Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
31/01/2025, 01:06
Behavioral task
behavioral1
Sample
ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe
Resource
win7-20241010-en
General
-
Target
ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe
-
Size
3.0MB
-
MD5
951b9c287b1459f3ad0e22779a6d999e
-
SHA1
a17cfe2ad70c6dc7fca315d5f88cf19f2683d006
-
SHA256
ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b
-
SHA512
10820bed94cc0dd8d8bd10f07f41982059afeff22d4a6d938a9dc1dd1921e4534d4ed5a7e8d3dd0effa49edfbc17bd23c4153127ef9d39af5787f37878096252
-
SSDEEP
49152:ZGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:ZLHTPJg8z1mKnypSbRxo9JCm
Malware Config
Extracted
orcus
Новый тег
31.44.184.52:22514
sudo_pyfhdzqzq1v1nlw2314nsrmdcg85nhyh
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%appdata%\flowerjs\gamegame.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Signatures
-
Orcus family
-
Orcus main payload 1 IoCs
resource yara_rule behavioral2/files/0x0008000000023c80-13.dat family_orcus -
Orcurs Rat Executable 2 IoCs
resource yara_rule behavioral2/memory/3952-1-0x0000000000450000-0x000000000074E000-memory.dmp orcus behavioral2/files/0x0008000000023c80-13.dat orcus -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe -
Executes dropped EXE 5 IoCs
pid Process 432 gamegame.exe 5100 gamegame.exe 4332 gamegame.exe 2748 gamegame.exe 2072 gamegame.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 432 set thread context of 616 432 gamegame.exe 88 PID 5100 set thread context of 3020 5100 gamegame.exe 91 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gamegame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caspol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gamegame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gamegame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language caspol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gamegame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gamegame.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 3952 ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe 432 gamegame.exe 432 gamegame.exe 5100 gamegame.exe 5100 gamegame.exe 5100 gamegame.exe 5100 gamegame.exe 3020 caspol.exe 3020 caspol.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3952 ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe Token: SeDebugPrivilege 432 gamegame.exe Token: SeDebugPrivilege 5100 gamegame.exe Token: SeDebugPrivilege 3020 caspol.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 3952 wrote to memory of 432 3952 ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe 86 PID 3952 wrote to memory of 432 3952 ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe 86 PID 3952 wrote to memory of 432 3952 ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe 86 PID 432 wrote to memory of 616 432 gamegame.exe 88 PID 432 wrote to memory of 616 432 gamegame.exe 88 PID 432 wrote to memory of 616 432 gamegame.exe 88 PID 432 wrote to memory of 616 432 gamegame.exe 88 PID 432 wrote to memory of 616 432 gamegame.exe 88 PID 432 wrote to memory of 616 432 gamegame.exe 88 PID 432 wrote to memory of 616 432 gamegame.exe 88 PID 432 wrote to memory of 616 432 gamegame.exe 88 PID 5100 wrote to memory of 1916 5100 gamegame.exe 90 PID 5100 wrote to memory of 1916 5100 gamegame.exe 90 PID 5100 wrote to memory of 1916 5100 gamegame.exe 90 PID 5100 wrote to memory of 3020 5100 gamegame.exe 91 PID 5100 wrote to memory of 3020 5100 gamegame.exe 91 PID 5100 wrote to memory of 3020 5100 gamegame.exe 91 PID 5100 wrote to memory of 3020 5100 gamegame.exe 91 PID 5100 wrote to memory of 3020 5100 gamegame.exe 91 PID 5100 wrote to memory of 3020 5100 gamegame.exe 91 PID 5100 wrote to memory of 3020 5100 gamegame.exe 91 PID 5100 wrote to memory of 3020 5100 gamegame.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe"C:\Users\Admin\AppData\Local\Temp\ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe"C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"3⤵
- System Location Discovery: System Language Discovery
PID:616
-
-
-
C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exeC:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"2⤵PID:1916
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exeC:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4332
-
C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exeC:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748
-
C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exeC:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5663b8d5469caa4489d463aa9bc18124f
SHA1e57123a7d969115853ea631a3b33826335025d28
SHA2567b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA51245e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55
-
Filesize
3.0MB
MD5951b9c287b1459f3ad0e22779a6d999e
SHA1a17cfe2ad70c6dc7fca315d5f88cf19f2683d006
SHA256ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b
SHA51210820bed94cc0dd8d8bd10f07f41982059afeff22d4a6d938a9dc1dd1921e4534d4ed5a7e8d3dd0effa49edfbc17bd23c4153127ef9d39af5787f37878096252
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad