orcus | 554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe
Size

16.5MB
MD5

ded6f7fee10797b02f8876dad0c84ae6
SHA1

ca2e5e3aa7463fc33444b7a4de5dfa33b3efc83d
SHA256

554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631
SHA512

565fbd16d8b6ee43b61ea8f5e0d5284c9823119b6f7740aa182ecd18c032b2148e8a8ef88661fcd8a89d25e4e0bfaf9fdfc4104d6c76cbfaeab85984babbaca2
SSDEEP

393216:z0EjcTK84e3km6NsyYSzOshouIkPftRL54lRC9l1dy1JC:wE4CsAsyYSawouTtRL/y

Score

10^/10

orcus funpay discovery rat spyware stealer upx

Malware Config

Extracted

Family

orcus

Botnet

FunPay

31.44.184.52:44657

Mutex

sudo_vm3jypee5e4wpgyaqsjreb4akskikm0b

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\privategamebase\Discord.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015f1b-40.dat	family_orcus

Orcurs Rat Executable 10 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015f1b-40.dat	orcus
behavioral1/memory/2840-43-0x0000000000400000-0x0000000001480000-memory.dmp	orcus
behavioral1/memory/2892-47-0x00000000011C0000-0x0000000001504000-memory.dmp	orcus
behavioral1/memory/2540-76-0x0000000000830000-0x0000000000B74000-memory.dmp	orcus
behavioral1/memory/2276-134-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/2276-133-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/2276-130-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/2276-128-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/2276-135-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/580-209-0x0000000000DD0000-0x0000000001114000-memory.dmp	orcus

Executes dropped EXE 9 IoCs

pid	Process
2596	SandeLLo CHECKER.exe
2788	Built.exe
1244	Built.exe
2892	Discord.exe
2540	Discord.exe
2776	Discord.exe
1212	Process not Found
580	Discord.exe
2976	Discord.exe

Loads dropped DLL 9 IoCs

pid	Process
2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe
2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe
2788	Built.exe
1244	Built.exe
2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe
2892	Discord.exe
2372	MsiExec.exe
2372	MsiExec.exe
2372	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	SandeLLo CHECKER.exe
File opened (read-only)	\??\W:	SandeLLo CHECKER.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	SandeLLo CHECKER.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	SandeLLo CHECKER.exe
File opened (read-only)	\??\L:	SandeLLo CHECKER.exe
File opened (read-only)	\??\Q:	SandeLLo CHECKER.exe
File opened (read-only)	\??\V:	SandeLLo CHECKER.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	SandeLLo CHECKER.exe
File opened (read-only)	\??\T:	SandeLLo CHECKER.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	SandeLLo CHECKER.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	SandeLLo CHECKER.exe
File opened (read-only)	\??\N:	SandeLLo CHECKER.exe
File opened (read-only)	\??\R:	SandeLLo CHECKER.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	SandeLLo CHECKER.exe
File opened (read-only)	\??\S:	SandeLLo CHECKER.exe
File opened (read-only)	\??\Y:	SandeLLo CHECKER.exe
File opened (read-only)	\??\H:	SandeLLo CHECKER.exe
File opened (read-only)	\??\O:	SandeLLo CHECKER.exe
File opened (read-only)	\??\P:	SandeLLo CHECKER.exe
File opened (read-only)	\??\U:	SandeLLo CHECKER.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	SandeLLo CHECKER.exe
File opened (read-only)	\??\B:	SandeLLo CHECKER.exe
File opened (read-only)	\??\G:	SandeLLo CHECKER.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2540 set thread context of 2276	2540	Discord.exe	36

