Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-12-2024 01:02
General
-
Target
945be953a3c727167f2d0bf08830062d404e28c3e61c57458a1ce91b7d97aff7.exe
-
Size
924KB
-
MD5
da40621730da7f04a2b9548e1de7fb53
-
SHA1
9bd5431b68e24146252c98a00f92da2ef00a1f31
-
SHA256
945be953a3c727167f2d0bf08830062d404e28c3e61c57458a1ce91b7d97aff7
-
SHA512
997ecf148b2950a51b26d8f90be80cb84a730f3a2bd7534880217f92a7916ffeb6482d70a89f0cc2f4fdda10c6ef41b69af5cb4405c96f66b0ffa3944280d5b5
-
SSDEEP
24576:Dzra4MROxnFE3KrXpprZlI0AilFEvxHi6j:Dz1MiuQpprZlI0AilFEvxHi
Malware Config
Extracted
orcus
С новым годом
192.168.0.47:10134
b5f1e47ccf614de682f6a6dee499b151
-
autostart_method
TaskScheduler
-
enable_keylogger
true
-
install_path
%programfiles%\OperaaGx\OperaaGx.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
OperaaGx
-
watchdog_path
AppData\OperaaGx.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 1 IoCs
-
Orcurs Rat Executable 2 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\945be953a3c727167f2d0bf08830062d404e28c3e61c57458a1ce91b7d97aff7.exe"C:\Users\Admin\AppData\Local\Temp\945be953a3c727167f2d0bf08830062d404e28c3e61c57458a1ce91b7d97aff7.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\draqbtoj.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E23.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2E22.tmp"3⤵
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Program Files\OperaaGx\OperaaGx.exe"C:\Program Files\OperaaGx\OperaaGx.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\OperaaGx.exe"C:\Users\Admin\AppData\Roaming\OperaaGx.exe" /launchSelfAndExit "C:\Program Files\OperaaGx\OperaaGx.exe" 516 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\OperaaGx.exe"C:\Users\Admin\AppData\Roaming\OperaaGx.exe" /watchProcess "C:\Program Files\OperaaGx\OperaaGx.exe" 516 "/protectFile"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\OperaaGx\OperaaGx.exe"C:\Program Files\OperaaGx\OperaaGx.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
924KB
MD5da40621730da7f04a2b9548e1de7fb53
SHA19bd5431b68e24146252c98a00f92da2ef00a1f31
SHA256945be953a3c727167f2d0bf08830062d404e28c3e61c57458a1ce91b7d97aff7
SHA512997ecf148b2950a51b26d8f90be80cb84a730f3a2bd7534880217f92a7916ffeb6482d70a89f0cc2f4fdda10c6ef41b69af5cb4405c96f66b0ffa3944280d5b5
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
1KB
MD5fff7778d1e2736a54354c503f04caa93
SHA16396baef42519c375af4e6618623275969a75d2e
SHA2560dfe5eb7d3a416660a6f07596dede0ccf93d4cba7f0ea2269ef93151e0459ad4
SHA512bc06b5328339787a1309af090371c371a01be8f7000b3cdc69d6991bf980e63ba15eafdcabcb63321cf67c91e0dde6b1aa011fc457636f9b446481e8731f781c
-
Filesize
76KB
MD584dfea04b42c3f2572e41559dfbe4072
SHA1a0d2ed56740b689244d406b76996a4c5ddb0700c
SHA2561cee537fb179e85abb4aaabd23d88ccb6b850d971023caa059f0a0d5c114f86e
SHA5126800562d596a89e56b79c7047c85d8e912b6db3352bbdcad600b7f840178556f50987aae8c09bdf337da0be8095fa9828a46079b15a4629a9fbbeb86ee98f5e0
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
1KB
MD5a62d24af9cb9649603c9aac919e4a788
SHA13195950a465fb691bda5afd9124ce349cef09222
SHA256cb0db5d0c93f619b89b06ffc68e9b0f35d2301c0998df7a9044b07d5d36b0905
SHA512c22315703a4b06ff117a74b562ceedf3f095f764fcc298f8b6a468c5e6a23eac3d683057ba5f885d2105225ccb189c3f5e45198d21b9cece3d16a672962e3786
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
676B
MD55320aa488c49c382a47e8d4a7c8479a1
SHA183154f1d4589f5b0a5f23f00262d7ec0c9933049
SHA2569e841f40dd2c8e4302ca0268ecf568d20d593f074e55ad3e14e8e03ffc9621a9
SHA51225aa6c53a4f0d85a4a8ba11f1ed9715bc03e6ce04ac02bbea75c0f1bc1abfdff658fdce3b4ae903914c66e8036618885fa363e6a980d9e9cd041115f923a79a8
-
Filesize
208KB
MD5313f5e5ea882a83f1a2268af2776b7e9
SHA15c5d887d1ada9b19236c8541969dd1c14cad3b99
SHA25655a632c5397e15a126ecf0394f0722d816266238eb2da7b3105c31f3dcac5e4e
SHA5123904ddf01d6c1c7056b72f7837bb4fe9c96bcbef1896c8fd1fc76070e261b7b7bb75ea26c0c3cb9cd55bf5d77a744270780ccad429cfd0029bb09b01d5710ea2
-
Filesize
349B
MD57a63698decdc2486d4d03260c5da965c
SHA199a0371983149e6732a3dbbabda400f1d3750c0d
SHA256fcae017b663e0a9f097b2285119469eae22c77361c2739d896ab136bf09af311
SHA512971a3ed21f05a24d370e23725ee13c2cf16a61fdabed322c8ce839f530106c7cf343833b0f383a7a8c6033de9c956c891b02f2165b9b81ad407e73f60111c88b
-
Filesize
32KB
-
Filesize
312KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
952KB
-
Filesize
1.8MB
-
Filesize
1.0MB
-
Filesize
8KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
5.7MB
-
Filesize
128KB
-
Filesize
392KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
292KB
-
Filesize
120KB
-
Filesize
960KB
-
Filesize
4KB
-
Filesize
448KB
-
Filesize
9.6MB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
9.6MB
-
Filesize
368KB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
56KB
-
Filesize
9.6MB
-
Filesize
9.6MB