Analysis
- max time kernel: 71s
- max time network: 75s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/06/2024, 10:37

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Orbit.exe, Resource: win7-20231129-en)
- Behavioral task: behavioral2 (Sample: Orbit.exe, Resource: win10v2004-20240426-en)

General
- Target: Orbit.exe
- Size: 8.1MB
- MD5: e340071c8d67dc28ac37891829293bee
- SHA1: 9e2e1a3df0d69ce2553dbe92a2ca7f361ef90b97
- SHA256: e0724bdad96e96e0b3cc0f23b4f02359015a9fba4d1ac3ec8bbd71d0b938f9fc
- SHA512: 7c432701ae9c00977bb121539b18f556e82fee2f6f50b19cbe3b17992761399d81fb8a0ccbd893456a2b49a6d6c78edfffda7b1b2e9e76305659019ae8fcb46f
- SSDEEP: 196608:4j1UUL2OM8Wb0guhegLM2GFxpBkSIZ7YW:m1/2OM8hegLMTpBkSY7Y
Malware Config
Signatures
- Downloads MZ/PE file

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  flow | ioc
  14 | raw.githubusercontent.com
  15 | raw.githubusercontent.com
  21 | raw.githubusercontent.com
  30 | raw.githubusercontent.com

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  1596 | msedge.exe (2 entries)
  4368 | msedge.exe (3 entries)
  2784 | identity_helper.exe (2 entries)

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid | Process
  4368 | msedge.exe (4 entries)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1332 | Orbit.exe

- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | Process
  4368 | msedge.exe (25 entries)

- Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  4368 | msedge.exe (24 entries)

- Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed)
  description | pid | Process | procid_target
  PID 1332 wrote to memory of 4368 | 1332 | Orbit.exe | 92
  PID 4368 wrote to memory of 2392 | 4368 | msedge.exe | 93
  PID 4368 wrote to memory of 680 | 4368 | msedge.exe | 94
  PID 4368 wrote to memory of 1596 | 4368 | msedge.exe | 95
  PID 4368 wrote to memory of 5052 | 4368 | msedge.exe | 96
Processes
- C:\Users\Admin\AppData\Local\Temp\Orbit.exe (PID:1332)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Orbit.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:4368)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.orbituniverse.com/
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:2392)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd844c46f8,0x7ffd844c4708,0x7ffd844c4718

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:680)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,8606297356675765935,15130963745997188076,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:1596)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,8606297356675765935,15130963745997188076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:5052)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,8606297356675765935,15130963745997188076,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:3448)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8606297356675765935,15130963745997188076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:2064)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8606297356675765935,15130963745997188076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID:2620)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,8606297356675765935,15130963745997188076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8

    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID:2784)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,8606297356675765935,15130963745997188076,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:2888)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8606297356675765935,15130963745997188076,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:1304)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8606297356675765935,15130963745997188076,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

- C:\Windows\System32\CompPkgSrv.exe (PID:2520)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID:1304)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads