Overview

overview

7

Static

static

3

13b606c1ea...18.exe

windows7-x64

7

13b606c1ea...18.exe

windows10-2004-x64

7

$APPDATA/o...er.exe

windows7-x64

3

$APPDATA/o...er.exe

windows10-2004-x64

3

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$TEMPfolde...l3.dll

windows7-x64

3

$TEMPfolde...l3.dll

windows10-2004-x64

3

$TEMPfolde...r4.dll

windows7-x64

3

$TEMPfolde...r4.dll

windows10-2004-x64

3

$TEMPfolde...c4.dll

windows7-x64

3

$TEMPfolde...c4.dll

windows10-2004-x64

3

$TEMPfolde...s4.dll

windows7-x64

3

$TEMPfolde...s4.dll

windows10-2004-x64

3

$TEMPfolde...s3.dll

windows7-x64

3

$TEMPfolde...s3.dll

windows10-2004-x64

3

$TEMPfolde...bi.dll

windows7-x64

3

$TEMPfolde...bi.dll

windows10-2004-x64

3

$TEMPfolde...m3.dll

windows7-x64

3

$TEMPfolde...m3.dll

windows10-2004-x64

3

$TEMPfolde...l3.dll

windows7-x64

3

$TEMPfolde...l3.dll

windows10-2004-x64

3

$TEMPfolde...on.exe

windows7-x64

7

$TEMPfolde...on.exe

windows10-2004-x64

7

$TEMPfolde...e3.dll

windows7-x64

3

$TEMPfolde...e3.dll

windows10-2004-x64

3

$TEMPfolde...n3.dll

windows7-x64

3

$TEMPfolde...n3.dll

windows10-2004-x64

3

$TEMPfolde...e3.dll

windows7-x64

3

$TEMPfolde...e3.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    92s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-10-2024 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $TEMPfolder/ortmp/orion.exe

  • Size

    1.1MB

  • MD5

    7166f7850b8bb5ef1c3d6eedd2f7fb6a

  • SHA1

    c56ab5c922b13fde7888c4573e14e1f85868f58e

  • SHA256

    16ab8660e4579f91f8be9d6363bd492593ec6c27763da2179f34f1f4799fbc70

  • SHA512

    59785782fa896435dc34d466cb1850525b35bb0831ff24ec8cfdadc2fa591b5ece7dea2f488c39e9fb91db06c8c6c0261569b1098903c53a833f0ce4f398011f

  • SSDEEP

    24576:6jySynMq8niqpQSV+KpP76O985l1YSQlkU0vJ+x2Tc/p/IP:mySxp9TNGxvA/p/IP

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMPfolder\ortmp\orion.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMPfolder\ortmp\orion.exe"
    1⤵
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3352

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\dnsapi.dll
    Filesize

    808KB

    MD5

    348a68340a0a3b773e071c9ad76482fc

    SHA1

    878ffebcef1998e6b0dd4e12e7925152dae590a2

    SHA256

    f0d77df045fa24246691c96e3d0e7713cf2e9a5324419d4a614bf07751b02749

    SHA512

    d26364402521228458c8fff0f1df304556e23da9aaa66386db18a5fd1eec59445552e6aaaca554ca0bd253716853b86b55d7398c59375d66d36877b8e898ab55

    Download Submit