Overview (overall score 10/10)

Task scores (score out of 10, per task and platform):

Static                 -                    10
uploaded/0...de.exe    windows10-2004-x64    7
uploaded/0...03.exe    windows10-2004-x64    7
uploaded/0...03.exe    windows11-21h2-x64    7
uploaded/0...74.exe    windows10-2004-x64    5
uploaded/0...74.exe    windows11-21h2-x64    5
uploaded/1.exe         windows10-2004-x64    6
uploaded/1.exe         windows11-21h2-x64    6
uploaded/123.exe       windows10-2004-x64   10
uploaded/123.exe       windows11-21h2-x64   10
uploaded/1...f7.exe    windows10-2004-x64    5
uploaded/1...f7.exe    windows11-21h2-x64    5
uploaded/1...7b.exe    windows10-2004-x64    6
uploaded/1...7b.exe    windows11-21h2-x64    6
uploaded/1...1e.exe    windows10-2004-x64    1
uploaded/1...1e.exe    windows11-21h2-x64    1
Archivo_20...87.doc    windows10-2004-x64    6
Archivo_20...87.doc    windows11-21h2-x64   10
Refusal-21...1.xlsm    windows10-2004-x64   10
Refusal-21...1.xlsm    windows11-21h2-x64    6
uploaded/222.exe       windows10-2004-x64   10
uploaded/222.exe       windows11-21h2-x64   10
uploaded/2...29.doc    windows10-2004-x64   10
uploaded/2...29.doc    windows11-21h2-x64   10
uploaded/2...34.exe    windows10-2004-x64    3
uploaded/2...34.exe    windows11-21h2-x64    3
uploaded/2...47.exe    windows10-2004-x64    7
uploaded/2...47.exe    windows11-21h2-x64    7
uploaded/2...b2.exe    windows10-2004-x64    5
uploaded/2...b2.exe    windows11-21h2-x64    5
uploaded/3...92.exe    windows10-2004-x64    3
uploaded/3...92.exe    windows11-21h2-x64    3
uploaded/3...a4.exe    windows10-2004-x64    8

General
Target: 250602-pr9h2aer5w.bin
Size: 466.8MB
Sample: 250602-pyz8yaz1dy
MD5: 72364945b46c400678b30759b1cdda52
SHA1: 55c1e9725dab3925e63943c5aa4329d6fee0012d
SHA256: bd5ee1f6ebe18c36a0168c43f459f54fd133d35244b269e4ecef5bd2a484c72b
SHA512: 13a9ef2c624bde874181a33f21cf62f4ffa52a8a7e958a729088b7fab1462f4d71775934b10b1b1ac678f6e18d9f2832c33440aec8dbfe815348345bf8bbc42b
SSDEEP: 12582912:V3JuitJi1QjcTh6WzDfCP/Hs+6IQ23CvC9n6Vy8QC+xk:V3IiC1Q6hbzWPvs+TQICoOy//a
Tasks

