Analysis
-
max time kernel
77s -
max time network
82s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-12-2024 18:03
General
-
Target
Extra_Moge.rar
-
Size
2.6MB
-
MD5
a123deba315e0b3ad1e18b0990d448da
-
SHA1
ee7a5da1d184004850118d2bf843680d9e4cc187
-
SHA256
5607ca389a6be944820b7b4bd30406e3ed83a262da29ccfe15be9238a0c174ec
-
SHA512
6069f82471d0eefc72056344e1f36abfed65a13eebfc1f680ab6d268b91e01315c828ff616d8c97d47c32c4443b118719dc113cee0aaa8b0e848f107d3be63e3
-
SSDEEP
49152:sKUQ5CPOePuefaUu+JAcHgRpJBUmDIIYxQFN53KyEn/P0bVNure:sKUQ5CP1PdfWXFMiFLtMRe
Malware Config
Extracted
orcus
Extra Moge
31.44.184.52:15288
sudo_7p2chwc9jshuy0noeroo9kyd53z5e34p
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%appdata%\generatoruploadsto\wpbase.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 1 IoCs
-
Orcurs Rat Executable 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 51 IoCs
-
Suspicious use of SendNotifyMessage 48 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Extra_Moge.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\Extra Moge.exe"C:\Users\Admin\Desktop\Extra Moge.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\generatoruploadsto\wpbase.exe"C:\Users\Admin\AppData\Roaming\generatoruploadsto\wpbase.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Roaming\generatoruploadsto\wpbase.exeC:\Users\Admin\AppData\Roaming\generatoruploadsto\wpbase.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\generatoruploadsto\wpbase.exeC:\Users\Admin\AppData\Roaming\generatoruploadsto\wpbase.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Roaming\generatoruploadsto\wpbase.exeC:\Users\Admin\AppData\Roaming\generatoruploadsto\wpbase.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50672db2ef13237d5cb85075ff4915942
SHA1ad8b4d3eb5e40791c47d48b22e273486f25f663f
SHA2560a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519
SHA51284ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b
-
Filesize
1KB
MD5663b8d5469caa4489d463aa9bc18124f
SHA1e57123a7d969115853ea631a3b33826335025d28
SHA2567b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA51245e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55
-
Filesize
64KB
MD5987a07b978cfe12e4ce45e513ef86619
SHA122eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA51239b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa
-
Filesize
1024KB
MD5664533d240d6e6107e9d879ad060e259
SHA1db48d0d90abfbfff8c4a7aff34e61849470d9553
SHA25623eff4a1262b9885c6c6d2ee79c474ac16005a461adc06147c5f729592205104
SHA5120ae87a4f97c7055cfb7925a9dc5ee561fb03a5c7c510470273320345f19b1d6acd63c78a36e6faf0fe7032bf7a43f7c8b1f29357de59a6e5e76ae0f9f26f23e7
-
Filesize
68KB
MD5a252ca192635a90bc939b81efc7e2b2b
SHA1024c20fd8421afd71bec9bb38e59783747febd21
SHA256716cef82b9ff2dc7c521766f531d25a3837d3a201ce21c11586cf5da27717d96
SHA512bfddc262d7d427eca649baa3570f84d4a6b09fd82706d7d8c01d443f1ea2d806a4621afead5284380451f5500b4b560fe0b114e693981bf7a8a31fd88d3fd1c1
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1KB
MD56a53e43d70562efcb2aeb2f61319692b
SHA148efbd8ad12f7fd82f9be9adff3acf638482dd94
SHA256b375d5da78b105a9d88cfe1a58a0681af7f87dc4aa135fe8e4aa17ee0c8e6a1f
SHA512d08e5157dd2fd9084e213d15b77b5997a09b7b119ef601850cc8bfd88e400f85357265d2d2aa1bc0782325b801153e071e5b259223109e7ce6fb9f66d991c903
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
3.0MB
MD505ed43bd2c5b96fde7765f9353e8fa88
SHA16ba4dfa2aaddd6052428d53362e093296817d8ca
SHA256c538b2b2c972b5d45a1eac86eca74ddbc71dd6fded8b2f551b11520cccaac041
SHA5121d62abc291709cc972f45b46a2ccf44d1b4b69b275c6cc4923d2ae20b4089888a5a769582794512b2e392e1a9285c381a59df9cfc463930e4cc698917133d1fe
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
312KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
368KB
-
Filesize
3.0MB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
4KB