Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/01/2025, 13:26
Behavioral task: behavioral1
Sample: Update.exe
Resource: win7-20240729-en
General
Target: Update.exe
Size: 3.0MB
MD5: 2fe71c8b3764c2e139e32d132437bc67
SHA1: 70bdbce5ad67ce24d75bd76b41cb6eecdcc24dc7
SHA256: 7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d
SHA512: f12e8d338824c18384a300a78a21d88cf7d589d26d06c18d4b6f00f9fc50c567f8ac024990fa69a49323632f82124d2cfc890ba040eaac15934a283029ac2a2d
SSDEEP: 49152:G+1xzMQNZKMx6Y3BfoKTL0lmGlrtWAypQxbno9JnCmoyrZEI0AilFCvxHd:G+1n666WTMXypSbno9JCm
Malware Config
Extracted
orcus
dc.deenote4396.com:10134
3749f50e4c6b4cbfb5eac93f5e5530bb
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %programfiles%\Lenovo\Update.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Lenovo
watchdog_path: AppData\Lenovo.exe
Signatures
- Orcus family
- Orcus main payload (1 IoC)
  resource                                     yara_rule
  behavioral2/files/0x0008000000023c35-52.dat  family_orcus
- Orcurs Rat Executable (2 IoCs)
  resource                                                                    yara_rule
  behavioral2/files/0x0008000000023c35-52.dat                                 orcus
  behavioral2/memory/644-62-0x0000000000CB0000-0x0000000000FAE000-memory.dmp  orcus
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation  Update.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation  Update.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation  Lenovo.exe
- Executes dropped EXE (6 IoCs)
  pid   Process
  4920  WindowsInput.exe
  984   WindowsInput.exe
  644   Update.exe
  1756  Update.exe
  2212  Lenovo.exe
  3264  Lenovo.exe
- Drops file in System32 directory (3 IoCs)
  description                   ioc                                             Process
  File created                  C:\Windows\SysWOW64\WindowsInput.exe.config     Update.exe
  File created                  C:\Windows\SysWOW64\WindowsInput.InstallState   WindowsInput.exe
  File created                  C:\Windows\SysWOW64\WindowsInput.exe            Update.exe
- Drops file in Program Files directory (3 IoCs)
  description                   ioc                                             Process
  File created                  C:\Program Files\Lenovo\Update.exe              Update.exe
  File opened for modification  C:\Program Files\Lenovo\Update.exe              Update.exe
  File created                  C:\Program Files\Lenovo\Update.exe.config       Update.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                         Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Lenovo.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Lenovo.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  644   Update.exe
  3264  Lenovo.exe
  (64 entries in total, each attributed to one of these two processes)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   644   Update.exe
  Token: SeDebugPrivilege   2212  Lenovo.exe
  Token: SeDebugPrivilege   3264  Lenovo.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  644   Update.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                         pid   Process     procid_target
  PID 3504 wrote to memory of 4524    3504  Update.exe  87
  PID 3504 wrote to memory of 4524    3504  Update.exe  87
  PID 4524 wrote to memory of 4568    4524  csc.exe     89
  PID 4524 wrote to memory of 4568    4524  csc.exe     89
  PID 3504 wrote to memory of 4920    3504  Update.exe  90
  PID 3504 wrote to memory of 4920    3504  Update.exe  90
  PID 3504 wrote to memory of 644     3504  Update.exe  92
  PID 3504 wrote to memory of 644     3504  Update.exe  92
  PID 644 wrote to memory of 2212     644   Update.exe  94
  PID 644 wrote to memory of 2212     644   Update.exe  94
  PID 644 wrote to memory of 2212     644   Update.exe  94
  PID 2212 wrote to memory of 3264    2212  Lenovo.exe  95
  PID 2212 wrote to memory of 3264    2212  Lenovo.exe  95
  PID 2212 wrote to memory of 3264    2212  Lenovo.exe  95
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\Update.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Update.exe"
  PID: 3504
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Process (depth 2): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hntladlm.cmdline"
    PID: 4524
