orcus | 7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a

Analysis

max time kernel
137s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-02-2025 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe
Size

16.3MB
MD5

608e4e58655dfb340770b4a7054a8093
SHA1

5d054922ace64de66017d8d27c3b7206683d19b4
SHA256

7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a
SHA512

b506dbae0986e567b78fcc1da2760f08e1337321165aaf6e367039152ee14b498d44faa2c920763883d69cb139813db0d612b311aae0bd330013230f6f3668b3
SSDEEP

393216:C20EjcTK84e3km6NsO9l1dy1JCcYSwOshouIkPftRL54lR+:eE4CsAsWyDYSRwouTtRLf

Score

10^/10

orcus funpay discovery rat spyware stealer upx

Malware Config

Extracted

Family

orcus

Botnet

FunPay

31.44.184.52:44657

Mutex

sudo_vm3jypee5e4wpgyaqsjreb4akskikm0b

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\privategamebase\Discord.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d6d-8.dat	family_orcus

Orcurs Rat Executable 12 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d6d-8.dat	orcus
behavioral1/memory/2396-17-0x0000000000400000-0x000000000145A000-memory.dmp	orcus
behavioral1/memory/2516-45-0x0000000000830000-0x0000000000B74000-memory.dmp	orcus
behavioral1/memory/2608-61-0x00000000000A0000-0x00000000003E4000-memory.dmp	orcus
behavioral1/memory/3052-70-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/3052-68-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/3052-76-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/3052-74-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/3052-73-0x0000000000400000-0x0000000000744000-memory.dmp	orcus
behavioral1/memory/2836-79-0x00000000000D0000-0x0000000000414000-memory.dmp	orcus
behavioral1/memory/1828-216-0x0000000000280000-0x00000000005C4000-memory.dmp	orcus
behavioral1/memory/2884-218-0x0000000001380000-0x00000000016C4000-memory.dmp	orcus

Executes dropped EXE 9 IoCs

pid	Process
1332	SandeLLoCHECKER.exe
2516	Discord.exe
1252	Built.exe
2740	Built.exe
2608	Discord.exe
2836	Discord.exe
1216	Process not Found
1828	Discord.exe
2884	Discord.exe

Loads dropped DLL 10 IoCs

pid	Process
2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe
2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe
2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe
1252	Built.exe
2740	Built.exe
2516	Discord.exe
1748	MsiExec.exe
1748	MsiExec.exe
1748	MsiExec.exe
1216	Process not Found

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	SandeLLoCHECKER.exe
File opened (read-only)	\??\S:	SandeLLoCHECKER.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	SandeLLoCHECKER.exe
File opened (read-only)	\??\G:	SandeLLoCHECKER.exe
File opened (read-only)	\??\U:	SandeLLoCHECKER.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	SandeLLoCHECKER.exe
File opened (read-only)	\??\T:	SandeLLoCHECKER.exe
File opened (read-only)	\??\M:	SandeLLoCHECKER.exe
File opened (read-only)	\??\O:	SandeLLoCHECKER.exe
File opened (read-only)	\??\P:	SandeLLoCHECKER.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	SandeLLoCHECKER.exe
File opened (read-only)	\??\L:	SandeLLoCHECKER.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	SandeLLoCHECKER.exe
File opened (read-only)	\??\V:	SandeLLoCHECKER.exe
File opened (read-only)	\??\X:	SandeLLoCHECKER.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	SandeLLoCHECKER.exe
File opened (read-only)	\??\E:	SandeLLoCHECKER.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	SandeLLoCHECKER.exe
File opened (read-only)	\??\Z:	SandeLLoCHECKER.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	SandeLLoCHECKER.exe
File opened (read-only)	\??\R:	SandeLLoCHECKER.exe
File opened (read-only)	\??\J:	SandeLLoCHECKER.exe
File opened (read-only)	\??\Y:	SandeLLoCHECKER.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 3052	2608	Discord.exe	37

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019346-44.dat	upx
behavioral1/memory/2740-47-0x000007FEF5CD0000-0x000007FEF62B9000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SandeLLoCHECKER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	SandeLLoCHECKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SandeLLoCHECKER.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2516	Discord.exe
2608	Discord.exe
2608	Discord.exe
2608	Discord.exe
2608	Discord.exe
3052	regasm.exe
3052	regasm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1332	SandeLLoCHECKER.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	Discord.exe
Token: SeDebugPrivilege	2608	Discord.exe
Token: SeDebugPrivilege	3052	regasm.exe
Token: SeRestorePrivilege	2392	msiexec.exe
Token: SeTakeOwnershipPrivilege	2392	msiexec.exe
Token: SeSecurityPrivilege	2392	msiexec.exe
Token: SeCreateTokenPrivilege	1332	SandeLLoCHECKER.exe
Token: SeAssignPrimaryTokenPrivilege	1332	SandeLLoCHECKER.exe
Token: SeLockMemoryPrivilege	1332	SandeLLoCHECKER.exe
Token: SeIncreaseQuotaPrivilege	1332	SandeLLoCHECKER.exe
Token: SeMachineAccountPrivilege	1332	SandeLLoCHECKER.exe
Token: SeTcbPrivilege	1332	SandeLLoCHECKER.exe
Token: SeSecurityPrivilege	1332	SandeLLoCHECKER.exe
Token: SeTakeOwnershipPrivilege	1332	SandeLLoCHECKER.exe
Token: SeLoadDriverPrivilege	1332	SandeLLoCHECKER.exe
Token: SeSystemProfilePrivilege	1332	SandeLLoCHECKER.exe
Token: SeSystemtimePrivilege	1332	SandeLLoCHECKER.exe
Token: SeProfSingleProcessPrivilege	1332	SandeLLoCHECKER.exe
Token: SeIncBasePriorityPrivilege	1332	SandeLLoCHECKER.exe
Token: SeCreatePagefilePrivilege	1332	SandeLLoCHECKER.exe
Token: SeCreatePermanentPrivilege	1332	SandeLLoCHECKER.exe
Token: SeBackupPrivilege	1332	SandeLLoCHECKER.exe
Token: SeRestorePrivilege	1332	SandeLLoCHECKER.exe
Token: SeShutdownPrivilege	1332	SandeLLoCHECKER.exe
Token: SeDebugPrivilege	1332	SandeLLoCHECKER.exe
Token: SeAuditPrivilege	1332	SandeLLoCHECKER.exe
Token: SeSystemEnvironmentPrivilege	1332	SandeLLoCHECKER.exe
Token: SeChangeNotifyPrivilege	1332	SandeLLoCHECKER.exe
Token: SeRemoteShutdownPrivilege	1332	SandeLLoCHECKER.exe
Token: SeUndockPrivilege	1332	SandeLLoCHECKER.exe
Token: SeSyncAgentPrivilege	1332	SandeLLoCHECKER.exe
Token: SeEnableDelegationPrivilege	1332	SandeLLoCHECKER.exe
Token: SeManageVolumePrivilege	1332	SandeLLoCHECKER.exe
Token: SeImpersonatePrivilege	1332	SandeLLoCHECKER.exe
Token: SeCreateGlobalPrivilege	1332	SandeLLoCHECKER.exe
Token: SeCreateTokenPrivilege	1332	SandeLLoCHECKER.exe
Token: SeAssignPrimaryTokenPrivilege	1332	SandeLLoCHECKER.exe
Token: SeLockMemoryPrivilege	1332	SandeLLoCHECKER.exe
Token: SeIncreaseQuotaPrivilege	1332	SandeLLoCHECKER.exe
Token: SeMachineAccountPrivilege	1332	SandeLLoCHECKER.exe
Token: SeTcbPrivilege	1332	SandeLLoCHECKER.exe
Token: SeSecurityPrivilege	1332	SandeLLoCHECKER.exe
Token: SeTakeOwnershipPrivilege	1332	SandeLLoCHECKER.exe
Token: SeLoadDriverPrivilege	1332	SandeLLoCHECKER.exe
Token: SeSystemProfilePrivilege	1332	SandeLLoCHECKER.exe
Token: SeSystemtimePrivilege	1332	SandeLLoCHECKER.exe
Token: SeProfSingleProcessPrivilege	1332	SandeLLoCHECKER.exe
Token: SeIncBasePriorityPrivilege	1332	SandeLLoCHECKER.exe
Token: SeCreatePagefilePrivilege	1332	SandeLLoCHECKER.exe
Token: SeCreatePermanentPrivilege	1332	SandeLLoCHECKER.exe
Token: SeBackupPrivilege	1332	SandeLLoCHECKER.exe
Token: SeRestorePrivilege	1332	SandeLLoCHECKER.exe
Token: SeShutdownPrivilege	1332	SandeLLoCHECKER.exe
Token: SeDebugPrivilege	1332	SandeLLoCHECKER.exe
Token: SeAuditPrivilege	1332	SandeLLoCHECKER.exe
Token: SeSystemEnvironmentPrivilege	1332	SandeLLoCHECKER.exe
Token: SeChangeNotifyPrivilege	1332	SandeLLoCHECKER.exe
Token: SeRemoteShutdownPrivilege	1332	SandeLLoCHECKER.exe
Token: SeUndockPrivilege	1332	SandeLLoCHECKER.exe
Token: SeSyncAgentPrivilege	1332	SandeLLoCHECKER.exe
