Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d9b37247cd...bb.exe

windows7-x64

10

d9b37247cd...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    31/05/2024, 03:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9b37247cd2a319a02ca98c3ba5840ee6301762ffe42d8120b1b9438d98842bb.exe

  • Size

    7.9MB

  • MD5

    40d8affb6ac665933393a3d59dfe75b1

  • SHA1

    c82b3e41bba68330f8e84afafec7ba3e32a31d30

  • SHA256

    d9b37247cd2a319a02ca98c3ba5840ee6301762ffe42d8120b1b9438d98842bb

  • SHA512

    4ce3b870b455ffaa6913c196ffa7c683b7aedb42effa00b0bedd6f24a3143e710e88a970fd8ef22eff1ebe4052de0c75834dda643045c61d4606964c3345b5d1

  • SSDEEP

    49152:d6uqqS//zu5mxqLMl3MGbsxHochKABPIF+2Rq+2eysxZjIwKqxlv:

Score
10/10
orcusratspywarestealer

Malware Config

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables containing common artifacts observed in infostealers 1 IoCs
  • Detects executables manipulated with Fody 1 IoCs
  • Orcurs Rat Executable 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9b37247cd2a319a02ca98c3ba5840ee6301762ffe42d8120b1b9438d98842bb.exe
    "C:\Users\Admin\AppData\Local\Temp\d9b37247cd2a319a02ca98c3ba5840ee6301762ffe42d8120b1b9438d98842bb.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Users\Admin\AppData\Roaming\defaultdatalifejs\publiclocal.exe
      "C:\Users\Admin\AppData\Roaming\defaultdatalifejs\publiclocal.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {23485906-3ABA-4919-92CC-06D9F4692831} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Roaming\defaultdatalifejs\publiclocal.exe
      C:\Users\Admin\AppData\Roaming\defaultdatalifejs\publiclocal.exe
      2⤵
      • Executes dropped EXE
      PID:2564
    • C:\Users\Admin\AppData\Roaming\defaultdatalifejs\publiclocal.exe
      C:\Users\Admin\AppData\Roaming\defaultdatalifejs\publiclocal.exe
      2⤵
      • Executes dropped EXE
      PID:1692
    • C:\Users\Admin\AppData\Roaming\defaultdatalifejs\publiclocal.exe
      C:\Users\Admin\AppData\Roaming\defaultdatalifejs\publiclocal.exe
      2⤵
      • Executes dropped EXE
      PID:2024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\defaultdatalifejs\publiclocal.exe
    Filesize

    7.9MB

    MD5

    40d8affb6ac665933393a3d59dfe75b1

    SHA1

    c82b3e41bba68330f8e84afafec7ba3e32a31d30

    SHA256

    d9b37247cd2a319a02ca98c3ba5840ee6301762ffe42d8120b1b9438d98842bb

    SHA512

    4ce3b870b455ffaa6913c196ffa7c683b7aedb42effa00b0bedd6f24a3143e710e88a970fd8ef22eff1ebe4052de0c75834dda643045c61d4606964c3345b5d1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\defaultdatalifejs\publiclocal.exe.config
    Filesize

    357B

    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    Download Submit

  • memory/2496-23-0x0000000004EC0000-0x0000000004ED8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2496-21-0x0000000000570000-0x0000000000582000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2496-46-0x0000000074050000-0x000000007473E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2496-45-0x0000000074050000-0x000000007473E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2496-44-0x00000000086E0000-0x00000000086E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2496-43-0x0000000007C90000-0x0000000007C9E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2496-24-0x0000000005190000-0x00000000051A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2496-19-0x0000000000BD0000-0x00000000013C4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/2496-18-0x0000000074050000-0x000000007473E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2496-22-0x0000000000A20000-0x0000000000A6E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2496-20-0x0000000074050000-0x000000007473E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2920-1-0x00000000010D0000-0x00000000018C4000-memory.dmp

    Filesize

    8.0MB

    Download

  • memory/2920-4-0x0000000000340000-0x000000000034E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2920-0-0x000000007405E000-0x000000007405F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2920-17-0x0000000074050000-0x000000007473E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2920-2-0x00000000061D0000-0x00000000064CE000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2920-6-0x00000000003E0000-0x00000000003F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2920-5-0x0000000000490000-0x00000000004EC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2920-3-0x0000000074050000-0x000000007473E000-memory.dmp

    Filesize

    6.9MB

    Download