Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
05-08-2024 13:05
General
-
Target
dickmedown.exe
-
Size
915KB
-
MD5
816e2bdaa95db7d567c96316888ced40
-
SHA1
b56a69a350eaed78a4f37fc78a3adedb0fcc48a4
-
SHA256
c63478d09c4947499eb077a2a9cca07a07e837841a19ca3c8d02dac158e5aaaf
-
SHA512
6de21c0fd00e074cc7e34efad8be696238a25d2910777379256468e0bc99caba2320cc7bc2ecc758f61c052b6eaa7f201ff57841289bc53504849299fefa365a
-
SSDEEP
12288:W0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCucpCwFuCQaUepPToIp7dG1lFlG:UU04MROxnFeUrrcI0AilFEvxHPqcoos
Malware Config
Extracted
orcus
free client from my cumslut
community-married.gl.at.ply.gg:14614
bef7c7ea99c940fd82bf56700ce32a12
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
%programfiles%\Windows6969\WindowsSexMachine.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload 1 IoCs
-
Orcurs Rat Executable 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dickmedown.exe"C:\Users\Admin\AppData\Local\Temp\dickmedown.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Program Files (x86)\Windows6969\WindowsSexMachine.exe"C:\Program Files (x86)\Windows6969\WindowsSexMachine.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --uninstall3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{75304c9b-6300-4ca3-a637-b435fa1103f7}.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo j "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files (x86)\Windows6969\WindowsSexMachine.exe""4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo j "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{75304c9b-6300-4ca3-a637-b435fa1103f7}.bat"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Program Files (x86)\Windows6969\WindowsSexMachine.exe"C:\Program Files (x86)\Windows6969\WindowsSexMachine.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
915KB
MD5816e2bdaa95db7d567c96316888ced40
SHA1b56a69a350eaed78a4f37fc78a3adedb0fcc48a4
SHA256c63478d09c4947499eb077a2a9cca07a07e837841a19ca3c8d02dac158e5aaaf
SHA5126de21c0fd00e074cc7e34efad8be696238a25d2910777379256468e0bc99caba2320cc7bc2ecc758f61c052b6eaa7f201ff57841289bc53504849299fefa365a
-
Filesize
2KB
MD578ffbfd38b4ab75e03596bbb2d321e25
SHA11b99ba3cfa6389b8483b36b28836aca4773845e4
SHA2566a6a889f671eea1112a70756ae849bc1c32357ac2818bfa79db84bbbb9813a5d
SHA512e18ff531f792282d0efa0d4264daa36e2d0112ac6d06eabfeb98ffd78570583a602defe3e71332d8801294dc90a2af9a8cdc1e1d0b9c5d0264c584d775cf0243
-
Filesize
1KB
MD50672db2ef13237d5cb85075ff4915942
SHA1ad8b4d3eb5e40791c47d48b22e273486f25f663f
SHA2560a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519
SHA51284ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b
-
Filesize
195B
MD5eb5fe9ae1dcef1be216359171f576f11
SHA1dd94ae34258cc77a2caaa9e5778c68677042ff05
SHA256decee407d0bd42c0831769317756d73e9e1705e6f7dbc87a224e0b290108ce94
SHA512de67bef5f94f9d09465dd6841ffc0ed55363b0580e00db5f3776facc682b34c1d305accfd2c1f1242bde725c22f2bc22aeeead11c09661cc88fa35bff0064a2c
-
Filesize
7KB
MD5362ce475f5d1e84641bad999c16727a0
SHA16b613c73acb58d259c6379bd820cca6f785cc812
SHA2561f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA5127630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
1.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
10.8MB
-
Filesize
312KB
-
Filesize
6.1MB
-
Filesize
1.8MB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
96KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
368KB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
936KB