Static task: static1

Behavioral tasks (sample, resource):
behavioral1:  uploaded/057c3508b21674c3ab95c4c0f26a7195a6aba8d35464dfc97d96452479d430de.exe, win10v2004-20250502-en
behavioral2:  uploaded/0f0d2abea57c5403fb538eef2e42d5003.exe, win10v2004-20250502-en
behavioral3:  uploaded/0f0d2abea57c5403fb538eef2e42d5003.exe, win11-20250502-en
behavioral4:  uploaded/0fec46875e62cf4c572c4cc4cc7e84374.exe, win10v2004-20250502-en
behavioral5:  uploaded/0fec46875e62cf4c572c4cc4cc7e84374.exe, win11-20250502-en
behavioral6:  uploaded/1.exe, win10v2004-20250502-en
behavioral7:  uploaded/1.exe, win11-20250502-en
behavioral8:  uploaded/123.exe, win10v2004-20250502-en
behavioral9:  uploaded/123.exe, win11-20250502-en
behavioral10: uploaded/1546d38e814b5348b877ade61fa7cc0f7.exe, win10v2004-20250502-en
behavioral11: uploaded/1546d38e814b5348b877ade61fa7cc0f7.exe, win11-20250502-en
behavioral12: uploaded/1812b1b80810a47d68157ec25c3a44e7b.exe, win10v2004-20250502-en
behavioral13: uploaded/1812b1b80810a47d68157ec25c3a44e7b.exe, win11-20250502-en
behavioral14: uploaded/19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e.exe, win10v2004-20250502-en
behavioral15: uploaded/19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e.exe, win11-20250502-en
behavioral16: Archivo_2001_2021_49-381887.doc, win10v2004-20250502-en
behavioral17: Archivo_2001_2021_49-381887.doc, win11-20250502-en
behavioral18: Refusal-217432546-01212021.xlsm, win10v2004-20250502-en
behavioral19: Refusal-217432546-01212021.xlsm, win11-20250508-en
behavioral20: uploaded/222.exe, win10v2004-20250502-en
behavioral21: uploaded/222.exe, win11-20250502-en
behavioral22: uploaded/2531 2212 2020 QG-826729.doc, win10v2004-20250502-en
behavioral23: uploaded/2531 2212 2020 QG-826729.doc, win11-20250502-en
behavioral24: uploaded/25f2c4054d0680fd51f2cf860055f2234.exe, win10v2004-20250502-en
behavioral25: uploaded/25f2c4054d0680fd51f2cf860055f2234.exe, win11-20250502-en
behavioral26: uploaded/2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147.exe, win10v2004-20250502-en
behavioral27: uploaded/2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147.exe, win11-20250502-en
behavioral28: uploaded/2e5473aa5ebf01ac5ce00c7ad537ddcb2.exe, win10v2004-20250502-en
behavioral29: uploaded/2e5473aa5ebf01ac5ce00c7ad537ddcb2.exe, win11-20250502-en
behavioral30: uploaded/387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092.exe, win10v2004-20250502-en
behavioral31: uploaded/387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092.exe, win11-20250502-en
behavioral32: uploaded/3c8ec4a8a8c3b1fbabc577576da5b70f5ddf3460b68775f3fbfa4fc07b6a7fa4.exe, win10v2004-20250502-en
Malware Config

Extracted config: orcus
192.168.171.129:10134
pont9245.ddns.net:7777
147.185.221.16:18244
hostip00.duckdns.org:10134
91.218.65.24:10134
s7vety-27063.portmap.host:27063
kissmyasshole.myddns.me:1012
186d21ec80e143edb3384fa80d4ee7f8
autostart_method: Disable
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Extracted config: orcus
Roblox script injector
youcantfindmelol.ddns.net:10134
de0e17d469cc46849280a8cd4d643763
autostart_method: Registry
enable_keylogger: true
install_path: %programfiles%\Java\Java.exe
reconnect_delay: 10000
registry_keyname: Java
taskscheduler_taskname: Java Updater
watchdog_path: Temp\Java Updater.exe
Extracted config: orcus
NEW
122.186.23.243:10134
c7798e5973374c92859ce651077d0576
autostart_method: Registry
enable_keylogger: true
install_path: %windir%\Desktop Window Manager.exe
reconnect_delay: 10000
registry_keyname: Program
taskscheduler_taskname: Windows
watchdog_path: AppData\OrcusWatchdog.exe
Extracted config: orcus
EMVLATEST
3.tcp.eu.ngrok.io:22028
699ea505fbd445a7924b6888db7a5f2a
autostart_method: Registry
enable_keylogger: true
install_path: %programfiles%\Windows Security\Microsoft Defender.exe
reconnect_delay: 10000
registry_keyname: javaservice
taskscheduler_taskname: win10service
watchdog_path: AppData\javaforwin.exe
Extracted config: asyncrat
0.5.7B
Default
friendlyman69.ddns.net:55042
AsyncMutex_6SI8OkPnk
delay: 3
install: true
install_file: lsass.exe
install_folder: %AppData%
Extracted config: darkcomet
gencode:
install: false
offline_keylogger: false
persistence: false
Extracted config: xworm
5.0
127.0.0.1:5555
hostz.hopto.org:5555
172.65.175.19:443
127.0.0.1:7000
council-amp.gl.at.ply.gg:59436
28.ip.gl.ply.gg:65453
Nyv6QFoXtqKjtLri
Install_directory: %Userprofile%
install_file: DMA Driver.exe
Extracted config: nanocore
1.2.2.0
90.120.50.244:2518
127.0.0.1:2518
6baeca53-6eec-4a83-8679-c479f2f1a649
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-11-20T17:31:41.353489336Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 2518
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 6baeca53-6eec-4a83-8679-c479f2f1a649
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 90.120.50.244
primary_dns_server: 8.8.8.8
request_elevation: false
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: false
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Extracted config: xworm
studies-license.gl.at.ply.gg:48057
dpwekwpd-58261.portmap.io:58261
127.0.0.1:7000
127.0.0.1:2321
133.23.21.222:2321
28.ip.gl.ply.gg:65453
Install_directory: %ProgramData%
install_file: USB.exe

