Analysis
Max time kernel: 132s
Max time network: 134s
Platform: windows10-2004_x64
Resource: win10v2004-20240419-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-05-2024 08:28
Static task: static1
Behavioral task: behavioral1 (Sample: Setup.exe; Resource: win10v2004-20240419-en)
Behavioral task: behavioral2 (Sample: Chrome.exe; Resource: win10v2004-20240419-en)
Behavioral task: behavioral3 (Sample: Setup.exe; Resource: win10v2004-20240419-en)
General
Target: Setup.exe
Size: 22.2MB
MD5: 34f2ef891525e09125f3ae9242e3977b
SHA1: 9797f1bed2e1a6d414eaf24d1a272ec8b4d27ed9
SHA256: bf441553ee1ded29d0719a946eb12f2b69cf374814f82f4673eff46454bed183
SHA512: 575ea4bb5a24e1008813a196d080c47f21bb15dbbb01072ed72ff953c70146fb580e2e36af2a76043688fadf0bbd8b26b2d47f89eedb8cfe44725993b582ba5a
SSDEEP: 393216:tEKmSG9Yzv90ptmD3TwJZQ1wKun1EO54X1Ke6LE0CWVNseKnti5DpSKk:tEKa9Yzv9atK3MJSKJn1EO54sro0Ciqr
Malware Config
Signatures
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (64 IoCs)
  Process: Setup.exe. Every entry is "File opened for modification" except Uninstall.ini, which is "File created". Paths are relative to C:\Program Files (x86)\Ethical Hacking\Orcus Rat\:
  - libraries\Microsoft.Threading.Tasks.xml
  - libraries\Mono.Cecil.dll
  - libraries\Newtonsoft.Json.dll
  - libraries\Vestris.ResourceLib.xml
  - Read Me First.txt
  - libraries\GongSolutions.Wpf.DragDrop.dll
  - libraries\MahApps.Metro.xml
  - libraries\NLog.xml
  - libraries\Ookii.Dialogs.Wpf.dll
  - libraries\OxyPlot.pdb
  - libraries\starksoft.aspen.dll
  - libraries\Be.Windows.Forms.HexBox.dll
  - libraries\Exceptionless.Extras.xml
  - libraries\GongSolutions.Wpf.DragDrop.pdb
  - libraries\Orcus.Administration.StaticCommands.dll
  - libraries\OxyPlot.Wpf.xml
  - libraries\nUpdate.pdb
  - Orcus.Administration.exe
  - libraries\OxyPlot.Xps.pdb
  - libraries\OxyPlot.Xps.xml
  - How To Open Port All Tutorial.url
  - libraries\Be.Windows.Forms.HexBox.xml
  - libraries\FluentCommandLineParser.dll
  - libraries\MahApps.Metro.pdb
  - libraries\Ookii.Dialogs.Wpf.xml
  - libraries\OxyPlot.Wpf.dll
  - libraries\FluentCommandLineParser.pdb
  - libraries\starksoft.aspen.xml
  - Uninstall.ini (File created)
  - libraries\Orcus.Administration.Licensing.dll
  - libraries\Orcus.Shared.dll
  - libraries\starksoft.aspen.pdb
  - server\certificate.pfx
  - plugins\OrcusPatcher.orcplg
  - Uninstall.exe
  - libraries\FluentCommandLineParser.xml
  - libraries\ICSharpCode.AvalonEdit.xml
  - plugins\BuildPumper.orcplg
  - plugins\DisableWebcamLights.orcplg
  - server\database.sqlite
  - libraries\Exceptionless.Portable.xml
  - plugins\ApplicationAudioPack.orcplg
  - plugins\NotificationCenter.orcplg
  - libraries\OxyPlot.dll
  - libraries\AlphaChiTech.Virtualization.dll
  - libraries\Orcus.Administration.Plugins.pdb
  - libraries\Orcus.Shared.Utilities.dll
  - libraries\System.Windows.Interactivity.dll
  - plugins\GamerView.orcplg
  - Orcus.Administration.pdb
  - How To Setup a Rat.url
  - libraries\Sorzus.Wpf.Toolkit.dll
  - plugins\BSoDProtection.orcplg
  - plugins\Screamer.orcplg
  - libraries\Orcus.Administration.Commands.pdb
  - libraries\AlphaChiTech.Virtualization.pdb
  - libraries\Orcus.Administration.StaticCommands.pdb
  - license.orcus
  - plugins\ExtensionSpoofer.orcplg
  - log.txt
  - plugins\ServerStressTest.orcplg
  - settings.json
  - libraries\CSCore.dll
  - libraries\nUpdate.dll
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: taskmgr.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Process: taskmgr.exe (PID 556), 28 occurrences
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Process: taskmgr.exe (PID 556)
  - Token: SeDebugPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeCreateGlobalPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege
- Suspicious use of FindShellTrayWindow (54 IoCs)
  Process: taskmgr.exe (PID 556), 54 occurrences
- Suspicious use of SendNotifyMessage (53 IoCs)
  Process: taskmgr.exe (PID 556), 53 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  PID: 4496
  Signatures: Drops file in Program Files directory
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5040
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 556
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads