Analysis
- max time kernel: 200s
- max time network: 208s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28/05/2024, 12:35
Behavioral task: behavioral1
- Sample: 11.exe
- Resource: win11-20240426-en
General
- Target: 11.exe
- Size: 3.0MB
- MD5: 43c28623704ec7dcb908347eeefba65e
- SHA1: 96a5529786a22108c20287e5bb8dda5241435d53
- SHA256: d8f7ae1fdf4d2ceec1b8eeb8f88c6fbfe48c42ac79deaab79474a647ebed8868
- SHA512: 362482c3179bf8b5dd8eb255af6d8d3b4233a934d082ea9241fb725f7c6101e28962d7c4749c9af886218d6c25ad3f60557eb759a1d00db079e4439058a24ce5
- SSDEEP: 49152:APZonuvKFmwLGZeM9/dFQMDjjzKCkElU+fPONM6WAypQxb1o9JnCm2WncFf0I74q:APCFmwLvEeMDjnpHfP56xypSb1o9JCm
Malware Config
Extracted
Family: orcus
Zombie Nigger
C2: 192.168.100.3:4444
954b6020281f40579bd830bb66bf6d92
- autostart_method: TaskScheduler
- enable_keylogger: false
- install_path: C:\Windows\System32\System32BootManger\scvhost.exe
- reconnect_delay: 10000
- registry_keyname: update
- taskscheduler_taskname: system32
- watchdog_path: AppData\OrcusWatchdog.exe
Signatures
- Orcus Rat Executable (2 IoCs)
  resource | yara_rule
  behavioral1/memory/4852-1-0x000002D2F07F0000-0x000002D2F0AEA000-memory.dmp | orcus
  behavioral1/files/0x000100000002a9d1-35.dat | orcus
- Executes dropped EXE (4 IoCs)
  pid | Process
  1992 | WindowsInput.exe
  1764 | WindowsInput.exe
  4064 | scvhost.exe
  4904 | scvhost.exe
- Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\WindowsInput.exe.config | 11.exe
  File created | C:\Windows\SysWOW64\WindowsInput.InstallState | WindowsInput.exe
  File created | C:\Windows\System32\System32BootManger\scvhost.exe | 11.exe
  File opened for modification | C:\Windows\System32\System32BootManger\scvhost.exe | 11.exe
  File created | C:\Windows\System32\System32BootManger\scvhost.exe.config | 11.exe
  File created | C:\Windows\SysWOW64\WindowsInput.exe | 11.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | msinfo32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | msinfo32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | msinfo32.exe
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msinfo32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease | msinfo32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  4316 | msedge.exe (2 entries)
  1692 | msedge.exe (2 entries)
  1680 | identity_helper.exe (2 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  4536 | msinfo32.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid | Process
  1692 | msedge.exe (4 entries)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid | Process
  1692 | msedge.exe (26 entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid | Process
  1692 | msedge.exe (12 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4852 wrote to memory of 1992 | 4852 | 11.exe | 76
  PID 4852 wrote to memory of 4064 | 4852 | 11.exe | 78
  PID 1692 wrote to memory of 4440 | 1692 | msedge.exe | 93
  PID 1692 wrote to memory of 2276 | 1692 | msedge.exe | 94
  PID 1692 wrote to memory of 4316 | 1692 | msedge.exe | 95
  PID 1692 wrote to memory of 3696 | 1692 | msedge.exe | 96
  (identical repeated rows collapsed; the signature lists 64 entries in total)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\11.exe (PID 4852)
  command line: "C:\Users\Admin\AppData\Local\Temp\11.exe"
  signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsInput.exe (PID 1992)
    command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    signatures: Executes dropped EXE; Drops file in System32 directory
  - C:\Windows\System32\System32BootManger\scvhost.exe (PID 4064)
    command line: "C:\Windows\System32\System32BootManger\scvhost.exe"
    signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WindowsInput.exe (PID 1764)
  command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  signatures: Executes dropped EXE
