Resubmissions
26-10-2024 23:19
241026-3a1rfsxrgm 1026-10-2024 23:18
241026-3absbs1fnl 1026-10-2024 23:16
241026-29dkjaymaw 10Analysis
-
max time kernel
289s -
max time network
298s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
26-10-2024 23:16
Behavioral task
behavioral1
Sample
test.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
test.exe
Resource
win10ltsc2021-20241023-en
Behavioral task
behavioral3
Sample
test.exe
Resource
win11-20241007-en
General
-
Target
test.exe
-
Size
3.0MB
-
MD5
7b3150ddd3df859f8f6f36cb041b23f7
-
SHA1
c3934ab76025c17cab3d309a96c1e32df9ad9d65
-
SHA256
675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
-
SHA512
a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
-
SSDEEP
49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw
Malware Config
Extracted
orcus
Index1337z-43991.portmap.host:43991
be9b19219c62425cbffd5b98125d81a6
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral2/memory/4228-24-0x0000000001470000-0x000000000147A000-memory.dmp disable_win_def -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Orcus.exe -
Orcus family
-
Orcus main payload 1 IoCs
resource yara_rule behavioral2/files/0x00290000000451ad-172.dat family_orcus -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" test.exe -
Orcurs Rat Executable 2 IoCs
resource yara_rule behavioral2/files/0x00290000000451ad-172.dat orcus behavioral2/memory/3032-175-0x00000000007E0000-0x0000000000ADC000-memory.dmp orcus -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation test.exe Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation Orcus.exe -
Executes dropped EXE 1 IoCs
pid Process 3032 Orcus.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" Orcus.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" test.exe -
pid Process 3336 powershell.exe 1580 powershell.exe 4988 powershell.exe 3384 powershell.exe 2064 powershell.exe 232 powershell.exe 4380 powershell.exe 3892 powershell.exe 3408 powershell.exe 2280 powershell.exe 3396 powershell.exe 4444 powershell.exe 868 powershell.exe 636 powershell.exe 2780 powershell.exe 4532 powershell.exe 568 powershell.exe 4424 powershell.exe 1840 powershell.exe 3084 powershell.exe 4596 powershell.exe 3156 powershell.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" Orcus.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Orcus\Orcus.exe test.exe File created C:\Program Files\Orcus\Orcus.exe.config test.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2408 powershell.exe 2408 powershell.exe 3084 powershell.exe 4444 powershell.exe 3084 powershell.exe 868 powershell.exe 4444 powershell.exe 3384 powershell.exe 4596 powershell.exe 4596 powershell.exe 4596 powershell.exe 2064 powershell.exe 2064 powershell.exe 3892 powershell.exe 3892 powershell.exe 232 powershell.exe 232 powershell.exe 868 powershell.exe 868 powershell.exe 3408 powershell.exe 3408 powershell.exe 3336 powershell.exe 3336 powershell.exe 636 powershell.exe 636 powershell.exe 3384 powershell.exe 3384 powershell.exe 2064 powershell.exe 232 powershell.exe 3892 powershell.exe 3408 powershell.exe 636 powershell.exe 3336 powershell.exe 2400 powershell.exe 2400 powershell.exe 2780 powershell.exe 2280 powershell.exe 3396 powershell.exe 3396 powershell.exe 4532 powershell.exe 4532 powershell.exe 4380 powershell.exe 4380 powershell.exe 1580 powershell.exe 1580 powershell.exe 