Overview

overview

10

Static

static

10

snos.exe

windows7-x64

10

snos.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2024 21:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    snos.exe

  • Size

    916KB

  • MD5

    defc2abbed64bb0a53c7b9fa04d9d114

  • SHA1

    926cbb5e1d9ea1249aa034afa5d0e510322b5ee6

  • SHA256

    4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580

  • SHA512

    00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842

  • SSDEEP

    24576:NVWC4MROxnFD3krXYf1rrcI0AilFEvxHPdmoo6:NqMiJtrrcI0AilFEvxHP

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

45.200.148.205:10134

Mutex

2857e61aa1024db89df5be17078af5ab

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\sistemwinhost\winhost1235.exe

  • reconnect_delay

    10000

  • registry_keyname

    registry

  • taskscheduler_taskname

    registre

  • watchdog_path

    AppData\Servicemanagaer.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 3 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\snos.exe
    "C:\Users\Admin\AppData\Local\Temp\snos.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:2356
    • C:\Program Files (x86)\sistemwinhost\winhost1235.exe
      "C:\Program Files (x86)\sistemwinhost\winhost1235.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe
        "C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe" /launchSelfAndExit "C:\Program Files (x86)\sistemwinhost\winhost1235.exe" 2604 /protectFile
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe
          "C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe" /watchProcess "C:\Program Files (x86)\sistemwinhost\winhost1235.exe" 2604 "/protectFile"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1484
      • C:\Windows\SysWOW64\WindowsInput.exe
        "C:\Windows\SysWOW64\WindowsInput.exe" --uninstall
        3⤵
        • Executes dropped EXE
        PID:1660
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\{47774f00-dd74-4de6-a515-de13786e43a1}.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2464
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo j "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files (x86)\sistemwinhost\winhost1235.exe""
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1984
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo j "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{47774f00-dd74-4de6-a515-de13786e43a1}.bat"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1148
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:1264
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {91853232-3896-44DA-9426-9853A79801A6} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Program Files (x86)\sistemwinhost\winhost1235.exe
      "C:\Program Files (x86)\sistemwinhost\winhost1235.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabCBF8.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{47774f00-dd74-4de6-a515-de13786e43a1}.bat
    Filesize

    191B

    MD5

    f133cad1e864958bb59294a000a3692a

    SHA1

    f2d97bebd60f82c6c051af270934777c210a46ce

    SHA256

    e9d6413336a1acb9ce052c29517dc3d74e82c4aa8f54fdb7e4653f0851c59e03

    SHA512

    e09ea0d3cf45a16c4a29ed06bcf6aeb093b8e200750ddd8a8c528e224cd34a66e19e2c48c8cb8de55461b3842313e3e4e2cde64d96398d395f44e39af6a824e5

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.InstallState
    Filesize

    7KB

    MD5

    362ce475f5d1e84641bad999c16727a0

    SHA1

    6b613c73acb58d259c6379bd820cca6f785cc812

    SHA256

    1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

    SHA512

    7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.exe.config
    Filesize

    357B

    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    Download Submit

  • \Program Files (x86)\sistemwinhost\winhost1235.exe
    Filesize

    916KB

    MD5

    defc2abbed64bb0a53c7b9fa04d9d114

    SHA1

    926cbb5e1d9ea1249aa034afa5d0e510322b5ee6

    SHA256

    4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580

    SHA512

    00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842

    Download Submit

  • \Users\Admin\AppData\Roaming\Servicemanagaer.exe
    Filesize

    9KB

    MD5

    913967b216326e36a08010fb70f9dba3

    SHA1

    7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

    SHA256

    8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

    SHA512

    c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    Download Submit

  • \Windows\SysWOW64\WindowsInput.exe
    Filesize

    21KB

    MD5

    e6fcf516d8ed8d0d4427f86e08d0d435

    SHA1

    c7691731583ab7890086635cb7f3e4c22ca5e409

    SHA256

    8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

    SHA512

    c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

    Download Submit

  • memory/1152-32-0x00000000748F0000-0x0000000074FDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1152-5-0x00000000003F0000-0x0000000000402000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1152-4-0x00000000748F0000-0x0000000074FDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1152-3-0x0000000002030000-0x000000000208C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/1152-2-0x00000000002F0000-0x00000000002FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1152-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1152-1-0x00000000008E0000-0x00000000009CA000-memory.dmp

    Filesize

    936KB

    Download

  • memory/1264-21-0x00000000009A0000-0x00000000009AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2356-19-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2356-16-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2356-15-0x00000000008B0000-0x00000000008BC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2356-13-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-33-0x0000000001100000-0x00000000011EA000-memory.dmp

    Filesize

    936KB

    Download

  • memory/2604-34-0x0000000000CD0000-0x0000000000D1E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2604-35-0x0000000000F40000-0x0000000000F58000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2604-36-0x0000000000F60000-0x0000000000F70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3064-47-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

    Filesize

    32KB

    Download