Overview

overview

10

Static

static

10

snos.exe

windows10-2004-x64

10

Resubmissions

03-10-2024 21:19

241003-z6m9fsxcjn 10

03-10-2024 21:14

241003-z3g82azhmb 10

03-10-2024 21:10

241003-z1h3jszglg 10

03-10-2024 21:03

241003-zv1emszeje 10

Analysis

  • max time kernel
    158s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2024 21:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    snos.exe

  • Size

    916KB

  • MD5

    defc2abbed64bb0a53c7b9fa04d9d114

  • SHA1

    926cbb5e1d9ea1249aa034afa5d0e510322b5ee6

  • SHA256

    4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580

  • SHA512

    00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842

  • SSDEEP

    24576:NVWC4MROxnFD3krXYf1rrcI0AilFEvxHPdmoo6:NqMiJtrrcI0AilFEvxHP

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

45.200.148.205:10134

Mutex

2857e61aa1024db89df5be17078af5ab

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\sistemwinhost\winhost1235.exe

  • reconnect_delay

    10000

  • registry_keyname

    registry

  • taskscheduler_taskname

    registre

  • watchdog_path

    AppData\Servicemanagaer.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\snos.exe
    "C:\Users\Admin\AppData\Local\Temp\snos.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4952
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:3572
    • C:\Program Files (x86)\sistemwinhost\winhost1235.exe
      "C:\Program Files (x86)\sistemwinhost\winhost1235.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4216
      • C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe
        "C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe" /launchSelfAndExit "C:\Program Files (x86)\sistemwinhost\winhost1235.exe" 4216 /protectFile
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe
          "C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe" /watchProcess "C:\Program Files (x86)\sistemwinhost\winhost1235.exe" 4216 "/protectFile"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2448
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:4512
  • C:\Program Files (x86)\sistemwinhost\winhost1235.exe
    "C:\Program Files (x86)\sistemwinhost\winhost1235.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2524
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nice rat.txt
    1⤵
      PID:4556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\sistemwinhost\winhost1235.exe
      Filesize

      916KB

      MD5

      defc2abbed64bb0a53c7b9fa04d9d114

      SHA1

      926cbb5e1d9ea1249aa034afa5d0e510322b5ee6

      SHA256

      4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580

      SHA512

      00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Servicemanagaer.exe.log
      Filesize

      425B

      MD5

      4eaca4566b22b01cd3bc115b9b0b2196

      SHA1

      e743e0792c19f71740416e7b3c061d9f1336bf94

      SHA256

      34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

      SHA512

      bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\winhost1235.exe.log
      Filesize

      1KB

      MD5

      0672db2ef13237d5cb85075ff4915942

      SHA1

      ad8b4d3eb5e40791c47d48b22e273486f25f663f

      SHA256

      0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519

      SHA512

      84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe
      Filesize

      9KB

      MD5

      913967b216326e36a08010fb70f9dba3

      SHA1

      7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

      SHA256

      8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

      SHA512

      c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe
      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe.config
      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

      Download Submit

    • memory/2420-69-0x0000000000D40000-0x0000000000D48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3572-24-0x0000000002510000-0x0000000002522000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3572-30-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3572-26-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3572-25-0x0000000002570000-0x00000000025AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3572-22-0x00007FFBCA443000-0x00007FFBCA445000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3572-23-0x0000000000470000-0x000000000047C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4216-50-0x0000000005C20000-0x0000000005C6E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/4216-53-0x0000000006530000-0x0000000006548000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4216-76-0x00000000081D0000-0x00000000087E8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4216-81-0x00000000087F0000-0x00000000089B2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4216-77-0x0000000007BB0000-0x0000000007BC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4216-55-0x0000000006D20000-0x0000000006D2A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4216-80-0x0000000007DB0000-0x0000000007EBA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4216-79-0x0000000007C50000-0x0000000007C9C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4216-78-0x0000000007C10000-0x0000000007C4C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4216-51-0x0000000005CB0000-0x0000000005CC8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4216-75-0x00000000074C0000-0x0000000007526000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4216-54-0x00000000066F0000-0x0000000006700000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4512-33-0x000000001A830000-0x000000001A93A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4512-32-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4512-83-0x00007FFBCA440000-0x00007FFBCAF01000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4952-49-0x0000000075150000-0x0000000075900000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4952-2-0x0000000004C60000-0x0000000004C6E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4952-0-0x000000007515E000-0x000000007515F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4952-3-0x0000000075150000-0x0000000075900000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4952-7-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4952-5-0x0000000005290000-0x0000000005834000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4952-4-0x0000000004C70000-0x0000000004CCC000-memory.dmp

      Filesize

      368KB

      Download

    • memory/4952-8-0x0000000005250000-0x0000000005272000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4952-6-0x0000000004E00000-0x0000000004E92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4952-1-0x0000000000210000-0x00000000002FA000-memory.dmp

      Filesize

      936KB

      Download