2780 powershell.exe 2780 powershell.exe 3396 powershell.exe 568 powershell.exe 568 powershell.exe 4424 powershell.exe 4424 powershell.exe 1840 powershell.exe 1840 powershell.exe 3156 powershell.exe 3156 powershell.exe 4988 powershell.exe 4988 powershell.exe 3156 powershell.exe 404 taskmgr.exe 404 taskmgr.exe 4532 powershell.exe 4532 powershell.exe 2280 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2408 powershell.exe Token: SeIncreaseQuotaPrivilege 2408 powershell.exe Token: SeSecurityPrivilege 2408 powershell.exe Token: SeTakeOwnershipPrivilege 2408 powershell.exe Token: SeLoadDriverPrivilege 2408 powershell.exe Token: SeSystemProfilePrivilege 2408 powershell.exe Token: SeSystemtimePrivilege 2408 powershell.exe Token: SeProfSingleProcessPrivilege 2408 powershell.exe Token: SeIncBasePriorityPrivilege 2408 powershell.exe Token: SeCreatePagefilePrivilege 2408 powershell.exe Token: SeBackupPrivilege 2408 powershell.exe Token: SeRestorePrivilege 2408 powershell.exe Token: SeShutdownPrivilege 2408 powershell.exe Token: SeDebugPrivilege 2408 powershell.exe Token: SeSystemEnvironmentPrivilege 2408 powershell.exe Token: SeRemoteShutdownPrivilege 2408 powershell.exe Token: SeUndockPrivilege 2408 powershell.exe Token: SeManageVolumePrivilege 2408 powershell.exe Token: 33 2408 powershell.exe Token: 34 2408 powershell.exe Token: 35 2408 powershell.exe Token: 36 2408 powershell.exe Token: SeDebugPrivilege 3084 powershell.exe Token: SeDebugPrivilege 4444 powershell.exe Token: SeDebugPrivilege 868 powershell.exe Token: SeDebugPrivilege 3384 powershell.exe Token: SeDebugPrivilege 4596 powershell.exe Token: SeDebugPrivilege 2064 powershell.exe Token: SeDebugPrivilege 3892 powershell.exe Token: SeDebugPrivilege 232 powershell.exe Token: SeDebugPrivilege 3408 powershell.exe Token: SeDebugPrivilege 3336 powershell.exe Token: SeDebugPrivilege 636 powershell.exe Token: SeIncreaseQuotaPrivilege 3084 powershell.exe Token: SeSecurityPrivilege 3084 powershell.exe Token: SeTakeOwnershipPrivilege 3084 powershell.exe Token: SeLoadDriverPrivilege 3084 powershell.exe Token: SeSystemProfilePrivilege 3084 powershell.exe Token: SeSystemtimePrivilege 3084 powershell.exe Token: SeProfSingleProcessPrivilege 3084 powershell.exe Token: SeIncBasePriorityPrivilege 3084 powershell.exe Token: SeCreatePagefilePrivilege 3084 powershell.exe Token: SeBackupPrivilege 3084 powershell.exe Token: SeRestorePrivilege 3084 powershell.exe Token: SeShutdownPrivilege 3084 powershell.exe Token: SeDebugPrivilege 3084 powershell.exe Token: SeSystemEnvironmentPrivilege 3084 powershell.exe Token: SeRemoteShutdownPrivilege 3084 powershell.exe Token: SeUndockPrivilege 3084 powershell.exe Token: SeManageVolumePrivilege 3084 powershell.exe Token: 33 3084 powershell.exe Token: 34 3084 powershell.exe Token: 35 3084 powershell.exe Token: 36 3084 powershell.exe Token: SeIncreaseQuotaPrivilege 4444 powershell.exe Token: SeSecurityPrivilege 4444 powershell.exe Token: SeTakeOwnershipPrivilege 4444 powershell.exe Token: SeLoadDriverPrivilege 4444 powershell.exe Token: SeSystemProfilePrivilege 4444 powershell.exe Token: SeSystemtimePrivilege 4444 powershell.exe Token: SeProfSingleProcessPrivilege 4444 powershell.exe Token: SeIncBasePriorityPrivilege 4444 powershell.exe Token: SeCreatePagefilePrivilege 4444 powershell.exe Token: SeBackupPrivilege 4444 powershell.exe -
