Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
19-12-2024 01:02
General
-
Target
945be953a3c727167f2d0bf08830062d404e28c3e61c57458a1ce91b7d97aff7.exe
-
Size
924KB
-
MD5
da40621730da7f04a2b9548e1de7fb53
-
SHA1
9bd5431b68e24146252c98a00f92da2ef00a1f31
-
SHA256
945be953a3c727167f2d0bf08830062d404e28c3e61c57458a1ce91b7d97aff7
-
SHA512
997ecf148b2950a51b26d8f90be80cb84a730f3a2bd7534880217f92a7916ffeb6482d70a89f0cc2f4fdda10c6ef41b69af5cb4405c96f66b0ffa3944280d5b5
-
SSDEEP
24576:Dzra4MROxnFE3KrXpprZlI0AilFEvxHi6j:Dz1MiuQpprZlI0AilFEvxHi
Malware Config
Extracted
orcus
С новым годом
192.168.0.47:10134
b5f1e47ccf614de682f6a6dee499b151
-
autostart_method
TaskScheduler
-
enable_keylogger
true
-
install_path
%programfiles%\OperaaGx\OperaaGx.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
OperaaGx
-
watchdog_path
AppData\OperaaGx.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 1 IoCs
-
Orcurs Rat Executable 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\945be953a3c727167f2d0bf08830062d404e28c3e61c57458a1ce91b7d97aff7.exe"C:\Users\Admin\AppData\Local\Temp\945be953a3c727167f2d0bf08830062d404e28c3e61c57458a1ce91b7d97aff7.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gmnyzn8o.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE754.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE753.tmp"3⤵
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Program Files\OperaaGx\OperaaGx.exe"C:\Program Files\OperaaGx\OperaaGx.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\OperaaGx.exe"C:\Users\Admin\AppData\Roaming\OperaaGx.exe" /launchSelfAndExit "C:\Program Files\OperaaGx\OperaaGx.exe" 2376 /protectFile3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\OperaaGx.exe"C:\Users\Admin\AppData\Roaming\OperaaGx.exe" /watchProcess "C:\Program Files\OperaaGx\OperaaGx.exe" 2376 "/protectFile"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\taskeng.exetaskeng.exe {0E6D8458-8148-4D29-9EDA-CE16BADD8A14} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\OperaaGx\OperaaGx.exe"C:\Program Files\OperaaGx\OperaaGx.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
924KB
MD5da40621730da7f04a2b9548e1de7fb53
SHA19bd5431b68e24146252c98a00f92da2ef00a1f31
SHA256945be953a3c727167f2d0bf08830062d404e28c3e61c57458a1ce91b7d97aff7
SHA512997ecf148b2950a51b26d8f90be80cb84a730f3a2bd7534880217f92a7916ffeb6482d70a89f0cc2f4fdda10c6ef41b69af5cb4405c96f66b0ffa3944280d5b5
-
Filesize
1KB
MD575f3d72b217a267d2f1da906dec0c371
SHA1126a516fd04b84ef19fa9ce096ebd14878d37418
SHA25629e39ab58d3f3dd1c9bc35783fd7c62e22f42ae0636cb3d58842cf205b288504
SHA512e5ba82a7dffbe493a860c6df6528636edf57dacf785b5d08f309123eb2ee1299244c22b34c247424b8db6f94f65406ba8732af08f40642877be2e3e298a9a7d6
-
Filesize
76KB
MD58e3a81b965d7589fd28c6beac7981d51
SHA16f0b0481b9665056218f59182318d778fd1d1aa9
SHA25675b9c79f45797ca0c85aa4d1a886ddd642933b2a1a35f476dfc26a65ad84dc72
SHA512aa350d6f5591b73639d45b7e1958e9f7ccc652cb9a0c85d450f80d3b5ef8f4ffc0b1a12a4045f98c67dbead75831846d01b6135bad7de3ea941a0cf2dcc49497
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
1KB
MD5caf292701820aed44b56185566259bb6
SHA17b164be2bc81aa21fba0e431c997ba5652399261
SHA256ce5dbe446531781d97e80c73fe2e03218a8a89ee7941c09b1e8ec620b91d0afc
SHA512b1da4c1c58bdd42dda60cc6fa680f69b8c4806a7899dd380762a4ee893e4fac4a931c1e0af7cda713d2af3829f1f3da2392aa828dd5f0e1898fc28d3180078a8
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
676B
MD5ad0c3827458aa49be1cc47ea9c64f432
SHA1cb523aae44b3b885998515e917be06d2ed963e9c
SHA256ff521b43feff1470ce9efdcdfe9c198bf9568a047f5739436bd8fbe5940ee31a
SHA5126e017aaf01fc59ae878995ff9b038dd71cbe35b383000e4e477f39775307a0fba9bc3a8c4dc69980ee85eca10330dfb4e89e2dee5555a0e7cc3533748abf22d2
-
Filesize
208KB
MD541493ec1f94f08b8271fc4fbd58e2bac
SHA1afa65054296564e2cc423779da50778ebe8e8a4f
SHA25610296d9428c14982778b8b7d3670d246f05d1b1da07664df1de5593174501343
SHA512ca2340de3cfb87fb48e3d57fe51e49eb8c56e7fb53bf1b68124c6d50b2c813ff8eb8b2fff05919c25d7366d9323319bfadba5a3200a6178753c4f8880498e90c
-
Filesize
349B
MD537d96165335e5fb1d2d8e10369b06321
SHA140758391dc863c93c6a7b31263390c89b956ff34
SHA2569165e21db554f7d5ecc9392d94bdc49234f479a5bc235375e579c85411290fa5
SHA51214a3d7ad7542e56ce6018d86ed1f48043b6722e60320ef5fc2e6092fedcd488e443ccb7e65098cfbf260a366b905c8b1dc1720d73ee59e22ee3cab2436313bb2
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
56KB
-
Filesize
9.6MB
-
Filesize
368KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
88KB
-
Filesize
72KB
-
Filesize
952KB
-
Filesize
312KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
48KB