Resubmissions
03-10-2024 21:19
241003-z6m9fsxcjn 1003-10-2024 21:14
241003-z3g82azhmb 1003-10-2024 21:10
241003-z1h3jszglg 1003-10-2024 21:03
241003-zv1emszeje 10Analysis
-
max time kernel
430s -
max time network
1149s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
03-10-2024 21:19
General
-
Target
snos.exe
-
Size
916KB
-
MD5
defc2abbed64bb0a53c7b9fa04d9d114
-
SHA1
926cbb5e1d9ea1249aa034afa5d0e510322b5ee6
-
SHA256
4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580
-
SHA512
00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842
-
SSDEEP
24576:NVWC4MROxnFD3krXYf1rrcI0AilFEvxHPdmoo6:NqMiJtrrcI0AilFEvxHP
Malware Config
Extracted
orcus
45.200.148.205:10134
2857e61aa1024db89df5be17078af5ab
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
%programfiles%\sistemwinhost\winhost1235.exe
-
reconnect_delay
10000
-
registry_keyname
registry
-
taskscheduler_taskname
registre
-
watchdog_path
AppData\Servicemanagaer.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload 1 IoCs
-
Orcurs Rat Executable 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Drops file in System32 directory 4 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\snos.exe"C:\Users\Admin\AppData\Local\Temp\snos.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Program Files (x86)\sistemwinhost\winhost1235.exe"C:\Program Files (x86)\sistemwinhost\winhost1235.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe"C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe" /launchSelfAndExit "C:\Program Files (x86)\sistemwinhost\winhost1235.exe" 4700 /protectFile3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe"C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe" /watchProcess "C:\Program Files (x86)\sistemwinhost\winhost1235.exe" 4700 "/protectFile"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --uninstall3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{7f0de462-2ad5-49ad-9e40-383a4ff80492}.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo j "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files (x86)\sistemwinhost\winhost1235.exe""4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo j "4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{7f0de462-2ad5-49ad-9e40-383a4ff80492}.bat"4⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Program Files (x86)\sistemwinhost\winhost1235.exe"C:\Program Files (x86)\sistemwinhost\winhost1235.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
916KB
MD5defc2abbed64bb0a53c7b9fa04d9d114
SHA1926cbb5e1d9ea1249aa034afa5d0e510322b5ee6
SHA2564a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580
SHA51200084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842
-
Filesize
2KB
MD50d48e80035a2b861e6d380b3065c3434
SHA149dbfea360a21b0d4708c29b56ad61c137e77a07
SHA25660256d3546a7af694283a7067a4632e3969c845a0d7620af0495760674f5f858
SHA5122b77a2268602964069eea7dd625df29b35581bef015af4d3bbc3c8cecb48d34fbee60dcadb16f1a3e4d0bf34a0a6de394d60687edb7f005a82b6083b810f8544
-
Filesize
425B
MD5bb27934be8860266d478c13f2d65f45e
SHA1a69a0e171864dcac9ade1b04fc0313e6b4024ccb
SHA25685ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4
SHA51287dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb
-
Filesize
1KB
MD523095077e59941121be408de05f8843b
SHA16a85a4fb6a47e96b4c65f8849647ff486273b513
SHA25649cc85a6bad5faf998eae8f1156e4a3cdd0273ff30a7828f5545689eb22e3fe5
SHA51205644cd4aa2128e4c40993e4033ae3102705ee27c157d8376180c81e58b61c2801ca8deed6a256c79bc409e40f9ab5c66e2b2492f6c60871fb575eb6cce73211
-
Filesize
191B
MD544bd3e7628ce70d53bef004a039fc63b
SHA1fb13d12ee2c28e8f8d04572f8bb89ef34129e72f
SHA256238a5810ef84f37388dbd475104c75646aeca04917b3df3b4ee0ae7e8861d049
SHA51285c7b2f6a6cc3917b66f6ac81a270ed9677cc5a6106d8975f5af792d568c5cf9b9ce0c3768dbebecbe13233bff5c3c562e73f3c889f873697093c55f8bfd8415
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
7KB
MD5362ce475f5d1e84641bad999c16727a0
SHA16b613c73acb58d259c6379bd820cca6f785cc812
SHA2561f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA5127630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
936KB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
368KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
1.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
312KB
-
Filesize
96KB
-
Filesize
304KB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
408KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
10.8MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
10.8MB