Suspicious use of FindShellTrayWindow 34 IoCs
pid Process 3032 Orcus.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 3032 Orcus.exe -
Suspicious use of SendNotifyMessage 33 IoCs
pid Process 3032 Orcus.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe 404 taskmgr.exe -
Suspicious use of WriteProcessMemory 54 IoCs
description pid Process procid_target PID 4228 wrote to memory of 1776 4228 test.exe 84 PID 4228 wrote to memory of 1776 4228 test.exe 84 PID 1776 wrote to memory of 4380 1776 csc.exe 86 PID 1776 wrote to memory of 4380 1776 csc.exe 86 PID 4228 wrote to memory of 2408 4228 test.exe 87 PID 4228 wrote to memory of 2408 4228 test.exe 87 PID 4228 wrote to memory of 3084 4228 test.exe 90 PID 4228 wrote to memory of 3084 4228 test.exe 90 PID 4228 wrote to memory of 4444 4228 test.exe 92 PID 4228 wrote to memory of 4444 4228 test.exe 92 PID 4228 wrote to memory of 3384 4228 test.exe 94 PID 4228 wrote to memory of 3384 4228 test.exe 94 PID 4228 wrote to memory of 868 4228 test.exe 96 PID 4228 wrote to memory of 868 4228 test.exe 96 PID 4228 wrote to memory of 4596 4228 test.exe 98 PID 4228 wrote to memory of 4596 4228 test.exe 98 PID 4228 wrote to memory of 2064 4228 test.exe 100 PID 4228 wrote to memory of 2064 4228 test.exe 100 PID 4228 wrote to memory of 3892 4228 test.exe 102 PID 4228 wrote to memory of 3892 4228 test.exe 102 PID 4228 wrote to memory of 232 4228 test.exe 104 PID 4228 wrote to memory of 232 4228 test.exe 104 PID 4228 wrote to memory of 3336 4228 test.exe 106 PID 4228 wrote to memory of 3336 4228 test.exe 106 PID 4228 wrote to memory of 3408 4228 test.exe 107 PID 4228 wrote to memory of 3408 4228 test.exe 107 PID 4228 wrote to memory of 636 4228 test.exe 109 PID 4228 wrote to memory of 636 4228 test.exe 109 PID 4228 wrote to memory of 3032 4228 test.exe 112 PID 4228 wrote to memory of 3032 4228 test.exe 112 PID 3032 wrote to memory of 2400 3032 Orcus.exe 113 PID 3032 wrote to memory of 2400 3032 Orcus.exe 113 PID 3032 wrote to memory of 2780 3032 Orcus.exe 115 PID 3032 wrote to memory of 2780 3032 Orcus.exe 115 PID 3032 wrote to memory of 4532 3032 Orcus.exe 117 PID 3032 wrote to memory of 4532 3032 Orcus.exe 117 PID 3032 wrote to memory of 2280 3032 Orcus.exe 119 PID 3032 wrote to memory of 2280 3032 Orcus.exe 119 PID 3032 wrote to memory of 3396 3032 Orcus.exe 121 PID 3032 wrote to memory of 3396 3032 Orcus.exe 121 PID 3032 wrote to memory of 4380 3032 Orcus.exe 123 PID 3032 wrote to memory of 4380 3032 Orcus.exe 123 PID 3032 wrote to memory of 1580 3032 Orcus.exe 125 PID 3032 wrote to memory of 1580 3032 Orcus.exe 125 PID 3032 wrote to memory of 568 3032 Orcus.exe 127 PID 3032 wrote to memory of 568 3032 Orcus.exe 127 PID 3032 wrote to memory of 4424 3032 Orcus.exe 129 PID 3032 wrote to memory of 4424 3032 Orcus.exe 129 PID 3032 wrote to memory of 1840 3032 Orcus.exe 131 PID 3032 wrote to memory of 1840 3032 Orcus.exe 131 PID 3032 wrote to memory of 3156 3032 Orcus.exe 133 PID 3032 wrote to memory of 3156 3032 Orcus.exe 133 PID 3032 wrote to memory of 4988 3032 Orcus.exe 135 PID 3032 wrote to memory of 4988 3032 Orcus.exe 135 -
