Overview

overview

10

Static

static

10

Rc7- Crack...zz.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-07-2024 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Rc7- Cracked by Roque Exploitzz.exe

  • Size

    907KB

  • MD5

    5668bd983341f9ffd4726d887090b64c

  • SHA1

    1a150545d2fb65240101f9466b1043269b379f25

  • SHA256

    afb1bf7f37ba0ff0ccd8fa29c7089abc4975fef56155ab9f3c1535fea70b1f0d

  • SHA512

    0dcb2b2a1c2ee10c3b3727e3cfde698ec339569003bc3e18a6b76de65e7497080799d2e52fae234cb4e5ab518a296bf0d4f2f350f0571a1b39bc8b3e584c6ed1

  • SSDEEP

    24576:nhv4MROxnFj3IrkxrrcI0AilFEvxHPyooT:nKMi1UqrrcI0AilFEvxHP

Score
10/10
orcuspersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

C2

wowthatsagoodmeme.ddns.net:10134

Mutex

4be6c8113962424a916b8095b89af0c9

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %appdata%\WlNDOWS DEFENDER\UPDATER.exe

  • reconnect_delay

    10000

  • registry_keyname

    Wlndows Defender

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\%appdata%/WlNDOWS DEFENDER/WlNDOWS DEFENDER UPDATER.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 51 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rc7- Cracked by Roque Exploitzz.exe
    "C:\Users\Admin\AppData\Local\Temp\Rc7- Cracked by Roque Exploitzz.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Users\Admin\AppData\Roaming\WlNDOWS DEFENDER\UPDATER.exe
      "C:\Users\Admin\AppData\Roaming\WlNDOWS DEFENDER\UPDATER.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3980
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2424
  • C:\Windows\system32\notepad.exe
    "C:\Windows\system32\notepad.exe"
    1⤵
      PID:2196

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\WlNDOWS DEFENDER\UPDATER.exe
      Filesize

      907KB

      MD5

      5668bd983341f9ffd4726d887090b64c

      SHA1

      1a150545d2fb65240101f9466b1043269b379f25

      SHA256

      afb1bf7f37ba0ff0ccd8fa29c7089abc4975fef56155ab9f3c1535fea70b1f0d

      SHA512

      0dcb2b2a1c2ee10c3b3727e3cfde698ec339569003bc3e18a6b76de65e7497080799d2e52fae234cb4e5ab518a296bf0d4f2f350f0571a1b39bc8b3e584c6ed1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WlNDOWS DEFENDER\UPDATER.exe.config
      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

      Download Submit

    • memory/2424-31-0x00000127BB9B0000-0x00000127BB9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-37-0x00000127BB9B0000-0x00000127BB9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-39-0x00000127BB9B0000-0x00000127BB9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-38-0x00000127BB9B0000-0x00000127BB9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-40-0x00000127BB9B0000-0x00000127BB9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-41-0x00000127BB9B0000-0x00000127BB9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-42-0x00000127BB9B0000-0x00000127BB9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-43-0x00000127BB9B0000-0x00000127BB9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-33-0x00000127BB9B0000-0x00000127BB9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-32-0x00000127BB9B0000-0x00000127BB9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3980-26-0x0000000005280000-0x00000000052CE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3980-27-0x0000000005300000-0x0000000005318000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3980-45-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3980-28-0x0000000005360000-0x0000000005370000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3980-29-0x0000000005F00000-0x00000000060C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3980-30-0x0000000005EC0000-0x0000000005ECA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3980-25-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3980-44-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3980-23-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-7-0x0000000005700000-0x0000000005712000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5028-6-0x0000000005720000-0x00000000057B2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/5028-5-0x0000000005C00000-0x00000000061A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5028-4-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-3-0x00000000055F0000-0x000000000564C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/5028-2-0x00000000054F0000-0x00000000054FE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5028-1-0x0000000000B20000-0x0000000000C08000-memory.dmp

      Filesize

      928KB

      Download

    • memory/5028-24-0x0000000074B50000-0x0000000075300000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5028-0-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

      Filesize

      4KB

      Download