bbf1e1d379603905b586ee24ce5e87d66ec78c9aa41c74f44535d6354d96eb4c

Resubmissions

09/08/2024, 15:30

240809-sxpmlawdnc 6

09/08/2024, 15:28

240809-swkx1sscpr 6

Analysis

max time kernel
141s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orbit.exe
Size

6.1MB
MD5

2d15b36030de4a3a75976fd7c18367eb
SHA1

ead7f524c4c9be2e102cfbca5e69316de2432151
SHA256

bbf1e1d379603905b586ee24ce5e87d66ec78c9aa41c74f44535d6354d96eb4c
SHA512

84f881cdfc38b77df3c2c45477f832f99c9b10be5f570368e5e393ba3c45799b5c8a2a5f8683b1f705273c4371f7b229e6fb4fd951e1d4880bf3d598708fe838
SSDEEP

98304:+nfOVKp6kgjGYkbkg5ZNSU7h+5ysm9LCq61NEh7Cho:+fOIGyYkYg5Zo4+5sqEh7Cho

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	discord.com
20	discord.com
21	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3100	Orbit.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{C154A5A4-8432-4F19-A4E3-AF4CBA09CABC}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3100	Orbit.exe
3100	Orbit.exe
4308	msedge.exe
4308	msedge.exe
4460	msedge.exe
4460	msedge.exe
1720	msedge.exe
1720	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4460	msedge.exe
4460	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 4460	3100	Orbit.exe	87
PID 3100 wrote to memory of 4460	3100	Orbit.exe	87
PID 4460 wrote to memory of 4556	4460	msedge.exe	88
PID 4460 wrote to memory of 4556	4460	msedge.exe	88
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4192	4460	msedge.exe	89
PID 4460 wrote to memory of 4308	4460	msedge.exe	90
PID 4460 wrote to memory of 4308	4460	msedge.exe	90
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91
PID 4460 wrote to memory of 4376	4460	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\Orbit.exe
"C:\Users\Admin\AppData\Local\Temp\Orbit.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/oauth2/authorize?client_id=1249396591333212170&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fredirect&scope=identify+guilds+guilds.members.read
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc5d7146f8,0x7ffc5d714708,0x7ffc5d714718
    3⤵
    PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16091099133907384350,11896754113628275381,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
    3⤵
    PID:4192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16091099133907384350,11896754113628275381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16091099133907384350,11896754113628275381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    3⤵
    PID:4376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16091099133907384350,11896754113628275381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:4708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16091099133907384350,11896754113628275381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    3⤵
    PID:2716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,16091099133907384350,11896754113628275381,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4228 /prefetch:8
    3⤵
    PID:3792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2052,16091099133907384350,11896754113628275381,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4936 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
6c675c3aff1abee32e30c5c5e037a953

SHA1
ab42e3f441a3864f59ea7515ca069699415669cb

SHA256
46ca2f74871ac409175d2c1c319077344b58855d69d7b1f75e4e2f1c34a54db2

SHA512
93daa8b1ac01cd20084a586d0f268686793ffb1b1929e6806785caee1611a0df92c95f3d1876005b2ddbd9b8fdbe4d25b125acd718258021eeea8f48a8585870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
469B

MD5
a7fae645189ba72925d9f4315df9fcd9

SHA1
a68e2d207f0bb18c7102d1fbbe6fb46b93477f25

SHA256
ab91ffd481b1bf7029f9f53bcc421dbdca34951d47307d30b9c384a7588ba67e

SHA512
c8d70a5bdd8372e936cce0dafa429dcf408a095118a5916974af0e26109223af41b2553edb711e773220582e5f0a1bc7b914398600fe8f297246c32cdb56aa62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40bd8ffbdccc26df755ac5e3f4ae9437

SHA1
f766118bd85da5e314b56ebec616c22851105a00

SHA256
33b94469a052f562e86f6cd11efde60cf856fdb3aa74030bdfb4ea6f24201d5d

SHA512
a6da9aa78968982a13d644b929bed29b31051fe4f66e4a8777a570ffd3f326fd4c5cd676d940d3207b26d42d60873f9a70ef08a34386a88934aecfdef637847e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fa2431df611ac1d6b4a49035914e5cb7

SHA1
e0afe26b2df5b6e01a050d1e848b3240a47ed777

SHA256
7bdf8d11cf4afdef8507cfba16aa1622ccec85f4118ef100cb04dbe4119be6f3

SHA512
c9be4df063571ab28dc98e327202a657ae3f937e856d6cce2ba369dbf5e9e38c82df183c6f7d483e8b65228646fadf966962a3646a65fd4e20dc19dffddba0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
531b852a6e251fd121b4eb8dbfa717ad

SHA1
5aa7664eca9e7a69ec70ba16a8b25dda11c21ff0

SHA256
d40afe192feb0577a44c4bcb848b4cdbbc19948d9a6676b5520ccaf8a0f856c7

SHA512
491cd068b0acc2a8bb75b72951dbcf9fa6edad3694b3be4a872f85d17f9930a9f4fcb663c2e4e61028d0392151e44b9acb95abc964d3a2b23399254b1d1b98cf

Download Submit
memory/3100-1-0x00007FFC7B6F0000-0x00007FFC7B6F2000-memory.dmp

Filesize
8KB

Download
memory/3100-3-0x0000000140000000-0x0000000140BC7000-memory.dmp

Filesize
11.8MB

Download
memory/3100-2-0x00007FFC7B700000-0x00007FFC7B702000-memory.dmp

Filesize
8KB

Download
memory/3100-0-0x0000000140260000-0x00000001405A7000-memory.dmp

Filesize
3.3MB

Download
memory/3100-219-0x0000000140260000-0x00000001405A7000-memory.dmp

Filesize
3.3MB

Download
memory/3100-220-0x0000000140000000-0x0000000140BC7000-memory.dmp

Filesize
11.8MB

Download