Token: SeEnableDelegationPrivilege	1332	SandeLLoCHECKER.exe
Token: SeManageVolumePrivilege	1332	SandeLLoCHECKER.exe
Token: SeImpersonatePrivilege	1332	SandeLLoCHECKER.exe
Token: SeCreateGlobalPrivilege	1332	SandeLLoCHECKER.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1332	SandeLLoCHECKER.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1332	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	30
PID 2396 wrote to memory of 1332	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	30
PID 2396 wrote to memory of 1332	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	30
PID 2396 wrote to memory of 1332	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	30
PID 2396 wrote to memory of 1332	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	30
PID 2396 wrote to memory of 1332	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	30
PID 2396 wrote to memory of 1332	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	30
PID 2396 wrote to memory of 2516	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	31
PID 2396 wrote to memory of 2516	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	31
PID 2396 wrote to memory of 2516	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	31
PID 2396 wrote to memory of 2516	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	31
PID 2396 wrote to memory of 2516	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	31
PID 2396 wrote to memory of 2516	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	31
PID 2396 wrote to memory of 2516	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	31
PID 2396 wrote to memory of 1252	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	32
PID 2396 wrote to memory of 1252	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	32
PID 2396 wrote to memory of 1252	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	32
PID 2396 wrote to memory of 1252	2396	7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe	32
PID 1252 wrote to memory of 2740	1252	Built.exe	33
PID 1252 wrote to memory of 2740	1252	Built.exe	33
PID 1252 wrote to memory of 2740	1252	Built.exe	33
PID 2516 wrote to memory of 2608	2516	Discord.exe	34
PID 2516 wrote to memory of 2608	2516	Discord.exe	34
PID 2516 wrote to memory of 2608	2516	Discord.exe	34
PID 2516 wrote to memory of 2608	2516	Discord.exe	34
PID 2516 wrote to memory of 2608	2516	Discord.exe	34
PID 2516 wrote to memory of 2608	2516	Discord.exe	34
PID 2516 wrote to memory of 2608	2516	Discord.exe	34
PID 2608 wrote to memory of 3012	2608	Discord.exe	36
PID 2608 wrote to memory of 3012	2608	Discord.exe	36
PID 2608 wrote to memory of 3012	2608	Discord.exe	36
PID 2608 wrote to memory of 3012	2608	Discord.exe	36
PID 2608 wrote to memory of 3012	2608	Discord.exe	36
PID 2608 wrote to memory of 3012	2608	Discord.exe	36
PID 2608 wrote to memory of 3012	2608	Discord.exe	36
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2608 wrote to memory of 3052	2608	Discord.exe	37
PID 2656 wrote to memory of 2836	2656	taskeng.exe	38
PID 2656 wrote to memory of 2836	2656	taskeng.exe	38
PID 2656 wrote to memory of 2836	2656	taskeng.exe	38
PID 2656 wrote to memory of 2836	2656	taskeng.exe	38
PID 2656 wrote to memory of 2836	2656	taskeng.exe	38
PID 2656 wrote to memory of 2836	2656	taskeng.exe	38
PID 2656 wrote to memory of 2836	2656	taskeng.exe	38
PID 2392 wrote to memory of 1748	2392	msiexec.exe	42
PID 2392 wrote to memory of 1748	2392	msiexec.exe	42
PID 2392 wrote to memory of 1748	2392	msiexec.exe	42
PID 2392 wrote to memory of 1748	2392	msiexec.exe	42
PID 2392 wrote to memory of 1748	2392	msiexec.exe	42
PID 2392 wrote to memory of 1748	2392	msiexec.exe	42
PID 2392 wrote to memory of 1748	2392	msiexec.exe	42
PID 2656 wrote to memory of 1828	2656	taskeng.exe	43
PID 2656 wrote to memory of 1828	2656	taskeng.exe	43
PID 2656 wrote to memory of 1828	2656	taskeng.exe	43