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000193a2-37.dat	upx
behavioral1/memory/1244-46-0x000007FEF5B90000-0x000007FEF6179000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SandeLLo CHECKER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	SandeLLo CHECKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SandeLLo CHECKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SandeLLo CHECKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SandeLLo CHECKER.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2892	Discord.exe
2540	Discord.exe
2540	Discord.exe
2276	installutil.exe
2276	installutil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2596	SandeLLo CHECKER.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	Discord.exe
Token: SeDebugPrivilege	2540	Discord.exe
Token: SeDebugPrivilege	2276	installutil.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeSecurityPrivilege	2324	msiexec.exe
Token: SeCreateTokenPrivilege	2596	SandeLLo CHECKER.exe
Token: SeAssignPrimaryTokenPrivilege	2596	SandeLLo CHECKER.exe
Token: SeLockMemoryPrivilege	2596	SandeLLo CHECKER.exe
Token: SeIncreaseQuotaPrivilege	2596	SandeLLo CHECKER.exe
Token: SeMachineAccountPrivilege	2596	SandeLLo CHECKER.exe
Token: SeTcbPrivilege	2596	SandeLLo CHECKER.exe
Token: SeSecurityPrivilege	2596	SandeLLo CHECKER.exe
Token: SeTakeOwnershipPrivilege	2596	SandeLLo CHECKER.exe
Token: SeLoadDriverPrivilege	2596	SandeLLo CHECKER.exe
Token: SeSystemProfilePrivilege	2596	SandeLLo CHECKER.exe
Token: SeSystemtimePrivilege	2596	SandeLLo CHECKER.exe
Token: SeProfSingleProcessPrivilege	2596	SandeLLo CHECKER.exe
Token: SeIncBasePriorityPrivilege	2596	SandeLLo CHECKER.exe
Token: SeCreatePagefilePrivilege	2596	SandeLLo CHECKER.exe
Token: SeCreatePermanentPrivilege	2596	SandeLLo CHECKER.exe
Token: SeBackupPrivilege	2596	SandeLLo CHECKER.exe
Token: SeRestorePrivilege	2596	SandeLLo CHECKER.exe
Token: SeShutdownPrivilege	2596	SandeLLo CHECKER.exe
Token: SeDebugPrivilege	2596	SandeLLo CHECKER.exe
Token: SeAuditPrivilege	2596	SandeLLo CHECKER.exe
Token: SeSystemEnvironmentPrivilege	2596	SandeLLo CHECKER.exe
Token: SeChangeNotifyPrivilege	2596	SandeLLo CHECKER.exe
Token: SeRemoteShutdownPrivilege	2596	SandeLLo CHECKER.exe
Token: SeUndockPrivilege	2596	SandeLLo CHECKER.exe
Token: SeSyncAgentPrivilege	2596	SandeLLo CHECKER.exe
Token: SeEnableDelegationPrivilege	2596	SandeLLo CHECKER.exe
Token: SeManageVolumePrivilege	2596	SandeLLo CHECKER.exe
Token: SeImpersonatePrivilege	2596	SandeLLo CHECKER.exe
Token: SeCreateGlobalPrivilege	2596	SandeLLo CHECKER.exe
Token: SeCreateTokenPrivilege	2596	SandeLLo CHECKER.exe
Token: SeAssignPrimaryTokenPrivilege	2596	SandeLLo CHECKER.exe
Token: SeLockMemoryPrivilege	2596	SandeLLo CHECKER.exe
Token: SeIncreaseQuotaPrivilege	2596	SandeLLo CHECKER.exe
Token: SeMachineAccountPrivilege	2596	SandeLLo CHECKER.exe
Token: SeTcbPrivilege	2596	SandeLLo CHECKER.exe
Token: SeSecurityPrivilege	2596	SandeLLo CHECKER.exe
Token: SeTakeOwnershipPrivilege	2596	SandeLLo CHECKER.exe
Token: SeLoadDriverPrivilege	2596	SandeLLo CHECKER.exe
Token: SeSystemProfilePrivilege	2596	SandeLLo CHECKER.exe
Token: SeSystemtimePrivilege	2596	SandeLLo CHECKER.exe
Token: SeProfSingleProcessPrivilege	2596	SandeLLo CHECKER.exe
Token: SeIncBasePriorityPrivilege	2596	SandeLLo CHECKER.exe
Token: SeCreatePagefilePrivilege	2596	SandeLLo CHECKER.exe
Token: SeCreatePermanentPrivilege	2596	SandeLLo CHECKER.exe
Token: SeBackupPrivilege	2596	SandeLLo CHECKER.exe
Token: SeRestorePrivilege	2596	SandeLLo CHECKER.exe
Token: SeShutdownPrivilege	2596	SandeLLo CHECKER.exe
Token: SeDebugPrivilege	2596	SandeLLo CHECKER.exe
Token: SeAuditPrivilege	2596	SandeLLo CHECKER.exe
Token: SeSystemEnvironmentPrivilege	2596	SandeLLo CHECKER.exe
Token: SeChangeNotifyPrivilege	2596	SandeLLo CHECKER.exe
Token: SeRemoteShutdownPrivilege	2596	SandeLLo CHECKER.exe
Token: SeUndockPrivilege	2596	SandeLLo CHECKER.exe
Token: SeSyncAgentPrivilege	2596	SandeLLo CHECKER.exe
Token: SeEnableDelegationPrivilege	2596	SandeLLo CHECKER.exe
Token: SeManageVolumePrivilege	2596	SandeLLo CHECKER.exe
Token: SeImpersonatePrivilege	2596	SandeLLo CHECKER.exe
Token: SeCreateGlobalPrivilege	2596	SandeLLo CHECKER.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2596	SandeLLo CHECKER.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2596	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	30
PID 2840 wrote to memory of 2596	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	30
PID 2840 wrote to memory of 2596	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	30
PID 2840 wrote to memory of 2596	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	30
PID 2840 wrote to memory of 2596	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	30
PID 2840 wrote to memory of 2596	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	30
PID 2840 wrote to memory of 2596	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	30
PID 2840 wrote to memory of 2788	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	31
PID 2840 wrote to memory of 2788	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	31
PID 2840 wrote to memory of 2788	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	31
PID 2840 wrote to memory of 2788	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	31
PID 2788 wrote to memory of 1244	2788	Built.exe	32
PID 2788 wrote to memory of 1244	2788	Built.exe	32
PID 2788 wrote to memory of 1244	2788	Built.exe	32
PID 2840 wrote to memory of 2892	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	33
PID 2840 wrote to memory of 2892	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	33
PID 2840 wrote to memory of 2892	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	33
PID 2840 wrote to memory of 2892	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	33
PID 2840 wrote to memory of 2892	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	33
PID 2840 wrote to memory of 2892	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	33
PID 2840 wrote to memory of 2892	2840	554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe	33
PID 2892 wrote to memory of 2540	2892	Discord.exe	34
PID 2892 wrote to memory of 2540	2892	Discord.exe	34
PID 2892 wrote to memory of 2540	2892	Discord.exe	34
PID 2892 wrote to memory of 2540	2892	Discord.exe	34
PID 2892 wrote to memory of 2540	2892	Discord.exe	34
PID 2892 wrote to memory of 2540	2892	Discord.exe	34
PID 2892 wrote to memory of 2540	2892	Discord.exe	34
PID 2948 wrote to memory of 2776	2948	taskeng.exe	37
PID 2948 wrote to memory of 2776	2948	taskeng.exe	37
PID 2948 wrote to memory of 2776	2948	taskeng.exe	37
PID 2948 wrote to memory of 2776	2948	taskeng.exe	37
PID 2948 wrote to memory of 2776	2948	taskeng.exe	37
PID 2948 wrote to memory of 2776	2948	taskeng.exe	37
PID 2948 wrote to memory of 2776	2948	taskeng.exe	37
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2540 wrote to memory of 2276	2540	Discord.exe	36
PID 2324 wrote to memory of 2372	2324	msiexec.exe	39
PID 2324 wrote to memory of 2372	2324	msiexec.exe	39
PID 2324 wrote to memory of 2372	2324	msiexec.exe	39
PID 2324 wrote to memory of 2372	2324	msiexec.exe	39
PID 2324 wrote to memory of 2372	2324	msiexec.exe	39
PID 2324 wrote to memory of 2372	2324	msiexec.exe	39
PID 2324 wrote to memory of 2372	2324	msiexec.exe	39
PID 2948 wrote to memory of 580	2948	taskeng.exe	42
PID 2948 wrote to memory of 580	2948	taskeng.exe	42
PID 2948 wrote to memory of 580	2948	taskeng.exe	42
PID 2948 wrote to memory of 580	2948	taskeng.exe	42
PID 2948 wrote to memory of 580	2948	taskeng.exe	42
PID 2948 wrote to memory of 580	2948	taskeng.exe	42
PID 2948 wrote to memory of 580	2948	taskeng.exe	42
PID 2948 wrote to memory of 2976	2948	taskeng.exe	43
PID 2948 wrote to memory of 2976	2948	taskeng.exe	43
PID 2948 wrote to memory of 2976	2948	taskeng.exe	43

