc1814429db34bab3e7d

    SHA256

    3ff11efc6200f40ff6befb5c59b2d35b7658f226c57e0c6a8a7a1e40a45c440c

    SHA512

    762d72281921e5d49e15a1afaae8a690f231e359e4df1a4554c183a00e391a44fb86c4c2b174822da4aee7dfdc973bb2b5c09cdb9ebd056718587b70851cfbfc