Analysis Overview
SHA256
ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7
Threat Level: Known bad
The file ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7 was found to be: Known bad.
Malicious Activity Summary
Orcus family
Orcus
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-28 01:03
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-28 01:03
Reported
2025-01-28 01:06
Platform
win7-20241010-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Orcus
Orcus family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2240 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe |
| PID 2240 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe |
| PID 2240 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe |
| PID 2240 wrote to memory of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe
"C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe"
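The two process lines above, read together with the WriteProcessMemory rows (PID 2240 writing into 2328 here, 4572 into 2624 in behavioral2 further down), describe one chain: the sample running from the user's Temp directory starts a second instance of itself from %APPDATA%\Microsoft\Windows\PDFReader.exe. The following Python is an added detection example, not part of the Triage report. It evaluates constructed process-creation records (a Sysmon event 1 shape, which is an assumption; the sample's own parent is not in the report and is left blank) for that parent-in-Temp, child-in-Roaming\Microsoft\Windows pattern, and raises the severity when the child's hash equals the parent's, as it does in this report. The two benign decoy records are also constructed.

```python
"""Added example: flag a Temp-resident binary that launches a copy of itself
from %APPDATA%\\Microsoft\\Windows. Records are constructed from the report's
Processes table; they are not Triage output."""
import re
from dataclasses import dataclass

SAMPLE_SHA256 = "ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe"
DROPPED_EXE = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe"


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal process-creation record (Sysmon event 1 shape, an assumption)."""
    pid: int
    image: str
    sha256: str
    parent_pid: int
    parent_image: str


# Constructed records. The sample's parent is not in the report, so it is left
# blank; the notepad and installer rows are benign decoys that must not fire.
EVENTS = [
    ProcessCreate(2240, SAMPLE_EXE, SAMPLE_SHA256, 0, ""),
    ProcessCreate(2328, DROPPED_EXE, SAMPLE_SHA256, 2240, SAMPLE_EXE),
    ProcessCreate(4100, r"C:\Windows\System32\notepad.exe", "a" * 64,
                  1200, r"C:\Windows\explorer.exe"),
    ProcessCreate(4300, r"C:\Program Files\Tool\tool.exe", "b" * 64,
                  4200, r"C:\Users\Admin\AppData\Local\Temp\setup.exe"),
]

# %APPDATA%\Microsoft\Windows normally holds shortcut folders (Recent, SendTo,
# Start Menu, Themes); an executable sitting directly in it is unusual.
TEMP_PARENT = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.IGNORECASE)
PERSIST_EXE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\[^\\]+\.exe$",
                         re.IGNORECASE)


def detect_self_copy_launch(events):
    """Return one finding per child started from the persistence folder by a
    Temp-resident parent. Severity is 'high' when the child's hash equals the
    parent's (a byte-identical self-copy, as in this report), else 'medium'."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        if not (TEMP_PARENT.search(ev.parent_image) and PERSIST_EXE.search(ev.image)):
            continue
        parent = by_pid.get(ev.parent_pid)
        same_hash = parent is not None and parent.sha256.lower() == ev.sha256.lower()
        findings.append({
            "parent_pid": ev.parent_pid,
            "pid": ev.pid,
            "image": ev.image,
            "severity": "high" if same_hash else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_self_copy_launch(EVENTS):
        print(f"[{f['severity']}] {f['parent_pid']} -> {f['pid']} {f['image']}")
```

Against real telemetry the hash comparison is what separates this chain from an installer unpacking a different binary into Roaming; the path pattern alone is only a medium-confidence lead.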
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
Files
memory/2240-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp
memory/2240-1-0x0000000000E10000-0x0000000000F44000-memory.dmp
memory/2240-3-0x0000000074D40000-0x000000007542E000-memory.dmp
memory/2240-2-0x00000000004C0000-0x00000000004CA000-memory.dmp
memory/2240-4-0x0000000004480000-0x00000000044CC000-memory.dmp
memory/2240-5-0x00000000005B0000-0x00000000005B8000-memory.dmp
memory/2240-8-0x0000000004E20000-0x0000000004E6E000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe
| MD5 | 366809485bc0958ac26655a8158283a0 |
| SHA1 | e342bcae97887ae54af1a452bee924cf3ae0dbdc |
| SHA256 | ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7 |
| SHA512 | c7e026768dc555ea15f86334e1ad3f00f314d223e49e291144ea262380856d31b2b57f696d185c5fe69c5c229dcaf4a001b13b81d1929415f50b001c79e03e15 |
memory/2328-15-0x0000000000040000-0x0000000000174000-memory.dmp
memory/2240-17-0x0000000074D40000-0x000000007542E000-memory.dmp
memory/2328-18-0x0000000074D40000-0x000000007542E000-memory.dmp
memory/2328-16-0x0000000074D40000-0x000000007542E000-memory.dmp
memory/2328-19-0x0000000000860000-0x0000000000870000-memory.dmp
memory/2328-20-0x0000000074D40000-0x000000007542E000-memory.dmp
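The dropped PDFReader.exe in the Files section above carries exactly the MD5, SHA1, SHA256 and SHA512 of the submitted sample, so the implant persists by copying itself unchanged into %APPDATA%\Microsoft\Windows. The Python below is an added host-triage check, not part of the report: it looks for an executable at that relative path under every profile's Roaming folder (or under any roots you pass), hashes it and compares it with the report's SHA-256. The profile layout under C:\Users, the helper names and the verdict strings are my assumptions; the report shows no registry persistence entry, so none is checked here.

```python
"""Added example: hunt for the persistence artifact named in this report.
Run with no arguments on a Windows host to scan every user profile; roots are
parameterised so the same check runs against any directory."""
import hashlib
import sys
from pathlib import Path

# SHA-256 from the report's Files table (identical to the submitted sample).
KNOWN_BAD_SHA256 = {
    "ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7",
}
# Relative to each user's %APPDATA% (Roaming) folder.
ARTIFACT_REL = Path("Microsoft") / "Windows" / "PDFReader.exe"


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(roots, known_bad=KNOWN_BAD_SHA256):
    """Return one dict per artifact found under any root.

    verdict: 'known-bad' if the SHA-256 is in the report's set, otherwise
    'unknown-exe-in-persistence-dir', which still deserves a look because
    that folder normally holds only shortcut subfolders, not executables."""
    findings = []
    for root in roots:
        target = Path(root) / ARTIFACT_REL
        if not target.is_file():
            continue
        digest = sha256_file(target)
        findings.append({
            "path": str(target),
            "sha256": digest,
            "size": target.stat().st_size,
            "verdict": "known-bad" if digest in known_bad
                       else "unknown-exe-in-persistence-dir",
        })
    return findings


def default_roots():
    """Every profile's Roaming folder on a Windows host (assumed layout)."""
    users = Path(r"C:\Users")
    if not users.is_dir():
        return []
    return [p / "AppData" / "Roaming" for p in users.iterdir() if p.is_dir()]


if __name__ == "__main__":
    roots = sys.argv[1:] or default_roots()
    hits = hunt(roots)
    for hit in hits:
        print(f"{hit['verdict']}: {hit['path']} sha256={hit['sha256']} size={hit['size']}")
    sys.exit(1 if hits else 0)
```

A non-zero exit on any hit makes the script usable from a scheduled task or an EDR live-response job; a rebuilt or updated implant will miss the hash set but still surface under the second verdict.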
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-28 01:03
Reported
2025-01-28 01:06
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Orcus
Orcus family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4572 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe |
| PID 4572 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe |
| PID 4572 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe
"C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
| N/A | 192.168.68.146:10131 | N/A | tcp |
Files
memory/4572-0-0x000000007478E000-0x000000007478F000-memory.dmp
memory/4572-1-0x00000000005E0000-0x0000000000714000-memory.dmp
memory/4572-2-0x0000000002B10000-0x0000000002B1A000-memory.dmp
memory/4572-3-0x0000000074780000-0x0000000074F30000-memory.dmp
memory/4572-4-0x00000000057B0000-0x0000000005D54000-memory.dmp
memory/4572-6-0x0000000005500000-0x000000000554C000-memory.dmp
memory/4572-5-0x00000000055A0000-0x0000000005632000-memory.dmp
memory/4572-7-0x00000000056B0000-0x0000000005716000-memory.dmp
memory/4572-8-0x0000000005770000-0x0000000005778000-memory.dmp
memory/4572-11-0x0000000006060000-0x00000000060AE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe
| MD5 | 366809485bc0958ac26655a8158283a0 |
| SHA1 | e342bcae97887ae54af1a452bee924cf3ae0dbdc |
| SHA256 | ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7 |
| SHA512 | c7e026768dc555ea15f86334e1ad3f00f314d223e49e291144ea262380856d31b2b57f696d185c5fe69c5c229dcaf4a001b13b81d1929415f50b001c79e03e15 |
memory/2624-22-0x0000000074780000-0x0000000074F30000-memory.dmp
memory/4572-24-0x0000000074780000-0x0000000074F30000-memory.dmp
memory/2624-25-0x0000000074780000-0x0000000074F30000-memory.dmp
memory/2624-26-0x00000000066E0000-0x00000000068A2000-memory.dmp
memory/2624-27-0x0000000006660000-0x0000000006670000-memory.dmp
memory/2624-28-0x0000000006BC0000-0x0000000006BCA000-memory.dmp
memory/2624-29-0x0000000074780000-0x0000000074F30000-memory.dmp
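Across both detonations the only TCP destination is 192.168.68.146:10131, a non-routable RFC 1918 address: it reveals the C2 setting the build was configured with, which pointed at a LAN host, but it is not an indicator you can block or hunt for outside that network. The UDP rows in the behavioral2 table are reverse-DNS (PTR) queries sent to 8.8.8.8 for addresses that the table does not tie to either process. The Python below is an added example, not Triage output: it classifies the report's network rows, decodes the PTR names back to the addresses being looked up so they can be correlated with other telemetry, and rewrites the profile-specific file paths from the Processes and Files sections into a form that can be shared. The row list is transcribed from the tables above; the label names are my own.

```python
"""Added example: turn this report's Network and Files tables into indicators
a practitioner can act on, and label what is not worth sharing."""
import ipaddress
import re

# Transcribed from the behavioral2 Network table (one row per distinct entry).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.86.106.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("N/A", "192.168.68.146:10131", "", "tcp"),
    ("US", "8.8.8.8:53", "4.159.190.20.in-addr.arpa", "udp"),
]

# Transcribed from the Processes and Files sections.
PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PDFReader.exe",
    r"C:\Users\Admin\AppData\Local\Temp\ba928c4d2ba59ab646e5a8178d5bada82704eb4819146b79139a378f3c2be8a7.exe",
]


def ptr_to_ip(name):
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'. IPv4 PTR names carry the
    octets in reverse order. Returns None for anything that is not a PTR name."""
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", name, re.IGNORECASE)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    return ".".join(reversed(octets))


def classify(row):
    """Label one network row.

    ptr-lookup : reverse DNS through a public resolver; not C2 on its own, the
                 decoded address is kept for correlation only.
    private-c2 : non-routable destination (RFC 1918 and similar); shows the
                 configured C2 but is meaningful only inside that LAN.
    routable   : a public destination worth blocking and hunting for.
    """
    country, dest, domain, proto = row
    host, _, port = dest.rpartition(":")
    ip = ipaddress.ip_address(host)
    if proto == "udp" and port == "53" and domain.lower().endswith(".in-addr.arpa"):
        return {"label": "ptr-lookup", "resolver": host, "queried": ptr_to_ip(domain)}
    if ip.is_private:
        return {"label": "private-c2", "ip": host, "port": int(port), "proto": proto}
    return {"label": "routable", "ip": host, "port": int(port), "proto": proto}


def shareable_iocs(rows):
    """De-duplicated (ip, port, proto) tuples, with the private C2 kept apart
    so it is not mistaken for a routable indicator."""
    routable, private = set(), set()
    for row in rows:
        c = classify(row)
        if c["label"] == "routable":
            routable.add((c["ip"], c["port"], c["proto"]))
        elif c["label"] == "private-c2":
            private.add((c["ip"], c["port"], c["proto"]))
    return {"routable": sorted(routable), "private": sorted(private)}


# C:\Users\<name>\AppData\Roaming -> %APPDATA%, ...\AppData\Local\Temp -> %TEMP%
_PROFILE = r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\"


def normalize_path(path):
    """Rewrite a profile-specific path into environment-variable form so the
    same indicator matches any user name and drive letter."""
    path = re.sub(_PROFILE + r"Local\\Temp\\", r"%TEMP%\\", path, flags=re.IGNORECASE)
    path = re.sub(_PROFILE + r"Roaming\\", r"%APPDATA%\\", path, flags=re.IGNORECASE)
    return path


if __name__ == "__main__":
    for row in NETWORK_ROWS:
        print(classify(row))
    print(shareable_iocs(NETWORK_ROWS))
    for p in PATHS:
        print(normalize_path(p))
```

For this sample the routable list comes out empty, which is the honest result: the file hashes and the %APPDATA%\Microsoft\Windows\PDFReader.exe path are the indicators worth distributing, not the LAN address.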