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8BD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD8BC.tmp"
      PID: 4568
  Process (depth 2): C:\Windows\SysWOW64\WindowsInput.exe
    Command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    PID: 4920
    - Executes dropped EXE
    - Drops file in System32 directory
  Process (depth 2): C:\Program Files\Lenovo\Update.exe
    Command line: "C:\Program Files\Lenovo\Update.exe"
    PID: 644
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Process (depth 3): C:\Users\Admin\AppData\Roaming\Lenovo.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Lenovo.exe" /launchSelfAndExit "C:\Program Files\Lenovo\Update.exe" 644 /protectFile
      PID: 2212
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Process (depth 4): C:\Users\Admin\AppData\Roaming\Lenovo.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Lenovo.exe" /watchProcess "C:\Program Files\Lenovo\Update.exe" 644 "/protectFile"
        PID: 3264
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Process (depth 1): C:\Windows\SysWOW64\WindowsInput.exe
  Command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  PID: 984
  - Executes dropped EXE
Process (depth 1): C:\Program Files\Lenovo\Update.exe
  Command line: "C:\Program Files\Lenovo\Update.exe"
  PID: 1756
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.0MB
  MD5: 2fe71c8b3764c2e139e32d132437bc67
  SHA1: 70bdbce5ad67ce24d75bd76b41cb6eecdcc24dc7
  SHA256: 7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d
  SHA512: f12e8d338824c18384a300a78a21d88cf7d589d26d06c18d4b6f00f9fc50c567f8ac024990fa69a49323632f82124d2cfc890ba040eaac15934a283029ac2a2d
- Filesize: 425B
  MD5: 4eaca4566b22b01cd3bc115b9b0b2196
  SHA1: e743e0792c19f71740416e7b3c061d9f1336bf94
  SHA256: 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
  SHA512: bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
- Filesize: 1KB
  MD5: 1bf56844523bc6fbb39397e34254b5e8
  SHA1: 7581dcde7776471d1b6c416edf98ca1dc43b342f
  SHA256: 348dc89c778f5b75d4fe0046d3786292f5853944187d016b5530008fa63af379
  SHA512: 5cf0f99fa13065b4ad3113654e94022dbb69ed4d35e3eaa55f48b8f6ee75223296cbf92d97299ebdd3ab8fab0fdb4d1f71318155e5df6e0a71acdde649518bc9
- Filesize: 76KB
  MD5: 1a467a8b5440dd47a03fe22ce5fa15bc
  SHA1: b056dd37c7bf35ec8c7f5b3cebdff8db15781fdc
  SHA256: 83db7acb41dfa297db7ce60b395a1daf8265d462e11cfc640646677839022a99
  SHA512: c7b182dd1cd15a068f7d4ed74c4c6d053251953105e2353bf21e0061bc3c18e0a76edc933833233f1307d8154aaa6b4d749446056cadf1fef19d27805519641c
- Filesize: 9KB
  MD5: 2d755da0539c2158464fd680aeeafa10
  SHA1: 027be49916ebb28b6af7112ac3f5921e016ab67b
  SHA256: a3e0e958ea53e5a0ed8c8debf5a24be30bcfabe423ea09337098674f4c125cc6
  SHA512: 6dbc740c760b1fc33dca1986d73f61e6213918584a1cf1f1be5775d0931a26701650ebd894767696127f09f3a10d4f9c44535add9a68c94d0f4eed6022fbdad1
- Filesize: 21KB
  MD5: 3bfc2e9172bbd881cd34f0923724596a
  SHA1: f1cd48baadd891c39b7ef45a9d71ff8355ea5df7
  SHA256: a9cd2113e12ac6b42a2523755bd71ed129b71562e8cd4bb274d0141db7e40899
  SHA512: 882b5afac26bb9be88269c93c7800f5d0c6153ad0a895193c9acf70a0724137518a8b52584c16c248b2f79929c83072fa72bbbd9da3f0fba4ff1f9b50837d5d6
- Filesize: 349B
  MD5: 89817519e9e0b4e703f07e8c55247861
  SHA1: 4636de1f6c997a25c3190f73f46a3fd056238d78
  SHA256: f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
  SHA512: b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
- Filesize: 676B
  MD5: 5a40b740e24089e477e7e28486686dee
  SHA1: 2fa0b6ab5bf9ad03c6ac7fb7d9d003d19ea4e8b9
  SHA256: b98e00d6ec4b02026bb3a117f447f875a59f5dd3062a9c0662c27599a5b3debe
  SHA512: c6a470f276ab80716942782e4dbc7352387363cab3665b06daec8d3adf9abd3a759331274c292f9aebdbf13b79e4d54c4a31ca3e89112a1ec0e36b9f25850434
- Filesize: 208KB
  MD5: 3d8f4eddd37ae95e3043c9433ed3c5f2
  SHA1: 93be07b8af6212190eee6a4cb9dd5d257974b9a1
  SHA256: 42343e33ca7264ffdb632dee4bbc8d47abd3cfe4d1740017dd365d23c6671294
  SHA512: 54329aefe375bddcddc9d84c3f152ab2a78f231cdd8e3021ecf0e44f6d1c5e94fb653639098ed71ca565d2328a48c6ae9d211996210c02144fb9e1c5db9732fd
- Filesize: 349B
  MD5: ba3c3308ea9fe50fed4e1d7d24190f4e
  SHA1: 05d0989f4d423c021e764ce1d60082ff606b60b0
  SHA256: 002e85af6d433132df6b65654f5b576a498d292b742c4500a8e46eb991a60218
  SHA512: dac0d1f6a930a7a666ab7f187e308b52bf4a1c9bdf9cbb561964cf1ec90af8112a05d3625b94876c224c2515751ddb16ab3c6ff719c63dbe999c67daf4e327ac