Analysis
- max time kernel: 220s
- max time network: 225s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-07-2024 04:06
Behavioral task: behavioral1
- Sample: OrbitExecutor/Orbit.exe
- Resource: win10v2004-20240709-en
Behavioral task: behavioral2
- Sample: OrbitExecutor/bin/api.dll
- Resource: win10v2004-20240709-en
General
- Target: OrbitExecutor/Orbit.exe
- Size: 628KB
- MD5: 1e420dfa64720d837db1e455dc9ee2ac
- SHA1: 6fc393cc32b0034383d2e8852573deb4a0344d0f
- SHA256: 96b235e33183fa716d4a07a65be9955026e2b3228cdc9402f716eee6adc7bdf1
- SHA512: cc231d4f126c650eb98791a402816c82a825fd434b38429915bfe1185393aa1223f16ae69c01d197fdb386c60d924e2016a92c714efe6b7e4b108bb30454bd1e
- SSDEEP: 12288:1yNvYJ94KY+q7Wk4VUjtQSOSyQgEQEJJU+kFGUYlYr:I1J0yYVkeSytNEJJU+47
Malware Config
Signatures
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access or copy of web browser credential store.
- Loads dropped DLL (1 IoCs)
  Processes:
    pid   process
    4472  Orbit.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process    target process
    PID 4472 set thread context of 2068  4472  Orbit.exe  MSBuild.exe
- Program crash (1 IoCs)
  Processes:
    pid   pid_target  process       target process
    3036  2068        WerFault.exe  MSBuild.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                         process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Orbit.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    2068  MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    description                pid   process
    Token: SeDebugPrivilege    2068  MSBuild.exe
    Token: SeBackupPrivilege   2068  MSBuild.exe
    Token: SeSecurityPrivilege 2068  MSBuild.exe
    Token: SeSecurityPrivilege 2068  MSBuild.exe
    Token: SeSecurityPrivilege 2068  MSBuild.exe
    Token: SeSecurityPrivilege 2068  MSBuild.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                         pid   process    target process
    PID 4472 wrote to memory of 2068    4472  Orbit.exe  MSBuild.exe
    PID 4472 wrote to memory of 2068    4472  Orbit.exe  MSBuild.exe
    PID 4472 wrote to memory of 2068    4472  Orbit.exe  MSBuild.exe
    PID 4472 wrote to memory of 2068    4472  Orbit.exe  MSBuild.exe
    PID 4472 wrote to memory of 2068    4472  Orbit.exe  MSBuild.exe
    PID 4472 wrote to memory of 2068    4472  Orbit.exe  MSBuild.exe
    PID 4472 wrote to memory of 2068    4472  Orbit.exe  MSBuild.exe
    PID 4472 wrote to memory of 2068    4472  Orbit.exe  MSBuild.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\OrbitExecutor\Orbit.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OrbitExecutor\Orbit.exe"
  PID: 4472
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 2068
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 2780
      PID: 3036
      - Program crash
- [depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2068 -ip 2068
  PID: 2720
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 627KB
  MD5: 3d1fd85897344a19d1530eabb990f426
  SHA1: 189d0625a4e57eed3dc80177c95f9786b4f53dc1
  SHA256: 9253ae4acf96dfb95e3b875a2f463d3bdc0b59c4f215d41bc0c86badd0fcc7c9
  SHA512: 3cf1c417b7b177af7894732ac97268d1bdc84375f13bfc04e745fcc7e18aeb2f8407e38aaaa623d9d42f2eb4feba982efd10f3529d79b344ef072250e83e7a05