C:\Users\Admin\AppData\Local\Temp\7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe
"C:\Users\Admin\AppData\Local\Temp\7a3b4434bc8c5175b29c8c905e4b97b6e4bf6d9ae9371a25c8b12dc6cacc0d8a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER.exe
  "C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
    "C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:3012
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3052
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2740

C:\Windows\system32\taskeng.exe
taskeng.exe {A1ADECF7-401C-4397-B5F6-ECD6C69AA631} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1828
- C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2884

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C129AA8CE932F14D3C1781F45C319329 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1332\dialog.jpg

Filesize
36KB

MD5
abf1076064505dee794fa7aed67252b8

SHA1
358d4e501bb3007feece82a4039cc1050f23fab4

SHA256
fb0d133f05de6aa6a7a3491ae532191a60c438b35d9ff7bfec9e63131f6f0c73

SHA512
9a4680a8d186c1d7550b5e03cbdd095b0c88b2e0249a3af75fa0253d2c9a6f0aa1dd570ecf1a273683a14e6c7b5fb11678be3da439a3bf23eab790372e96e321

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC9D6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICBF6.tmp

Filesize
1.1MB

MD5
c04ed00ddcb3518e8cf6db24db294a50

SHA1
cc98cc3ab9c4371f85ea227d9f761bab4aa76baa

SHA256
3c21e1f3bb3ebeb5f0ff68658db8abd18b62f8b195288c4bf87936fc51f8ae9e

SHA512
736946a3130f294878ea51145960017babcc1b8ac2c96afd8b9e2a4d120f173afb84bbd04b6f0113f286d4bc671befecd4e92c582f1de1a0d5bc8738c3cae9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICCA2.tmp

Filesize
709KB

MD5
eb7811666ac7be6477e23af68511424f

SHA1
1623579c5a3710dcc694a2fd49defa27d56d9175

SHA256
ad706739b04256b9215e80d2d030863a37f0d7fd0e4071d0a3a73d6704d8bd8f

SHA512
3055baa15c92f476513c66a423043dc4b8c5f83f47643ad77665d6a2f823f4655bf4ae241d8af4bc34d53630df1c35989f0b11b934a631960668fcc7a8c81a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC9F8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12522\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F123046A-2CBF-4743-A59B-E3D2751B5780}\51B5780\SandeLLoCHECKER_Installer.msi

Filesize
3.9MB

MD5
e47c6582751cdc22d8c0eeac60de6d0b

SHA1
4c057d98754b09c95fcae46162673d1b241ccea4

SHA256
c645a247c399ae2e8ccf8f826415e7287b52080fcae3dac203e7e543fe792ccb

SHA512
2e2dc24e4cc1314f17506c0007f1e5c1200af1a2b14820968e7a1019c29b60913701beb5498a6c13e7cef938e98efa464b1cae2f5a8cc59c493caebfd158da5b