System policy modification 1 TTPs 14 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" Orcus.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" test.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" Orcus.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4228 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rtcgrppr.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE540.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE53F.tmp"3⤵PID:4380
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636
-
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3032 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 63⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 03⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 63⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 63⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 23⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4988
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:404
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD57b3150ddd3df859f8f6f36cb041b23f7
SHA1c3934ab76025c17cab3d309a96c1e32df9ad9d65
SHA256675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
SHA512a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD50f1bf4207c100442afb6f174495b7e10
SHA177ab64a201e4c57bbda4f0c3306bee76e9513b44
SHA256c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d
SHA51229bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94
-
Filesize
1KB
MD55e22dd1cda88782a1f52f76e748ef957
SHA13231826619a06fa541e2bfb21da445bd7013b5ac
SHA25673302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec
SHA51275039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498
-
Filesize
64B
MD5feadc4e1a70c13480ef147aca0c47bc0
SHA1d7a5084c93842a290b24dacec0cd3904c2266819
SHA2565b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac
SHA512c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23
-
Filesize
64B
MD5d8b9a260789a22d72263ef3bb119108c
SHA1376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b
-
Filesize
1KB
MD5f16b9d85d5011afe1a885bba22738007
SHA1d8049d1228dec8de0926edbf13e5e5cafe4919a2
SHA256bb87182ee2adb4c1f68864fdee0fd4d614894ff91811c2adc083652255ac2c79
SHA5123b81d45d9ceb1d2bfd9e0c734d24d54caeb6bb660dc40c4fd294a34e8e193724018ded3f821ec90fe0ad3b4550d79302dfe2fef300cce5a1ddd92c47db159e05
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
76KB
MD55d03837965d61d36f074f5e43655de8a
SHA1c8de04df8f05b89b17717f67d68aee64c6b38a1b
SHA256ef9fdfc59b1822a9dda285ea7d4acaa5b4aa9516643af7138f50c268b6e82fed
SHA51270314a3b73bbd63f66a47c5f9c34ecae7ad6d73bb0f581840578cc0557e66fa5d9333caa1af5415b96881314f15ef88d543a68a0ab331e11d793c21e90a201c0
-
Filesize
676B
MD549f9f9888ef393b40d04e2d4ca0e717b
SHA18be6d52617239d8f43f20a6a73efbddd6dcaa3bb
SHA2564a6b55a4f5d04d714107a5a7823535ff9c85ac9a4ec050dcbc0777dc3b61fb7a
SHA5126a9261cc57554162d58d6535c7b7fb24f3b9558ce40b92d433c932d5aa5a99f7a14a6b080e1ebdda322238c3345fa87f0e71779899e9470405e23d43de03fe6c
-
Filesize
208KB
MD5900544393c63f9f37ef224e55b5ca0f4
SHA109639f80f287273a83543124d16acbf55b510d1d
SHA256e8bf18a6eb79394e7ef791b6fb4cfc3cab343e1ccffb95624c0a4efb8b54beaa
SHA512594167581ca7224cd4c51e4139371cfdeed841329b87d1a47c302d93cc7de3654a5b83ae6808d225f2996d6eaa92e56855fc3488d3df9c60ff2b98e4599f2386
-
Filesize
349B
MD59f460bdb40344296a3a009af83df4e53
SHA197cc87e98d349514e9df48624bdfbbad50fce0a9
SHA256a62aad7d8d4d6bb7f44ac0286cbd2769480177886596d651c66f07cad12175a2
SHA512ae2bb908abdac1ff68e76fb42129a1812ca1c897256fbdfbde5fbc2fdf751d48d64757929326cf4122f76d635b4156698434978e07ae7b50041f057629518da1