Overview

overview

10

Static

static

10

bb16e46d06...31.exe

windows7-x64

10

bb16e46d06...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2024 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb16e46d068bc395bdcb7f3cc338ee03381a102f524316b5935fb5cb4d113031.exe

  • Size

    3.0MB

  • MD5

    5cc99251e0b8789e36ad013b38c75632

  • SHA1

    7aae31f2e5cf63e7e3a0d926f0f3c186565ebdc6

  • SHA256

    bb16e46d068bc395bdcb7f3cc338ee03381a102f524316b5935fb5cb4d113031

  • SHA512

    4be001412f90ce660b6e673e3eaf301cffa53a81b4b548d1b322bec976fd2d3a43b101299824c25cba5cd4d761ee5cf8b8940c23433910be11671a27f524bee4

  • SSDEEP

    49152:3gt1ZeM9/3EgHcyH4Z9fVTB4krLzS+HAypQxbOqUo9JnCmuxI3lGnlFreInnczWL:3gtGjzD5rfLgypSbKo9JCmn3E

Score
10/10
orcusbabylondiscoverypersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

Babylon

C2

vimeworldserverstat.serveminecraft.net:443

Mutex

a19e8216786644dc8db8ae5307f5d5be

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %appdata%\Microsoft Edge\UpdateService.exe

  • reconnect_delay

    10000

  • registry_keyname

    Microsoft Edge Update Service

  • taskscheduler_taskname

    Microsoft Edge Update Service

  • watchdog_path

    AppData\EdgeUpdate.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb16e46d068bc395bdcb7f3cc338ee03381a102f524316b5935fb5cb4d113031.exe
    "C:\Users\Admin\AppData\Local\Temp\bb16e46d068bc395bdcb7f3cc338ee03381a102f524316b5935fb5cb4d113031.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Users\Admin\AppData\Roaming\Microsoft Edge\UpdateService.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft Edge\UpdateService.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Users\Admin\AppData\Roaming\EdgeUpdate.exe
        "C:\Users\Admin\AppData\Roaming\EdgeUpdate.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Microsoft Edge\UpdateService.exe" 3984
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3912
        • C:\Users\Admin\AppData\Roaming\EdgeUpdate.exe
          "C:\Users\Admin\AppData\Roaming\EdgeUpdate.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Microsoft Edge\UpdateService.exe" 3984
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\EdgeUpdate.exe
    Filesize

    9KB

    MD5

    7796236d80b9e55f9571418e05a9578b

    SHA1

    14039d2800ca54c49c817b1fa35bdf45024ceab7

    SHA256

    02ea168ca6eb5b6211d7525ada5e100323d41155620ca40a149038b61fdb6cc5

    SHA512

    604b70f61bc0d8348b05921d46ce8aaa411a46ffa82ae516b4ba5e4df66759712e71bed77971a7c501e97b5f5d8a22440a29837fa7ce8e0a55ed5ee811e32cd5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\EdgeUpdate.exe.config
    Filesize

    157B

    MD5

    7efa291047eb1202fde7765adac4b00d

    SHA1

    22d4846caff5e45c18e50738360579fbbed2aa8d

    SHA256

    807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6

    SHA512

    159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft Edge\UpdateService.exe
    Filesize

    3.0MB

    MD5

    5cc99251e0b8789e36ad013b38c75632

    SHA1

    7aae31f2e5cf63e7e3a0d926f0f3c186565ebdc6

    SHA256

    bb16e46d068bc395bdcb7f3cc338ee03381a102f524316b5935fb5cb4d113031

    SHA512

    4be001412f90ce660b6e673e3eaf301cffa53a81b4b548d1b322bec976fd2d3a43b101299824c25cba5cd4d761ee5cf8b8940c23433910be11671a27f524bee4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft Edge\UpdateService.exe.config
    Filesize

    349B

    MD5

    89817519e9e0b4e703f07e8c55247861

    SHA1

    4636de1f6c997a25c3190f73f46a3fd056238d78

    SHA256

    f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

    SHA512

    b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

    Download Submit

  • memory/3912-45-0x00000000006F0000-0x00000000006F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3984-27-0x0000023375250000-0x00000233752A8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/3984-29-0x000002335C5F0000-0x000002335C600000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3984-53-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3984-52-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3984-24-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3984-25-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3984-28-0x0000023374E10000-0x0000023374E28000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3984-51-0x0000023375E50000-0x0000023376012000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3984-26-0x000002335C720000-0x000002335C732000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3984-50-0x0000023375B70000-0x0000023375C7A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3984-49-0x0000023375A20000-0x0000023375A5C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3984-48-0x00000233759C0000-0x00000233759D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4856-1-0x000001F52C720000-0x000001F52CA26000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4856-2-0x000001F52E770000-0x000001F52E7CC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/4856-3-0x000001F52CDD0000-0x000001F52CDDE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4856-5-0x000001F52CEA0000-0x000001F52CEB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4856-0-0x00007FFC0E1E3000-0x00007FFC0E1E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4856-23-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4856-4-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

    Filesize

    10.8MB

    Download