Download Submit
C:\Users\Admin\AppData\Roaming\privategamebase\Discord.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.4MB

MD5
271698776c17f52bdd5083bc872f2b69

SHA1
0827944c3617c5b8fcf119182fa26afef974b9e8

SHA256
e3cd396506f03d756d04ffd28759c296bc0176b584f27017ca504c6836241ff6

SHA512
b4a97ef4d4b65feab1bf3fe1e8f9824b1bec216099942212d2211ad04c9288f24155e220e531a72ae631e994b814210e2e74e7a81ba45e240b25a0621c439534

Download Submit
\Users\Admin\AppData\Local\Temp\Discord.exe

Filesize
3.2MB

MD5
90cd2e9c676fc284584653b5d4f95126

SHA1
4e1a138d45e7833d1eb4205606cdd7f4508bce5c

SHA256
5ccf3a06eeaa035c5b4b60f44e7820692c015208d62e415a3c224c009edde3df

SHA512
57166446c7743344914d2c1e089e066bc0ddddc29cb8e64e801f01c63f6287d524a3778a7d67070779e90ad31e7b0675f081dafbd32b34aa407e20706885a146

Download Submit
\Users\Admin\AppData\Local\Temp\MSICB68.tmp

Filesize
587KB

MD5
9e0aef52f6c03b2fea067342d9d4f22f

SHA1
d4431a858c8a7a79315829ec7aa82e838c2714f4

SHA256
42b8adafcb4e8496d9822a0c504f449e56456528a9251c153381d3f63d197e5b

SHA512
42858a6695d7906b3df4dc97f3b1fac737633a51ffb52e8ec8eddeb21f8cdb53c199bb698e54c4a931155eafd879de6fff114b84f298c84436b776e286ebeeb1

Download Submit
\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER.exe

Filesize
5.7MB

MD5
8a0591a6b534e32fa179f2d781b79026

SHA1
61e1aff6f862cbce0e1f6e9e70d186e5013d9846

SHA256
4df8350850592b587c4d2aaabddc8454bc4652df0082b85c3336139a9c6ea53e

SHA512
0a261afd07a152e0f4e7d4df8ad0d57c53e9690b0b4f7ed13614b60c55466bafa7ac70472f6b1b5b41e49b249f080ad3c4d440b655b631b17c3c7e1cea3055bd

Download Submit
memory/1828-216-0x0000000000280000-0x00000000005C4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-17-0x0000000000400000-0x000000000145A000-memory.dmp

Filesize
16.4MB

Download
memory/2516-48-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/2516-49-0x0000000000600000-0x000000000065C000-memory.dmp

Filesize
368KB

Download
memory/2516-50-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2516-45-0x0000000000830000-0x0000000000B74000-memory.dmp

Filesize
3.3MB

Download
memory/2608-62-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/2608-63-0x0000000004C20000-0x0000000004C6E000-memory.dmp

Filesize
312KB

Download
memory/2608-61-0x00000000000A0000-0x00000000003E4000-memory.dmp

Filesize
3.3MB

Download
memory/2740-47-0x000007FEF5CD0000-0x000007FEF62B9000-memory.dmp

Filesize
5.9MB

Download
memory/2836-79-0x00000000000D0000-0x0000000000414000-memory.dmp

Filesize
3.3MB

Download
memory/2884-218-0x0000000001380000-0x00000000016C4000-memory.dmp

Filesize
3.3MB

Download
memory/3052-68-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/3052-78-0x0000000000770000-0x0000000000788000-memory.dmp

Filesize
96KB

Download
memory/3052-80-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/3052-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-73-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/3052-74-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/3052-76-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/3052-66-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/3052-70-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download
memory/3052-64-0x0000000000400000-0x0000000000744000-memory.dmp

Filesize
3.3MB

Download