Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
200s -
max time network
208s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
28/05/2024, 12:35
General
-
Target
11.exe
-
Size
3.0MB
-
MD5
43c28623704ec7dcb908347eeefba65e
-
SHA1
96a5529786a22108c20287e5bb8dda5241435d53
-
SHA256
d8f7ae1fdf4d2ceec1b8eeb8f88c6fbfe48c42ac79deaab79474a647ebed8868
-
SHA512
362482c3179bf8b5dd8eb255af6d8d3b4233a934d082ea9241fb725f7c6101e28962d7c4749c9af886218d6c25ad3f60557eb759a1d00db079e4439058a24ce5
-
SSDEEP
49152:APZonuvKFmwLGZeM9/dFQMDjjzKCkElU+fPONM6WAypQxb1o9JnCm2WncFf0I74q:APCFmwLvEeMDjnpHfP56xypSb1o9JCm
Malware Config
Extracted
orcus
Zombie Nigger
192.168.100.3:4444
954b6020281f40579bd830bb66bf6d92
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
C:\Windows\System32\System32BootManger\scvhost.exe
-
reconnect_delay
10000
-
registry_keyname
update
-
taskscheduler_taskname
system32
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcurs Rat Executable 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Drops file in System32 directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\System32\System32BootManger\scvhost.exe"C:\Windows\System32\System32BootManger\scvhost.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\System32BootManger\scvhost.exeC:\Windows\System32\System32BootManger\scvhost.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\system32\msinfo32.exe"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\ApproveEdit.nfo"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe85413cb8,0x7ffe85413cc8,0x7ffe85413cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD58ff8bdd04a2da5ef5d4b6a687da23156
SHA1247873c114f3cc780c3adb0f844fc0bb2b440b6d
SHA25609b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae
SHA5125633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e
-
Filesize
152B
MD51e4ed4a50489e7fc6c3ce17686a7cd94
SHA1eac4e98e46efc880605a23a632e68e2c778613e7
SHA256fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a
SHA5125c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28
-
Filesize
5KB
MD5d602e771f118150c0691b8c2244e0de3
SHA1252ec276ab8014432d1ab3bbe8d66e4c7e9017ce
SHA256c254ca78d99e85648f709f72a73b07036435e52c0ea87e943fc53db3a1cf6708
SHA512e1a28864b2cfb5938eb5d61a0ed28db8d1ca73f853b93c8ef61e772cc28148d566678436f65e92659524517dd26279b13fe8fa28c01f0a1e7b5b09f74a6a6744
-
Filesize
5KB
MD591d024fba418caa24e57fbc4cff5b110
SHA1b4f9ed79676996570ceed3b238a9e1896864bb23
SHA25606ebb71375870c866bfecb0ad89c4a0a4e613558bfee20f59496ff69ae55ff99
SHA51280e02c8b19c79bfe4027db1f0c3c782b48fce8c2eafe878b48bf627867d35ccdf2af4e8af8e94f235c760654331fd6a0cd58da06053e54af1ef41df0c088a362
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD540d8a342821fb13de76de483b003e89a
SHA138cf3d37ab6bdf7a60805d16eb45a36259accff3
SHA256f563081e572e9483080b3239b9aa916c5153b82cc186880a01fe5767463f0cd8
SHA512a44f1847dca5c79455ab7c0963445cd5dda830f2d53d2c44c5d9b81d2b9b2472907e6f630be8b7a286743a44cd2baeaa06cbacff15e7ebc5faae0a1373e43104
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
21KB
MD5b7b8815f40cfcfafe94eedef0f9626f7
SHA19309f5f229845c27332d6a98d1e1f864400755c6
SHA2564a8878876c87cd8d74f90b4947449c6d72bed6d8d70e1643b2e2572a64c0d8a8
SHA512b5224ec900b13f3da823c1948e1cdad4a9d855ea6da0e07b28b1c412dfcbda84dab829ccc4f414bef35902bc587cc3b2a3d4ce2b60f958081c6ce1ff6be8d12f
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
3.0MB
MD543c28623704ec7dcb908347eeefba65e
SHA196a5529786a22108c20287e5bb8dda5241435d53
SHA256d8f7ae1fdf4d2ceec1b8eeb8f88c6fbfe48c42ac79deaab79474a647ebed8868
SHA512362482c3179bf8b5dd8eb255af6d8d3b4233a934d082ea9241fb725f7c6101e28962d7c4749c9af886218d6c25ad3f60557eb759a1d00db079e4439058a24ce5
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
352KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
72KB
-
Filesize
10.8MB
-
Filesize
368KB
-
Filesize
56KB
-
Filesize
3.0MB