- C:\Windows\System32\System32BootManger\scvhost.exe (PID 4904)
  command line: C:\Windows\System32\System32BootManger\scvhost.exe
  signatures: Executes dropped EXE
- C:\Windows\system32\svchost.exe (PID 3152)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- C:\Windows\system32\msinfo32.exe (PID 4536)
  command line: "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\ApproveEdit.nfo"
  signatures: Checks SCSI registry key(s); Enumerates system info in registry; Suspicious behavior: GetForegroundWindowSpam
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1692)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4440)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe85413cb8,0x7ffe85413cc8,0x7ffe85413cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2276)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4316)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3696)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3760)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4444)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1528)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1372)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 1680)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,6961846427466672341,16506576821346399814,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 2556)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4080)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 8ff8bdd04a2da5ef5d4b6a687da23156
  SHA1: 247873c114f3cc780c3adb0f844fc0bb2b440b6d
  SHA256: 09b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae
  SHA512: 5633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e
- Filesize: 152B
  MD5: 1e4ed4a50489e7fc6c3ce17686a7cd94
  SHA1: eac4e98e46efc880605a23a632e68e2c778613e7
  SHA256: fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a
  SHA512: 5c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28
- Filesize: 5KB
  MD5: d602e771f118150c0691b8c2244e0de3
  SHA1: 252ec276ab8014432d1ab3bbe8d66e4c7e9017ce
  SHA256: c254ca78d99e85648f709f72a73b07036435e52c0ea87e943fc53db3a1cf6708
  SHA512: e1a28864b2cfb5938eb5d61a0ed28db8d1ca73f853b93c8ef61e772cc28148d566678436f65e92659524517dd26279b13fe8fa28c01f0a1e7b5b09f74a6a6744
- Filesize: 5KB
  MD5: 91d024fba418caa24e57fbc4cff5b110
  SHA1: b4f9ed79676996570ceed3b238a9e1896864bb23
  SHA256: 06ebb71375870c866bfecb0ad89c4a0a4e613558bfee20f59496ff69ae55ff99
  SHA512: 80e02c8b19c79bfe4027db1f0c3c782b48fce8c2eafe878b48bf627867d35ccdf2af4e8af8e94f235c760654331fd6a0cd58da06053e54af1ef41df0c088a362
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 11KB
  MD5: 40d8a342821fb13de76de483b003e89a
  SHA1: 38cf3d37ab6bdf7a60805d16eb45a36259accff3
  SHA256: f563081e572e9483080b3239b9aa916c5153b82cc186880a01fe5767463f0cd8
  SHA512: a44f1847dca5c79455ab7c0963445cd5dda830f2d53d2c44c5d9b81d2b9b2472907e6f630be8b7a286743a44cd2baeaa06cbacff15e7ebc5faae0a1373e43104
- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- Filesize: 21KB
  MD5: b7b8815f40cfcfafe94eedef0f9626f7
  SHA1: 9309f5f229845c27332d6a98d1e1f864400755c6
  SHA256: 4a8878876c87cd8d74f90b4947449c6d72bed6d8d70e1643b2e2572a64c0d8a8
  SHA512: b5224ec900b13f3da823c1948e1cdad4a9d855ea6da0e07b28b1c412dfcbda84dab829ccc4f414bef35902bc587cc3b2a3d4ce2b60f958081c6ce1ff6be8d12f
- Filesize: 349B
  MD5: 89817519e9e0b4e703f07e8c55247861
  SHA1: 4636de1f6c997a25c3190f73f46a3fd056238d78
  SHA256: f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
  SHA512: b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
- Filesize: 3.0MB
  MD5: 43c28623704ec7dcb908347eeefba65e
  SHA1: 96a5529786a22108c20287e5bb8dda5241435d53
  SHA256: d8f7ae1fdf4d2ceec1b8eeb8f88c6fbfe48c42ac79deaab79474a647ebed8868
  SHA512: 362482c3179bf8b5dd8eb255af6d8d3b4233a934d082ea9241fb725f7c6101e28962d7c4749c9af886218d6c25ad3f60557eb759a1d00db079e4439058a24ce5