Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
26/02/2025, 18:36
General
-
Target
BoostWare.exe
-
Size
9.6MB
-
MD5
1dc82cdf4c25c697678c3d95e12c494a
-
SHA1
7e52934ffb36810cc3ed9974e7f650a9f2e1ba2e
-
SHA256
5cf6ff4162d3eb61d3877ca0f2ab3174b95e210a8424134d4bc8698ba33e0ff3
-
SHA512
5531feda823aa5d73f3538b22731dd54b93e15da9ce4f3e52ec380e99b52dcb7ad269fd532784a92b76deb8c2365cc190b8f784c18af7f4115612df01272ac2c
-
SSDEEP
196608:XDPBJeZiU597HSECgB3Io5kG8s/CjAWmRYsDb7dXkDoJNrEiKkQQCncv:XFQZig97y0B375GIC0Qs8ovrEXcv
Malware Config
Extracted
orcus
Fortnite
82.9.246.24:8808
f65beca88ddb49089d3a6be2931bc598
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%programfiles%\Microsoft\Skype.exe
-
reconnect_delay
10000
-
registry_keyname
Skype
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\Skype.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcurs Rat Executable 2 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\BoostWare.exe"C:\Users\Admin\AppData\Local\Temp\BoostWare.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAbAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAagBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAdQBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAZABrACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Beta.exe"C:\Users\Admin\AppData\Local\Temp\Beta.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Rha4t.exe"C:\Users\Admin\AppData\Local\Temp\Rha4t.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Program Files\Microsoft\Skype.exe"C:\Program Files\Microsoft\Skype.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Skype.exe"C:\Users\Admin\AppData\Roaming\Skype.exe" /launchSelfAndExit "C:\Program Files\Microsoft\Skype.exe" 3516 /protectFile4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Skype.exe"C:\Users\Admin\AppData\Roaming\Skype.exe" /watchProcess "C:\Program Files\Microsoft\Skype.exe" 3516 "/protectFile"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\Microsoft\Skype.exe"C:\Program Files\Microsoft\Skype.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
6.7MB
MD5e7537ce869ffa596c293e451f3c8f726
SHA18873228a10fef6b3a5b05c9e2e447a1985841bcf
SHA2564d135ec8daf850061742ddd4d49155e6b57599af896deb056dd68d26a8d0c13f
SHA5123956b1cd36bf8fb73b411cba07d0c0e84e3e84b85d2d8234b65648a6826c11441d0963c04558831fbd5dc9e6fe04752557d6e0720afbe34c73e16b19f1eab561
-
Filesize
3.0MB
MD54676c622444293d23fc92c88b4d5de1f
SHA12a99665bd67956a8a55b0992ce736a55558f308e
SHA2563023628d4215c3441486912e46694f64ff34636e9513456f162f3c1fa0c03847
SHA512fb4b258db7d1b3962576d56af57a13962a8acff1233a58679c4286c2669a3e07888df24d9c28d9ab2fb8f5c3be4b3d51eedf7f0009de4bc02a52519f06af6990
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
9KB
MD58ace06702ec59d170ca2b31f95812e0f
SHA1de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA5125d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5
-
Filesize
159B
MD5740dde6369b1c855ea2f8e171fa888c8
SHA1db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c
-
Filesize
21KB
MD5a80be96476032d2eaa901d180fe9fb73
SHA1f378d0bc5fefb9ea0b5006f020091ffcbcd7acec
SHA256d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42
SHA512210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
64KB
-
Filesize
3.0MB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
368KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
1.0MB
-
Filesize
48KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.8MB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
352KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
216KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB