Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
-
submitted
31/01/2025, 01:06
General
-
Target
ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe
-
Size
3.0MB
-
MD5
951b9c287b1459f3ad0e22779a6d999e
-
SHA1
a17cfe2ad70c6dc7fca315d5f88cf19f2683d006
-
SHA256
ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b
-
SHA512
10820bed94cc0dd8d8bd10f07f41982059afeff22d4a6d938a9dc1dd1921e4534d4ed5a7e8d3dd0effa49edfbc17bd23c4153127ef9d39af5787f37878096252
-
SSDEEP
49152:ZGX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:ZLHTPJg8z1mKnypSbRxo9JCm
Malware Config
Extracted
orcus
Новый тег
31.44.184.52:22514
sudo_pyfhdzqzq1v1nlw2314nsrmdcg85nhyh
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%appdata%\flowerjs\gamegame.exe
-
reconnect_delay
10000
-
registry_keyname
Sudik
-
taskscheduler_taskname
sudik
-
watchdog_path
AppData\aga.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 1 IoCs
-
Orcurs Rat Executable 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe"C:\Users\Admin\AppData\Local\Temp\ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe"C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exeC:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exeC:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exeC:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exeC:\Users\Admin\AppData\Roaming\flowerjs\gamegame.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5663b8d5469caa4489d463aa9bc18124f
SHA1e57123a7d969115853ea631a3b33826335025d28
SHA2567b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8
SHA51245e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55
-
Filesize
3.0MB
MD5951b9c287b1459f3ad0e22779a6d999e
SHA1a17cfe2ad70c6dc7fca315d5f88cf19f2683d006
SHA256ce50de3fb504c11827ad22791e6c165cb803cfd1c3039fedac3ab79641ae661b
SHA51210820bed94cc0dd8d8bd10f07f41982059afeff22d4a6d938a9dc1dd1921e4534d4ed5a7e8d3dd0effa49edfbc17bd23c4153127ef9d39af5787f37878096252
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
312KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
6.1MB
-
Filesize
320KB
-
Filesize
56KB
-
Filesize
1.8MB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
368KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
3.0MB