C:\Users\Admin\AppData\Local\Temp\554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe
"C:\Users\Admin\AppData\Local\Temp\554ba820fd72b48db8cfd0c6f8c56e20675f993408df0504e2d80c2f68dbe631.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\SandeLLo CHECKER.exe
  "C:\Users\Admin\AppData\Local\Temp\SandeLLo CHECKER.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1244
- C:\Users\Admin\AppData\Local\Temp\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
    "C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2276

C:\Windows\system32\taskeng.exe
taskeng.exe {B4572D98-4037-46D7-A234-7CD182A91535} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:580
- C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2976

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F324D45EF8AAC1C129714D171BD9D7DB C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d1b585c5fe0194a954d1ae1add94a5c

SHA1
ca5a0e47297d7fa0dbc043939973b6978c987ed6

SHA256
f61dc87dc761f6ad82d6deecf09fbd58bf3250c2280d2e7d6b81ea13c4ac02b3

SHA512
88274489e907aec7f0681ee21b4cc43a17ae4c9525c65d27ed9f175079e90928424e0ffc9c71e5d1b5485f3aaefe97901897cc749dd51e7fdc0e12f7dbee0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2596\dialog.jpg

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6D36.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI70E9.tmp

Filesize
1.1MB

MD5
c04ed00ddcb3518e8cf6db24db294a50

SHA1
cc98cc3ab9c4371f85ea227d9f761bab4aa76baa

SHA256
3c21e1f3bb3ebeb5f0ff68658db8abd18b62f8b195288c4bf87936fc51f8ae9e

SHA512
736946a3130f294878ea51145960017babcc1b8ac2c96afd8b9e2a4d120f173afb84bbd04b6f0113f286d4bc671befecd4e92c582f1de1a0d5bc8738c3cae9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6DA6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27882\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F123046A-2CBF-4743-A59B-E3D2751B5780}\51B5780\SandeLLoCHECKER_Installer.msi

Filesize
3.9MB

MD5
e47c6582751cdc22d8c0eeac60de6d0b

SHA1
4c057d98754b09c95fcae46162673d1b241ccea4

SHA256
c645a247c399ae2e8ccf8f826415e7287b52080fcae3dac203e7e543fe792ccb

SHA512
2e2dc24e4cc1314f17506c0007f1e5c1200af1a2b14820968e7a1019c29b60913701beb5498a6c13e7cef938e98efa464b1cae2f5a8cc59c493caebfd158da5b

Download Submit
C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.4MB

MD5
a4e90f8b6a74e5500c2635fe1b4c9f2c

SHA1
3d21ce3e3134bbb573fb4793cffd1d39cbc89304

SHA256
d4334aea8571ab83ae93969fa9b5a9a522aff3368511884378d0c5acf7c7ae52

SHA512
7464f3138ba3a958f841b0a223afa41ab78c4798f14cecac2a1e408b955fb374dc0badfc91d08235812d9047ab9870881449fbd40f005e18037f8c51bf066c7f

Download Submit
\Users\Admin\AppData\Local\Temp\Discord.exe

Filesize
3.2MB

MD5
90cd2e9c676fc284584653b5d4f95126

SHA1
4e1a138d45e7833d1eb4205606cdd7f4508bce5c

SHA256
5ccf3a06eeaa035c5b4b60f44e7820692c015208d62e415a3c224c009edde3df

SHA512
57166446c7743344914d2c1e089e066bc0ddddc29cb8e64e801f01c63f6287d524a3778a7d67070779e90ad31e7b0675f081dafbd32b34aa407e20706885a146

Download Submit
\Users\Admin\AppData\Local\Temp\MSI6FFE.tmp

Filesize
587KB

MD5
9e0aef52f6c03b2fea067342d9d4f22f

SHA1
d4431a858c8a7a79315829ec7aa82e838c2714f4

SHA256
42b8adafcb4e8496d9822a0c504f449e56456528a9251c153381d3f63d197e5b

SHA512
42858a6695d7906b3df4dc97f3b1fac737633a51ffb52e8ec8eddeb21f8cdb53c199bb698e54c4a931155eafd879de6fff114b84f298c84436b776e286ebeeb1

Download Submit
\Users\Admin\AppData\Local\Temp\MSI71C5.tmp

Filesize
709KB

MD5
eb7811666ac7be6477e23af68511424f

SHA1
1623579c5a3710dcc694a2fd49defa27d56d9175

SHA256
ad706739b04256b9215e80d2d030863a37f0d7fd0e4071d0a3a73d6704d8bd8f

SHA512
3055baa15c92f476513c66a423043dc4b8c5f83f47643ad77665d6a2f823f4655bf4ae241d8af4bc34d53630df1c35989f0b11b934a631960668fcc7a8c81a7b

Download Submit
\Users\Admin\AppData\Local\Temp\SandeLLo CHECKER.exe

Filesize
5.7MB

MD5
8a0591a6b534e32fa179f2d781b79026

SHA1
61e1aff6f862cbce0e1f6e9e70d186e5013d9846

SHA256
4df8350850592b587c4d2aaabddc8454bc4652df0082b85c3336139a9c6ea53e

SHA512
0a261afd07a152e0f4e7d4df8ad0d57c53e9690b0b4f7ed13614b60c55466bafa7ac70472f6b1b5b41e49b249f080ad3c4d440b655b631b17c3c7e1cea3055bd

Download Submit
memory/580-209-0x0000000000DD0000-0x0000000001114000-memory.dmp

Filesize
3.3MB

Download
memory/1244-46-0x000007FEF5B90000-0x000007FEF6179000-memory.dmp

Filesize
5.9MB

Download
memory/2276-124-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/2276-147-0x0000000000850000-0x0000000000868000-memory.dmp

Filesize
96KB

Download
memory/2276-148-0x0000000000880000-0x0000000000890000-memory.dmp

Filesize
64KB

Download
memory/2276-126-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/2276-134-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/2276-133-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/2276-132-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2276-130-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/2276-128-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/2276-135-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/2540-76-0x0000000000830000-0x0000000000B74000-memory.dmp

Filesize
3.3MB

Download
memory/2540-77-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/2540-78-0x00000000024B0000-0x00000000024FE000-memory.dmp

Filesize
312KB

Download
memory/2840-43-0x0000000000400000-0x0000000001480000-memory.dmp

Filesize
16.5MB

Download
memory/2892-65-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/2892-49-0x0000000000BE0000-0x0000000000C3C000-memory.dmp

Filesize
368KB

Download
memory/2892-48-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2892-47-0x00000000011C0000-0x0000000001504000-memory.dmp

Filesize
3.3MB

Download