General
-
Target
https://cdn.discordapp.com/attachments/1300886873148756050/1300960864043663533/winws.exe?ex=6722bdb8&is=67216c38&hm=6421a3d612c9b6c41279c7a97310aba4b86dbc69dc16a3bc8027d28cde7073e8&
-
Sample
241029-275w1a1hjg
Malware Config
Extracted
orcus
Roblox
89.23.100.155:1337
52641f3c61234743ba12f855fdae3135
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%AppData%\Windows\Helper\WinHelper32.exe
-
reconnect_delay
10000
-
registry_keyname
WinHelper32.exe
-
taskscheduler_taskname
WinHelper32
-
watchdog_path
AppData\WinHelperWatchdog.exe
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1300886873148756050/1300960864043663533/winws.exe?ex=6722bdb8&is=67216c38&hm=6421a3d612c9b6c41279c7a97310aba4b86dbc69dc16a3bc8027d28cde7073e8&
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
DCRat payload
-
Orcurs Rat Executable
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Hijack Execution Flow: Executable Installer File Permissions Weakness
Possible Turn off User Account Control's privilege elevation for standard users.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
8Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
1Query Registry
4Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1