e3b1599e3ec5862347b24336ca0e228d45a0becb6f6da45f619dd8e03e75854a

Resubmissions

16/06/2024, 16:01

240616-tgan6stdpl 6

16/06/2024, 15:46

240616-s7tz3atarn 8

Analysis

max time kernel
124s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 15:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Orbit.exe
Size

2.0MB
MD5

5de2a10bbf43eea7059747b139f9f728
SHA1

ee56319da9bb880fcc369002c2c628c76910d38a
SHA256

e3b1599e3ec5862347b24336ca0e228d45a0becb6f6da45f619dd8e03e75854a
SHA512

c206193015d0c663f737b421f77438ff4a62bc4d7cf5016b86a3632ed0ba0f48df6c0ac4e7929fb9f89d37a302ac744c2a0e289c9e669a75537fdd0d4fa8a902
SSDEEP

49152:oKn5Sz1xoQrp2OJChuMb14Z+cjDvkui9XZlXR0RcEnAUwn:W/Nr8py+cjDvkui9XHXmREUwn

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 23 IoCs

Web Service

T1102

flow	ioc
110	raw.githubusercontent.com
117	raw.githubusercontent.com
119	raw.githubusercontent.com
125	raw.githubusercontent.com
67	raw.githubusercontent.com
93	raw.githubusercontent.com
107	raw.githubusercontent.com
127	raw.githubusercontent.com
141	raw.githubusercontent.com
61	raw.githubusercontent.com
85	raw.githubusercontent.com
99	raw.githubusercontent.com
88	raw.githubusercontent.com
135	raw.githubusercontent.com
1	raw.githubusercontent.com
2	raw.githubusercontent.com
59	raw.githubusercontent.com
79	raw.githubusercontent.com
96	raw.githubusercontent.com
105	raw.githubusercontent.com
55	raw.githubusercontent.com
73	raw.githubusercontent.com
77	raw.githubusercontent.com

