Analysis
- max time kernel: 92s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/05/2024, 01:18
Behavioral task: behavioral1
- Sample: 7735b9fa1bf55cf0c008e81deb1353cf6465a6a0513f00670fc3eb4254562763.exe
- Resource: win7-20240221-en
General
- Target: 7735b9fa1bf55cf0c008e81deb1353cf6465a6a0513f00670fc3eb4254562763.exe
- Size: 915KB
- MD5: f37bc9964f10880e3e89528cc4d1f677
- SHA1: 3657ae613f45ae0609b0bea854104f1bd398b038
- SHA256: 7735b9fa1bf55cf0c008e81deb1353cf6465a6a0513f00670fc3eb4254562763
- SHA512: a4dea6d511b8fd167f130a8e85a549a7f80869ca8584fd129437b991bab227823852b8e5274ec082714e0bf5388aefbd7a5f6ff17f15335ecb2b3ba634c0b450
- SSDEEP: 24576:lBB4MROxnF033dkrrcI0AilFEvxHPmooo:lQMi+SrrcI0AilFEvxHP
Malware Config
Extracted family: orcus
- 100.114.145.122:7777
- 58040c8e707f46aeaa354c0509774164
- autostart_method: TaskScheduler
- enable_keylogger: true
- install_path: %programfiles%\userprofile
- reconnect_delay: 10000
- registry_keyname: svchostt
- taskscheduler_taskname: svchostt
- watchdog_path: AppData\powershell.exe
Signatures
- Orcus main payload (1 IoC)
  resource: behavioral2/files/0x0007000000023298-22.dat, yara_rule: family_orcus
- Orcurs Rat Executable (2 IoCs)
  resource: behavioral2/memory/1424-1-0x0000000000280000-0x000000000036A000-memory.dmp, yara_rule: orcus
  resource: behavioral2/files/0x0007000000023298-22.dat, yara_rule: orcus
- Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\userprofile (process: 7735b9fa1bf55cf0c008e81deb1353cf6465a6a0513f00670fc3eb4254562763.exe)
  File opened for modification: C:\Program Files (x86)\userprofile (process: 7735b9fa1bf55cf0c008e81deb1353cf6465a6a0513f00670fc3eb4254562763.exe)
  File created: C:\Program Files (x86)\userprofile.config (process: 7735b9fa1bf55cf0c008e81deb1353cf6465a6a0513f00670fc3eb4254562763.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (process: 7735b9fa1bf55cf0c008e81deb1353cf6465a6a0513f00670fc3eb4254562763.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings (process: OpenWith.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2604, process: OpenWith.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7735b9fa1bf55cf0c008e81deb1353cf6465a6a0513f00670fc3eb4254562763.exe (PID 1424)
  command line: "C:\Users\Admin\AppData\Local\Temp\7735b9fa1bf55cf0c008e81deb1353cf6465a6a0513f00670fc3eb4254562763.exe"
  - Drops file in Program Files directory
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe (PID 2604)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 915KB
- MD5: f37bc9964f10880e3e89528cc4d1f677
- SHA1: 3657ae613f45ae0609b0bea854104f1bd398b038
- SHA256: 7735b9fa1bf55cf0c008e81deb1353cf6465a6a0513f00670fc3eb4254562763
- SHA512: a4dea6d511b8fd167f130a8e85a549a7f80869ca8584fd129437b991bab227823852b8e5274ec082714e0bf5388aefbd7a5f6ff17f15335ecb2b3ba634c0b450