Analysis

  • max time kernel
    111s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-07-2024 17:31

General

  • Target

    Wave.exe

  • Size

    3.0MB

  • MD5

    df016abe8bfe2653c1dca38309260358

  • SHA1

    253c95a2b7f13d39b9a03ba9a52785258e439340

  • SHA256

    328b42682ffc73069ed31d0a9360aaf75e756cc2e51a280ef9849b9e836a990d

  • SHA512

    3fcb697b369444ff62c84dd7b562f685b035e87ed9beab9c603bb2c35d03d57db7f28d1ccc8ed2ffaf606802fc6e3a4e1535f627d9fe8e0a68514f27219762ec

  • SSDEEP

    49152:B1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:BUHTPJg8z1mKnypSbRxo9JCm

Malware Config

Extracted

Family

orcus

Botnet

Wave

C2

31.44.184.52:15288

Mutex

sudo_76v3ne68zd8b3j6xeaptqbdkmamvwu08

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %appdata%\securedatalifeasync\universal_.exe

  • reconnect_delay

    10000

  • registry_keyname

    Sudik

  • taskscheduler_taskname

    sudik

  • watchdog_path

    AppData\aga.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus main payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Wave.exe
    "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3356
    • C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe
      "C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        3⤵
          PID:4920
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
          3⤵
          • Checks computer location settings
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{b9dce45c-bd12-422c-932b-e6ddab9e9309}.bat" "
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2368
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2500
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo j "
              5⤵
              • System Location Discovery: System Language Discovery
              PID:752
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe""
              5⤵
              • System Location Discovery: System Language Discovery
              PID:960
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo j "
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4344
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{b9dce45c-bd12-422c-932b-e6ddab9e9309}.bat"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4192
    • C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe
      C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1064
    • C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe
      C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1612

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\universal_.exe.log

      Filesize

      1KB

      MD5

      663b8d5469caa4489d463aa9bc18124f

      SHA1

      e57123a7d969115853ea631a3b33826335025d28

      SHA256

      7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8

      SHA512

      45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

    • C:\Users\Admin\AppData\Local\Temp\{b9dce45c-bd12-422c-932b-e6ddab9e9309}.bat

      Filesize

      195B

      MD5

      53659d38a149822e8b5108240f1f4f28

      SHA1

      0cfc03162b97fb0b225159463568df903665e3c1

      SHA256

      f06714618bc94bc1ea676aa45ddadd9bc62997ea2dbcf0d4389e9de040a7c0b0

      SHA512

      df14fd5340c969be07965f551bdd350fd77b297dbb903a4c040e362b9fa702b02455e27fff6c3828ac2d323544618f8debbf00bd2088d095a83a350031313d6e

    • C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe

      Filesize

      3.0MB

      MD5

      df016abe8bfe2653c1dca38309260358

      SHA1

      253c95a2b7f13d39b9a03ba9a52785258e439340

      SHA256

      328b42682ffc73069ed31d0a9360aaf75e756cc2e51a280ef9849b9e836a990d

      SHA512

      3fcb697b369444ff62c84dd7b562f685b035e87ed9beab9c603bb2c35d03d57db7f28d1ccc8ed2ffaf606802fc6e3a4e1535f627d9fe8e0a68514f27219762ec

    • C:\Users\Admin\AppData\Roaming\securedatalifeasync\universal_.exe.config

      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    • memory/2244-37-0x0000000074470000-0x0000000074C20000-memory.dmp

      Filesize

      7.7MB

    • memory/2244-33-0x0000000074470000-0x0000000074C20000-memory.dmp

      Filesize

      7.7MB

    • memory/2244-29-0x0000000074470000-0x0000000074C20000-memory.dmp

      Filesize

      7.7MB

    • memory/2880-45-0x0000000007970000-0x0000000007F88000-memory.dmp

      Filesize

      6.1MB

    • memory/2880-47-0x0000000007400000-0x000000000743C000-memory.dmp

      Filesize

      240KB

    • memory/2880-53-0x0000000006B00000-0x0000000006B18000-memory.dmp

      Filesize

      96KB

    • memory/2880-52-0x0000000008400000-0x0000000008450000-memory.dmp

      Filesize

      320KB

    • memory/2880-51-0x0000000007720000-0x000000000772E000-memory.dmp

      Filesize

      56KB

    • memory/2880-50-0x0000000007F90000-0x0000000008152000-memory.dmp

      Filesize

      1.8MB

    • memory/2880-49-0x00000000075D0000-0x00000000076DA000-memory.dmp

      Filesize

      1.0MB

    • memory/2880-48-0x0000000007440000-0x000000000748C000-memory.dmp

      Filesize

      304KB

    • memory/2880-46-0x00000000073A0000-0x00000000073B2000-memory.dmp

      Filesize

      72KB

    • memory/2880-43-0x0000000006FF0000-0x0000000007056000-memory.dmp

      Filesize

      408KB

    • memory/2880-40-0x00000000069F0000-0x00000000069FA000-memory.dmp

      Filesize

      40KB

    • memory/2880-39-0x00000000066D0000-0x00000000066E0000-memory.dmp

      Filesize

      64KB

    • memory/2880-38-0x0000000005890000-0x00000000058A8000-memory.dmp

      Filesize

      96KB

    • memory/3356-24-0x0000000074470000-0x0000000074C20000-memory.dmp

      Filesize

      7.7MB

    • memory/3356-3-0x0000000005410000-0x000000000541E000-memory.dmp

      Filesize

      56KB

    • memory/3356-4-0x0000000005570000-0x00000000055CC000-memory.dmp

      Filesize

      368KB

    • memory/3356-2-0x0000000074470000-0x0000000074C20000-memory.dmp

      Filesize

      7.7MB

    • memory/3356-0-0x000000007447E000-0x000000007447F000-memory.dmp

      Filesize

      4KB

    • memory/3356-5-0x0000000005DF0000-0x0000000006394000-memory.dmp

      Filesize

      5.6MB

    • memory/3356-7-0x0000000005730000-0x0000000005742000-memory.dmp

      Filesize

      72KB

    • memory/3356-1-0x00000000007B0000-0x0000000000AB2000-memory.dmp

      Filesize

      3.0MB

    • memory/3356-6-0x0000000005840000-0x00000000058D2000-memory.dmp

      Filesize

      584KB

    • memory/5080-32-0x0000000074470000-0x0000000074C20000-memory.dmp

      Filesize

      7.7MB

    • memory/5080-25-0x0000000074470000-0x0000000074C20000-memory.dmp

      Filesize

      7.7MB

    • memory/5080-23-0x0000000074470000-0x0000000074C20000-memory.dmp

      Filesize

      7.7MB

    • memory/5080-26-0x00000000061D0000-0x000000000621E000-memory.dmp

      Filesize

      312KB

    • memory/5080-28-0x0000000006450000-0x00000000064EC000-memory.dmp

      Filesize

      624KB