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "206"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1028	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 4960	2772	Orbit.exe	86
PID 2772 wrote to memory of 4960	2772	Orbit.exe	86
PID 4960 wrote to memory of 4496	4960	cmd.exe	87
PID 4960 wrote to memory of 4496	4960	cmd.exe	87
PID 2772 wrote to memory of 4952	2772	Orbit.exe	92
PID 2772 wrote to memory of 4952	2772	Orbit.exe	92
PID 2772 wrote to memory of 4440	2772	Orbit.exe	93
PID 2772 wrote to memory of 4440	2772	Orbit.exe	93
PID 2772 wrote to memory of 3252	2772	Orbit.exe	94
PID 2772 wrote to memory of 3252	2772	Orbit.exe	94
PID 2772 wrote to memory of 4368	2772	Orbit.exe	95
PID 2772 wrote to memory of 4368	2772	Orbit.exe	95
PID 2772 wrote to memory of 4644	2772	Orbit.exe	96
PID 2772 wrote to memory of 4644	2772	Orbit.exe	96
PID 2772 wrote to memory of 2072	2772	Orbit.exe	97
PID 2772 wrote to memory of 2072	2772	Orbit.exe	97
PID 2772 wrote to memory of 2612	2772	Orbit.exe	98
PID 2772 wrote to memory of 2612	2772	Orbit.exe	98
PID 2772 wrote to memory of 3612	2772	Orbit.exe	99
PID 2772 wrote to memory of 3612	2772	Orbit.exe	99
PID 2772 wrote to memory of 4540	2772	Orbit.exe	100
PID 2772 wrote to memory of 4540	2772	Orbit.exe	100
PID 2772 wrote to memory of 4580	2772	Orbit.exe	101
PID 2772 wrote to memory of 4580	2772	Orbit.exe	101
PID 2772 wrote to memory of 4992	2772	Orbit.exe	102
PID 2772 wrote to memory of 4992	2772	Orbit.exe	102
PID 2772 wrote to memory of 3704	2772	Orbit.exe	103
PID 2772 wrote to memory of 3704	2772	Orbit.exe	103
PID 2772 wrote to memory of 1724	2772	Orbit.exe	104
PID 2772 wrote to memory of 1724	2772	Orbit.exe	104
PID 2772 wrote to memory of 2384	2772	Orbit.exe	105
PID 2772 wrote to memory of 2384	2772	Orbit.exe	105
PID 2772 wrote to memory of 4320	2772	Orbit.exe	106
PID 2772 wrote to memory of 4320	2772	Orbit.exe	106
PID 2772 wrote to memory of 3728	2772	Orbit.exe	107
PID 2772 wrote to memory of 3728	2772	Orbit.exe	107
PID 2772 wrote to memory of 3488	2772	Orbit.exe	108
PID 2772 wrote to memory of 3488	2772	Orbit.exe	108
PID 2772 wrote to memory of 2976	2772	Orbit.exe	109
PID 2772 wrote to memory of 2976	2772	Orbit.exe	109
PID 2772 wrote to memory of 3584	2772	Orbit.exe	110
PID 2772 wrote to memory of 3584	2772	Orbit.exe	110
PID 2772 wrote to memory of 2440	2772	Orbit.exe	111
PID 2772 wrote to memory of 2440	2772	Orbit.exe	111
PID 2772 wrote to memory of 392	2772	Orbit.exe	112
PID 2772 wrote to memory of 392	2772	Orbit.exe	112
PID 2772 wrote to memory of 4972	2772	Orbit.exe	113
PID 2772 wrote to memory of 4972	2772	Orbit.exe	113
PID 2772 wrote to memory of 4792	2772	Orbit.exe	114
PID 2772 wrote to memory of 4792	2772	Orbit.exe	114
PID 4792 wrote to memory of 1224	4792	cmd.exe	116
PID 4792 wrote to memory of 1224	4792	cmd.exe	116
PID 4792 wrote to memory of 3528	4792	cmd.exe	117
PID 4792 wrote to memory of 3528	4792	cmd.exe	117
PID 4792 wrote to memory of 2312	4792	cmd.exe	118
PID 4792 wrote to memory of 2312	4792	cmd.exe	118
PID 4792 wrote to memory of 3044	4792	cmd.exe	119
PID 4792 wrote to memory of 3044	4792	cmd.exe	119
PID 4792 wrote to memory of 2920	4792	cmd.exe	120
PID 4792 wrote to memory of 2920	4792	cmd.exe	120
PID 4792 wrote to memory of 2532	4792	cmd.exe	121
PID 4792 wrote to memory of 2532	4792	cmd.exe	121
PID 4792 wrote to memory of 4968	4792	cmd.exe	122
PID 4792 wrote to memory of 4968	4792	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\Orbit.exe
"C:\Users\Admin\AppData\Local\Temp\Orbit.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c tar --version >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\tar.exe
    tar --version
    3⤵
    PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4972
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c cd C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata &&for %f in (*.zip) do tar -xf "%f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\system32\tar.exe
    tar -xf "ar_baggage.zip"
    3⤵
    PID:1224
- - C:\Windows\system32\tar.exe
    tar -xf "ar_shoots.zip"
    3⤵
    PID:3528
- - C:\Windows\system32\tar.exe
    tar -xf "cs_italy.zip"
    3⤵
    PID:2312
- - C:\Windows\system32\tar.exe
    tar -xf "cs_office.zip"
    3⤵
    PID:3044
- - C:\Windows\system32\tar.exe
    tar -xf "de_ancient.zip"
    3⤵
    PID:2920
- - C:\Windows\system32\tar.exe
    tar -xf "de_anubis.zip"
    3⤵
    PID:2532
- - C:\Windows\system32\tar.exe
    tar -xf "de_dust2.zip"
    3⤵
    PID:4968
- - C:\Windows\system32\tar.exe
    tar -xf "de_inferno.zip"
    3⤵
    PID:4880
- - C:\Windows\system32\tar.exe
    tar -xf "de_mirage.zip"
    3⤵
    PID:4920
- - C:\Windows\system32\tar.exe
    tar -xf "de_nuke.zip"
    3⤵
    PID:5060
- - C:\Windows\system32\tar.exe
    tar -xf "de_overpass.zip"
    3⤵
    PID:2460
- - C:\Windows\system32\tar.exe
    tar -xf "de_vertigo.zip"
    3⤵
    PID:3852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa396c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\ar_baggage.zip

Filesize
483KB

MD5
1a7aecb88db37d06dad1c8ab9f102df7

SHA1
78d85c02d7a81baef6134ae77e34ddc6a75d600c

SHA256
c525c1c9eb0a701edaccbd71993678c1016988e5daa8f8f7ae30be3f680d0526

SHA512
85d57e8bf3a7e4c6a77ce107937e8bc4a6d84791048c850f6dc14c2538bf03a7fd9deff594148018c717f591e67583d4abffc3acacaa5a69b613005fa999fd54

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\ar_shoots.zip

Filesize
269KB

MD5
7753954d59822d62d1416028fa9f0334

SHA1
b27cdcb4a2510ddd53c6bff2b2c01fee910018ee

SHA256
ffa5291ac0181712635364eab37da95afb50890c5e2540a95cfa4f2610f419d7

SHA512
3e1231684e42662895171ea91fc1e9ed5f619a06aac621e71d663b5e99eb83eca1aad1d28384ae259bb95e20eedabb46886612159213671df7fd7d1f9c6888f9

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\cs_italy.zip

Filesize
10.1MB

MD5
b5f84092a17259d5e045974be7d20c5b

SHA1
b718c6f6417d40063b34f3351bc7c8b187376bb1

SHA256
6feb86a2ccc6bbaa4d51b1e66e3b8d571b1093a1e65e99ca8de0374a6fb0c469

SHA512
fa6c3add17c3f0ece11f0a07cd0a7fab620c129f7adf6cc7d7f782cc04d762e698576fe8f193d2aecfb5a420b0452320d338ffbc1a7ef3b727e0234215e37dff

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\cs_office.zip

Filesize
246KB

MD5
3b5bfa8aee49639403877987276acba7

SHA1
1d2ecb0b89797d4c06f1c690c4f5b808933c3689

SHA256
164021a97383eafa060d6d388033af828c55623a632e7c31e96b2932e0383d26

SHA512
92e14ca06428554ac3657a4aaafd5284f89b2aed22ec06789f42dca7c5b4afd529a276cf05bd0e8c6b679ba415521f3151ecd257b730474202ba87e0841f05e7

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_ancient.zip

Filesize
387KB

MD5
e67f4c5ab4b7118ae8ff4667f6daa833

SHA1
af6be3b725758160cc6083b68349f2754316ec98

SHA256
7562244f01b7407e18c8741017a47c244267c34e34fe77c01c3556556b5fa3a1

SHA512
e95d6ec6cef68f4ff603479652a8e2fa45bce19fa574f90f500969bb12d9aa8335941f86d4644b22abb597707443ac72e1d92784e99c005634eab24389302cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_anubis.zip

Filesize
389KB

MD5
447dfeee7ac55585f34db28323c41a48

SHA1
2fb743d7b1ef5987f5710c4d9801df226c5e0d50

SHA256
8cc4c4e7d30d5dd9534f8c85d7e64634d28357b48c5f4786817e1f26eb63a995

SHA512
12825f9e091983844866f24ff6af54a68d64c098eb6f7bd0f39d2b7c51f29f9b04030f0c3dc8287a5491840757687659bfa97b0b9f12e404d8e46a55a81a0a35

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_dust2.zip

Filesize
422KB

MD5
8d0f54f436716256fe99c45aae036ebd

SHA1
64f02c895730bcfc82611707ffdbbc0dd3842bee

SHA256
71b03cc10ad2d76b05a600a97c0d9a8818263326924db617fc690aded61cff88

SHA512
0ba13816601f637007651d2bc97dd80d12aa7e33d4f1e08939fad6ed0b6e0b263fe952a29f95fd3bb49020e68a081677322fe0c8c6bf01387a15485ea6627ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_inferno.zip

Filesize
24.3MB

MD5
f0509f493404a0d27519005650880664

SHA1
46b59417ec68683ca88e246886c44e8f66823e2b

SHA256
ddc3bd2a905ba4c23c2a1080b01a4c2f0fd60145b68abafc49e5b48533e1d532

SHA512
e2997573c9c409c5f7e7aa078206444dafc1748a2cd84db7d38606013169ba65d5aa46f1b2053d901a3f557452105a658ffdd81f03a8a16f30427e96c8f72d22

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_mirage.zip

Filesize
377KB

MD5
c8bc0d117ea9509e9fecf0237a716980

SHA1
d531d942091f66e87950331401cb36d3f56b2070

SHA256
3d985f842eeffc1af925e9882c6e01352cda5ebef7a05f594cedc90a3ad1f177

SHA512
22d4141baf508654f1c8648d9d8d5bd59bb5d89d6f2c2d8f88e2a225b55e65a1a11bf08609ba5d9c6c08eb6ed4c02b4b696fead1ed487f326b624d0264719e1f

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_nuke.zip

Filesize
366KB

MD5
8021f4cffc1e28ae097881ed80e9d08d

SHA1
69cc2922544b5b6865cf250fc2d74420d2124c6f

SHA256
49645408823b38826e790170336a42491382cfca6c670a8b374bc8d175145551

SHA512
6b8881c9e7af7f1170820a7bd415b77561e95ab038c4f9256768c43cf2ba7c4b83e1ed737ccb654a02108c3b01cb1763353e4764f94243b29aed0368abd4ba7e

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_overpass.zip

Filesize
4.7MB

MD5
33af9c9e8449bc7b820878636abe597e

SHA1
c7d0a144f1720c52a38952e77302284f60264c12

SHA256
af765c85b088ed51e5e6b4e7a2ee421f3369e1ad1b3a27a9cf8e37429837798b

SHA512
7d17a337395a251310cd9199f5dcb506908ad9c2f3ad2453db93a68f8957814ae80d824193fb74ee1e174f2816801901957c242985828c66cc8a250bcb218a86

Download Submit
C:\Users\Admin\AppData\Roaming\Orbit\Orbit Mapdata\de_vertigo.zip

Filesize
176KB

MD5
26667b20975b6e711f028765afb41611

SHA1
5c336f6ec2355ac06f24960ef4597374bdd55468

SHA256
e4176d7e46187632622954e9ec22b43b7fc8ea80eac4cf0c62a8a41587e05f77

SHA512
99471e985d662412955ee8840aca5bca58e2e150eabf7eadc043441cc51acdb8e1b0a72aa3483ea86c4d564074eb0f2b02bcbacd2cfe6f9e258cd24f9549580d

Download Submit