General
Target: Wave-Setup.exe
Size: 125.0MB
Sample: 250218-vx51pavkap
MD5: 9c2c4ff8c886747f36dfb60baf8dfc58
SHA1: 447c496617ce26d88040f6b927bd7758f895e704
SHA256: 5583231982fa337c0ade14f84301cbf2078656bcfe128f99dd082c3ec95cb4c7
SHA512: 0fc242a792479be540a8d78128efe566229f1b97c39bed840f813b81a5bc6504002f427e06eca14973e17c3789ec4f2d00a8cbbcbbcaa5629a34300fa9635a0f
SSDEEP: 24576:ZTZS04YNEMuExDiU6E5R9s8xY/2l/d4BNIbt+rx:ZTb4auS+UjfU2TgNIbt+r
Static task: static1
Behavioral task: behavioral1
Sample: Wave-Setup.exe
Resource: win10v2004-20250217-en
Malware Config
Extracted family: orcus
147.45.67.158
07a04be20fd64a6f98b69fb858017041
administration_rights_required: false
anti_debugger: false
anti_tcp_analyzer: false
antivm: false
autostart_method: 2
change_creation_date: false
force_installer_administrator_privileges: false
hide_file: false
install: false
installation_folder: %appdata%\Microsoft\Speech\wavecrack.exe
installservice: false
keylogger_enabled: false
newcreationdate: 02/18/2022 03:09:09
plugins: AgUFh/KmowjokAL8tAK+cicSsb2a/R0OQgBzAG8AZABQAHIAbwB0AGUAYwB0AGkAbwBuAAcDMQAuADAAQSA0ADcAZQBiADcANgA1ADAAMwA0ADkAOAA0ADcAYgA0AGEAOQBhAGYANQAyADEAMQBiADMANQA4ADYAMQA4ADQAAQXs/a7YDMDqAcy2Ar9g7F/XqzpdHw9EAGkAcwBhAGIAbABlAEQAZQBmAGUAbgBkAGUAcgAHAzIALgAwAEEgMABkADYAZABmADMAYwBiADgAOAA5ADIANABhADYAMwBhADkAYgBjADMAMgAyAGUAMAA2AGQANQAxADAAZABhAAEAAAQE
reconnect_delay: 10000
registry_autostart_keyname: Audio HD Driver
registry_hidden_autostart: false
set_admin_flag: false
tasksch_name: svchost.exe
tasksch_request_highest_privileges: false
try_other_autostart_onfail: false
Targets
Target: Wave-Setup.exe
Size: 125.0MB
Signatures
Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.
Modifies Windows Defender Real-time Protection settings
Orcus family
UAC bypass
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Windows security modification
Checks whether UAC is enabled
Hijack Execution Flow: Executable Installer File Permissions Weakness
  Possibly turns off User Account Control's privilege elevation for standard users.
Drops file in System32 directory
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (3)
    Windows Service (3)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (5)
    Disable or Modify Tools (5)
  Modify Registry (6)