Analysis
- max time kernel: 574s
- max time network: 601s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-ja
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
- submitted: 19/09/2024, 20:42
Behavioral task
- behavioral1
  Sample: example.exe
  Resource: win7-20240708-ja
  Note: the YARA and memory-dump IoCs under Signatures are tagged behavioral2, i.e. they come from the Windows 10 task described under Analysis (platform windows10-2004_x64), not from this Windows 7 task.
General
- Target: example.exe
- Size: 903KB
- MD5: de87df65430d0f19436429db542fe5b0
- SHA1: bd4026365cbb6d4a7ea8b17a8fea83ab2e7a6037
- SHA256: d55cb8d9ad30078be362414186e4e065394430c3c0b0fa83f06922f59d288a63
- SHA512: 325a50723fbcf82df0a22bc7c68177bd7f9df25a155f204439a27d9aafcd089a8963020b4f8800da8bd444ec7481b5976f717ef7630aa2588dc9cb95c6c46c02
- SSDEEP: 12288:sTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBO:CqI4MROxnFMLqrZlI0AilFEvxHi5B
Malware Config
Extracted: orcus
- C2: text-eating.gl.at.ply.gg:52982
- 8fd8dcabe5d849ad96f2d6e189ef12c1 (32-hex value shown by the extractor without a field name)
- autostart_method: Disable
- enable_keylogger: false
- install_path: %programfiles%\Orcus\Orcus.exe
- reconnect_delay: 10000 (milliseconds, i.e. about 10 s between reconnect attempts)
- registry_keyname: Orcus
- taskscheduler_taskname: Orcus
- watchdog_path: AppData\OrcusWatchdog.exe

Reading the config: the C2 host sits under ply.gg, the relay domain of the playit.gg tunnelling service, so the endpoint is a relay address the operator can re-point rather than infrastructure they own; block and hunt on the full host:port pair and do not treat the domain apex as attacker-owned. autostart_method is Disable, so neither the Run value nor the scheduled task named Orcus is guaranteed to exist on an infected host; that is consistent with the signature list, which records the drop to C:\Program Files\Orcus\Orcus.exe but no Run-key or scheduled-task creation. The installed binary and the watchdog path are therefore the reliable host artifacts, with the C2 pair as the network artifact.
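The following is an added example, not tria.ge output and not Orcus code. It turns the extracted config above into concrete host and network artifacts, matches them against a constructed host-inventory list, and uses reconnect_delay to recognise a C2 retry loop in constructed connection timestamps. Assumptions: %programfiles% resolves to C:\Program Files (the path the sandbox observed), the user profile is C:\Users\Admin, and the inventory records and timestamps are made up for the demonstration.

```python
"""Hunt artifacts derived from the Orcus config in this report (added example)."""
import ntpath
import re

# Values copied from the Malware Config section of this report.
ORCUS_CONFIG = {
    "c2": "text-eating.gl.at.ply.gg:52982",
    "autostart_method": "Disable",
    "enable_keylogger": False,
    "install_path": r"%programfiles%\Orcus\Orcus.exe",
    "reconnect_delay": 10000,  # milliseconds
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "Orcus",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
}

# Assumed placeholder expansion for a 64-bit host (matches the sandbox drop path).
PLACEHOLDERS = {"%programfiles%": r"C:\Program Files"}


def expand_path(path, user_profile):
    """Resolve %token% placeholders case-insensitively and root a relative
    path (the AppData-relative form of watchdog_path) in the user profile."""
    out = re.sub(r"%[^%]+%",
                 lambda m: PLACEHOLDERS.get(m.group(0).lower(), m.group(0)), path)
    if not ntpath.isabs(out):
        out = ntpath.join(user_profile, out)
    return out


def derive_iocs(cfg, user_profile=r"C:\Users\Admin"):
    """Lower-cased artifacts implied by the config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "files": {
            expand_path(cfg["install_path"], user_profile).lower(),
            expand_path(cfg["watchdog_path"], user_profile).lower(),
        },
        "run_value": cfg["registry_keyname"].lower(),
        "task_name": cfg["taskscheduler_taskname"].lower(),
        # autostart_method "Disable": a missing Run value or task does not clear
        # a host, so file and network artifacts are the primary checks.
        "autostart_expected": cfg["autostart_method"].lower() != "disable",
    }


# Constructed host-inventory records (not from the report).
SAMPLE_RECORDS = [
    {"type": "file", "value": r"C:\Program Files\Orcus\Orcus.exe"},
    {"type": "file", "value": r"C:\Users\Admin\AppData\OrcusWatchdog.exe"},
    {"type": "file", "value": r"C:\Program Files\7-Zip\7z.exe"},
    {"type": "run_value", "value": "OneDrive"},
    {"type": "task", "value": "Orcus"},
    {"type": "netconn", "value": "text-eating.gl.at.ply.gg:52982"},
    {"type": "netconn", "value": "update.microsoft.com:443"},
]


def match_records(records, iocs):
    """Return (type, value) pairs from records that match a derived IoC."""
    hits = []
    for r in records:
        v = r["value"].lower()
        if r["type"] == "file" and v in iocs["files"]:
            hits.append(("file", r["value"]))
        elif r["type"] == "run_value" and v == iocs["run_value"]:
            hits.append(("run_value", r["value"]))
        elif r["type"] == "task" and v == iocs["task_name"]:
            hits.append(("task", r["value"]))
        elif r["type"] == "netconn":
            host, _, port = v.rpartition(":")
            if host == iocs["c2_host"] and port.isdigit() and int(port) == iocs["c2_port"]:
                hits.append(("netconn", r["value"]))
    return hits


def is_reconnect_loop(timestamps, delay_ms, tolerance=0.25, min_gaps=3):
    """True when most gaps between consecutive connection attempts (seconds)
    sit within +/-tolerance of the configured reconnect_delay. Separates the
    retry loop of an implant whose relay is down from one-off connections."""
    if len(timestamps) < min_gaps + 1:
        return False
    expected = delay_ms / 1000.0
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    close = [g for g in gaps if abs(g - expected) <= tolerance * expected]
    return len(close) >= min_gaps and len(close) / len(gaps) >= 0.75


if __name__ == "__main__":
    iocs = derive_iocs(ORCUS_CONFIG)
    for hit in match_records(SAMPLE_RECORDS, iocs):
        print("HIT", *hit)
    print("retry loop:", is_reconnect_loop([0.0, 10.1, 20.0, 30.3, 40.1],
                                           ORCUS_CONFIG["reconnect_delay"]))
```

The matcher deliberately keys the network check on host and port together, since ply.gg is shared relay space, and records the autostart expectation so an analyst does not clear a host on the absence of a Run value the config never asked for.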
Signatures
- Orcus main payload (1 IoC)
  yara_rule family_orcus: behavioral2/files/0x0008000000023461-36.dat
- Orcurs Rat Executable (2 IoCs)
  yara_rule orcus: behavioral2/files/0x0008000000023461-36.dat
  yara_rule orcus: behavioral2/memory/2496-45-0x0000000000C70000-0x0000000000D58000-memory.dmp
- Disables Task Manager via registry modification (no IoC rows rendered)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (example.exe)
- Executes dropped EXE (1 IoC)
  PID 2496 Orcus.exe
- Loads dropped DLL (1 IoC)
  PID 2496 Orcus.exe
- Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini (example.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (example.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp" (Orcus.exe)
- Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files\Orcus\Orcus.exe (example.exe)
  File opened for modification: C:\Program Files\Orcus\Orcus.exe (example.exe)
  File created: C:\Program Files\Orcus\Orcus.exe.config (example.exe)
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly (example.exe)
  File created: C:\Windows\assembly\Desktop.ini (example.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (example.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Orcus.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Orcus.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Modifies Control Panel (2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\WallpaperStyle = "1" (Orcus.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\TileWallpaper = "1" (Orcus.exe)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  PID 4672 WINWORD.EXE (2 hits)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2496 Orcus.exe (all 64 hits)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2496 Orcus.exe
- Suspicious use of FindShellTrayWindow (8 IoCs)
  PID 2496 Orcus.exe (all 8 hits)
- Suspicious use of SendNotifyMessage (2 IoCs)
  PID 2496 Orcus.exe (2 hits)
- Suspicious use of SetWindowsHookEx (16 IoCs)
  PID 4672 WINWORD.EXE (all 16 hits)
- Suspicious use of WriteProcessMemory (10 IoCs; each parent/child pair is recorded twice)
  source PID  source process  target PID  procid_target  records
  4556        example.exe     4424        83             2
  4424        csc.exe         4848        85             2
  4556        example.exe     2496        91             2
  2496        Orcus.exe       4764        101            2
  2496        Orcus.exe       3996        103            2

Triage note on attribution: every hit attributed to PID 4672 WINWORD.EXE (the CentralProcessor and BIOS registry reads, AddClipboardFormatListener, SetWindowsHookEx) comes from a process that is a separate root in the process tree below, with no WriteProcessMemory edge from example.exe or Orcus.exe. Those rows describe Word's own startup behaviour on the sandbox and should be discounted when building detections for this sample; the rows attributed to example.exe (PID 4556) and Orcus.exe (PID 2496) are the ones that describe the malware.
Processes
- C:\Users\Admin\AppData\Local\Temp\example.exe (PID 4556)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\example.exe"
  signatures: Checks computer location settings; Drops desktop.ini file(s); Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 4424)
    cmdline: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dgfswzum.cmdline"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 4848)
      cmdline: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA21D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA21C.tmp"
  - C:\Program Files\Orcus\Orcus.exe (PID 2496)
    cmdline: "C:\Program Files\Orcus\Orcus.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Sets desktop wallpaper using registry; Checks processor information in registry; Modifies Control Panel; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 4764)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{91939e66-fadc-4fa5-8ee2-fab0755f33ea}.bat""
    - C:\Windows\system32\cmd.exe (PID 3996)
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{e1380002-1ea4-4582-acc0-56c7da2d9786}.bat""
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 4672)
  cmdline: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\RenameCompress.docx" /o ""
  signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\taskmgr.exe (PID 1424)
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
- C:\Windows\System32\rundll32.exe (PID 5016)
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Reading the tree: the csc.exe then cvtres.exe chain under example.exe, driven by a response file (@"...\dgfswzum.cmdline") in the user's Temp directory, is the footprint of runtime C# compilation (CodeDOM style) performed by a .NET dropper; a compiler from the framework directory being launched by a Temp-resident executable is a strong parent/child signal on hosts without developer tooling. example.exe then starts the payload it dropped to C:\Program Files\Orcus\Orcus.exe, and Orcus.exe runs two cmd.exe children executing GUID-named .bat files from Temp. WINWORD.EXE, taskmgr.exe and rundll32.exe are roots of their own with no parent edge from the sample and are not descendants of example.exe.
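As an added example (not tria.ge tooling, and not part of this report's data model), the block below rebuilds the process tree from the "wrote to memory of" records in the Suspicious use of WriteProcessMemory signature, combined with the command lines from the Processes section, and applies three parent/child rules a responder would pivot on: a compiler launched from Temp with a response file, a Temp-resident parent launching a binary under Program Files, and cmd.exe running a GUID-named .bat from Temp. The records and command lines are copied from this report; the rule set, the helper names and the thresholds are assumptions.

```python
"""Process-tree reconstruction and parent/child rules over this report's records (added example)."""
import re
from collections import defaultdict

# Rows copied from the WriteProcessMemory signature in this report.
WPM_RECORDS = """
PID 4556 wrote to memory of 4424 4556 example.exe 83
PID 4556 wrote to memory of 4424 4556 example.exe 83
PID 4424 wrote to memory of 4848 4424 csc.exe 85
PID 4424 wrote to memory of 4848 4424 csc.exe 85
PID 4556 wrote to memory of 2496 4556 example.exe 91
PID 4556 wrote to memory of 2496 4556 example.exe 91
PID 2496 wrote to memory of 4764 2496 Orcus.exe 101
PID 2496 wrote to memory of 4764 2496 Orcus.exe 101
PID 2496 wrote to memory of 3996 2496 Orcus.exe 103
PID 2496 wrote to memory of 3996 2496 Orcus.exe 103
"""

# Command lines copied from the Processes section, keyed by PID.
CMDLINES = {
    4556: r'"C:\Users\Admin\AppData\Local\Temp\example.exe"',
    4424: r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dgfswzum.cmdline"',
    4848: r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA21D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA21C.tmp"',
    2496: r'"C:\Program Files\Orcus\Orcus.exe"',
    4764: r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{91939e66-fadc-4fa5-8ee2-fab0755f33ea}.bat""',
    3996: r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{e1380002-1ea4-4582-acc0-56c7da2d9786}.bat""',
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
# GUID-named batch file under a Temp directory (8-4-4-4-12 hex groups = 36 chars).
GUID_BAT_RE = re.compile(r"\\Temp\\\{[0-9a-f-]{36}\}\.bat", re.I)


def parse_edges(text):
    """Ordered, de-duplicated (parent_pid, child_pid) edges. Each pair is
    listed twice in the report, so repeats are collapsed."""
    edges = []
    for m in WPM_RE.finditer(text):
        edge = (int(m.group(1)), int(m.group(2)))
        if edge not in edges:
            edges.append(edge)
    return edges


def image_name(cmdline):
    """Image path from a command line: the first quoted token, or the first
    whitespace-separated token when the path is unquoted."""
    m = re.match(r'"([^"]+)"', cmdline)
    return m.group(1) if m else cmdline.split()[0]


def build_tree(edges, cmdlines):
    """Indented text tree rooted at every PID that is never a child."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    child_set = {c for _, c in edges}
    roots = list(dict.fromkeys(p for p, _ in edges if p not in child_set))
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image_name(cmdlines[pid])}")
        for c in children[pid]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


def find_suspicious(edges, cmdlines):
    """Assumed rule set (not a tria.ge signature) applied to each edge;
    returns (parent_pid, child_pid, reason) tuples."""
    findings = []
    for parent, child in edges:
        parent_img = image_name(cmdlines[parent]).lower()
        child_img = image_name(cmdlines[child]).lower()
        child_cmd = cmdlines[child]
        parent_in_temp = "\\appdata\\local\\temp\\" in parent_img
        if parent_in_temp and child_img.endswith("\\csc.exe") and "@" in child_cmd:
            findings.append((parent, child, "csc.exe with response file launched from Temp-resident parent"))
        if parent_in_temp and child_img.startswith("c:\\program files\\"):
            findings.append((parent, child, "Temp-resident parent launched binary under Program Files"))
        if child_img.endswith("\\cmd.exe") and GUID_BAT_RE.search(child_cmd):
            findings.append((parent, child, "cmd.exe running GUID-named .bat from Temp"))
    return findings


if __name__ == "__main__":
    edges = parse_edges(WPM_RECORDS)
    print(build_tree(edges, CMDLINES))
    for f in find_suspicious(edges, CMDLINES):
        print("FLAG", *f)
```

Against this report the tree resolves to a single root, example.exe, and the rules fire four times: the csc.exe launch, the Orcus.exe launch from Program Files, and both GUID-named .bat executions. The cvtres.exe child of csc.exe is not flagged on its own, which is deliberate: it is the compiler's normal helper and only matters because of who launched csc.exe.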
Network
MITRE ATT&CK Enterprise v15
Downloads
(File paths are not rendered for most entries on this page; the two jump-list entries are the only ones with a path.)
- (path not rendered), 903KB, same hashes as the submitted sample
  MD5: de87df65430d0f19436429db542fe5b0
  SHA1: bd4026365cbb6d4a7ea8b17a8fea83ab2e7a6037
  SHA256: d55cb8d9ad30078be362414186e4e065394430c3c0b0fa83f06922f59d288a63
  SHA512: 325a50723fbcf82df0a22bc7c68177bd7f9df25a155f204439a27d9aafcd089a8963020b4f8800da8bd444ec7481b5976f717ef7630aa2588dc9cb95c6c46c02
- (path not rendered), 357B
  MD5: a2b76cea3a59fa9af5ea21ff68139c98
  SHA1: 35d76475e6a54c168f536e30206578babff58274
  SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
  SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
- (path not rendered), 1KB
  MD5: 459e8035f15f4a841241500e645f7726
  SHA1: 6a1c181759868eac2e18830d31ca30a6ec6404a7
  SHA256: 37646e12898a36e51e00a8179e4c9030a90289fd9fa963fb6d539973f4ce6a70
  SHA512: f9be13fb85dc91f59727d122cf5a51aa1ecb2fef8d926c748e8e2e625cdae4bfc8f93bce4ed1fae8f82f5a7bd62a21880f11a4232b6147d7575c1df9873d5522
- (path not rendered), 262KB
  MD5: 51d32ee5bc7ab811041f799652d26e04
  SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
  SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
  SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
- (path not rendered), 76KB
  MD5: fb1c718b027da5edbba5ad24655d858a
  SHA1: 4f222ce40a695a5b3f20ec6ca6cbaf06bae0a625
  SHA256: 742f78e8f9fc07207d6bb1d7a719d05b0bfc0a2a7794df6066d91b5845ec3e85
  SHA512: 405b564a4e5a82f0866a5516786a6efa4b0113e1c787e50c7b2c5f77d64d17c8764dacffdd25a1bd52225c72d0f4c59e0bcc7b396034e800b56482dd733621de
- (path not rendered), 103B
  MD5: ba019dae26b170d41d40b8fbf4cec751
  SHA1: a68501fb52b2e6bc913306fe2650d4275de37894
  SHA256: 67918d6fdd118af0774b06faa3e1a88c4c5231a6d4b0c9df67a6cf061be5d130
  SHA512: 7378fdcf5bace5fef6d7ab5408863a7164fd92c9b06afc7334015eaf1620f87b09cdfe0d9ba202e77524e7608f27ffb7fea9c7be3f38eac37092e89c1c29e652
- (path not rendered), 278B
  MD5: bc07e1ba82e3c01f506e35f8ce74f484
  SHA1: 0adcc4220725dcdeb6e1ea11cdf390b714f80e56
  SHA256: c3930ccffbe35ebb4d32d97b980f6e504262ce6e97e5159a2ead711f347ed789
  SHA512: 26fefc020a9cc655977a383b8a4436dccbeae14b41630da19d185c4a85ca730130141b110195f94480aa3d216e19e248f237f27577cb1dbcbc12af1576b894ea
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms, 1KB
  MD5: 426493224afc3cb86d8693effd142a63
  SHA1: 35d110f1f1aa421aa8cb27b9f9d6d81202c359cd
  SHA256: 80190f49c5f05eccb889801370475b82027b15a9b1b5b90017f3758603c3f0f2
  SHA512: ab8501fa32f32fa561446a9cc7077993c64b152d1f53d1b73960b0054f2450c2dd4bf7e51a7440f352591a00029a9b744d023183e293b165df442cf641c5b975
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms, 1KB (second version of the same jump-list file)
  MD5: 8ab7bded0a33cc7b0b5493f35673c18d
  SHA1: 7cb8dc38fc668d523294991913b253486a164b46
  SHA256: 113b77d7fb440573984a9753cfc9e04a61db1b6a01d169ba19bae4eead6513da
  SHA512: 9c3f99b8baad2012248f726b5347aab09f0a1d219cfec2cb474b71dfb950eff6b64d9b8ac47684f9a6a9c524b89f097d4b1a03daea505a1c88fc69f234bdbc08
- (path not rendered), 516KB
  MD5: dde3ec6e17bc518b10c99efbd09ab72e
  SHA1: a2306e60b74b8a01a0dbc1199a7fffca288f2033
  SHA256: 60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8
  SHA512: 09a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877
- (path not rendered), 125KB
  MD5: 2b44c70c49b70d797fbb748158b5d9bb
  SHA1: 93e00e6527e461c45c7868d14cf05c007e478081
  SHA256: 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
  SHA512: faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0
- (path not rendered), 271KB
  MD5: 98eb5ba5871acdeaebf3a3b0f64be449
  SHA1: c965284f60ef789b00b10b3df60ee682b4497de3
  SHA256: d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
  SHA512: a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2
- (path not rendered), 338KB
  MD5: 934da0e49208d0881c44fe19d5033840
  SHA1: a19c5a822e82e41752a08d3bd9110db19a8a5016
  SHA256: 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
  SHA512: de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59
- (path not rendered), 247KB
  MD5: ffb4b61cc11bec6d48226027c2c26704
  SHA1: fa8b9e344accbdc4dffa9b5d821d23f0716da29e
  SHA256: 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
  SHA512: 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9
- (path not rendered), 1.3MB
  MD5: ac6acc235ebef6374bed71b37e322874
  SHA1: a267baad59cd7352167636836bad4b971fcd6b6b
  SHA256: 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
  SHA512: 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081
- (path not rendered), 662KB
  MD5: b36cc7f7c7148a783fbed3493bc27954
  SHA1: 44b39651949a00cf2a5cbba74c3210b980ae81b4
  SHA256: c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38
  SHA512: c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2
- (path not rendered), 676B
  MD5: 8fb29f242f88e9d1a39fccee453609e7
  SHA1: bf343caf5368d12c2f16754071f68684de225f60
  SHA256: c8a4f19779fb049a97ede3d85a10a4c98f7e907349daf3fb4fad5d748a63c8cb
  SHA512: d48c9d16d1d257422d6db7221347d6ae770bc31ad8961859ba9ccdb3a8db03d4e95c1a9c3f79d3c424b1f17b040780962c99a569eec73aebe0e9f5385ec7506b
- (path not rendered), 208KB
  MD5: ec2be20be7a53505df15fde341b1e504
  SHA1: 6c6cfe9dbfb6d0c749263bc3fd01be7449f4f9fa
  SHA256: 11c7ad7b72dc5e909918953344c809b4c6130dec4d33ce5a366523f616f9f9f3
  SHA512: 95e2fc972a384349feae3470eaf4c2a471b471ded27a527974c607e769359c4b88d6044067cf6ec046eb0df4dc9b8aabb80d082f3165a6fd07bf5826846c6b1b
- (path not rendered), 349B
  MD5: f02e18ebd7e1b52e560e5582c720b065
  SHA1: af07e15285058773ad46d0600d4db35c076cb6ac
  SHA256: 49125d581b6366bb42efab83f2e90068b631ea1026c28f0a27b0d963bc016a1c
  SHA512: 2964435fac357347b30979f7c87a7108e7d3962e3a74c5de5eec426e2f21435477bc17b7a46a3ab190b0dba29c4b967647e61bfc1d1b0a88aed7dfcbac02bb1a