Extracted config: umbral
https://discord.com/api/webhooks/1367163929452613703/0Ot4VsdGUKWdMg4T-pgsrzxgFAOyvGEFGDEYD7_CrEfiWkjJTQFitsIjIZavpL8rfypz

Extracted config: orcus
NOOB NONAME
26.223.23.213:25565
378fcdd4ef824c7db5946dd1cf8ec64f
autostart_method: Registry
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: Temp\OrcusWatchdog.exe
Targets

Target: uploaded/057c3508b21674c3ab95c4c0f26a7195a6aba8d35464dfc97d96452479d430de.exe
Size: 2.7MB
MD5: 2648c64711a910797ec85e145d45fe3e
SHA1: bca3cd7091f73be66213f7aac1bef1be1527bfb2
SHA256: 057c3508b21674c3ab95c4c0f26a7195a6aba8d35464dfc97d96452479d430de
SHA512: 129d8f7afbf4d05568df05319b2e684235e3392e3928252ad35c227abe22870114c6d343fded5ecbf98d105f16c7ddc0eb0487020f1b7efa785dcacd1c203e82
SSDEEP: 49152:ROnDZlOiVb/3pYBZpUh0QuM5enR/Iy1TqjUC6R5SAq6Iex20AB4T2zQbk3G4QZDv:ROzJVb/3QGgnR/Iy1TEUnbqiI0AB4XkC
Score: 7/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
Target: uploaded/0f0d2abea57c5403fb538eef2e42d5003.exe
Size: 409KB
MD5: 3d6531f8f4eb1b41f62e8a55f033735f
SHA1: aa250187efbbb4254d14949d862b41c6125b452c
SHA256: f7f8ca0ae4af42baa3586561ce73cea45445e439eec867091704a696de334e96
SHA512: 505bb32692f7e65106dc55eb8fdb9eb0b4b095d1fbc6b3c33d496fbd9f540e7c05c0f42df3401c7d1933f0f48fb51844e61c5b6bdbf29a2d2ff273366076a121
SSDEEP: 12288:P//ZbUXN0kCD9pZ4QQxCQDrX2t9xqkHE7J:P3Zbm0BZvQxCgrXS9f6
Score: 7/10
Signatures:
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
Target: uploaded/0fec46875e62cf4c572c4cc4cc7e84374.exe
Size: 73KB
MD5: c0bae473a586ca639fd3f0e2113ae32c
SHA1: 562c4595d866f71de81d72f2a1356dd0b266aa2f
SHA256: d423b582ccf801825bf5a60d1c0a0ffdf5b06704507f327873d4790029753ffe
SHA512: 947863e46bb0a1275343a7383d6708dcacc1e53e9e6ff6c1006f527d838f7836670af9a446a01c11c01b292e8096ce8f3b51de7d8d142a17c691342ba00d3309
SSDEEP: 1536:Hj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtP43KBp:3bFMzTFq+N48UxpP
Target: uploaded/1.exe
Size: 913KB
MD5: c02308ef085b976898fa42b065254aa2
SHA1: 95e03e7644a56af5fefc12c32b2c86b2c20fe5af
SHA256: 6b4adc3f05b6f7968d826b26b6a472ad3906a5b659eae167bd3a922415c6133d
SHA512: e64ee710eb5fedb7d7220a8876b64945a76f70e2880100b30d340e346d0880a98085c8c183f2796f6c706347de030124daeb5a8fcda7aff578bf1cb88ee484e5
SSDEEP: 24576:X+5T4MROxnFm5bHKTlQZrZlI0AilFEvxHizS9:u50MiAZrZlI0AilFEvxHi
Score: 6/10
Signatures:
- Drops desktop.ini file(s)
Target: uploaded/123.exe
Size: 903KB
MD5: 264e7741729c68da987f40f4cd19a36f
SHA1: 16dc103026652605229355ced92127fd1c85bbc2
SHA256: 94ad5e95fc0167221e93b241d4890649158fb8a59272d9e96ad741d3b7e51fff
SHA512: e2d5bd4fd3e08f69cb225e5c72d2a515770292df59c14c6f20c45cc1736145dc148ab2a05ff78ab560a84ca696fb7937a9a8d193696a2b8337eabc5f07ed9168
SSDEEP: 12288:00XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCVyrO12nIMmJPepjikbQ7dG1lF/:qPF4MROxnFNHrrcI0AilFEvxHPmooo
Signatures:
- Orcus family
- Orcurs Rat Executable
Target: uploaded/1546d38e814b5348b877ade61fa7cc0f7.exe
Size: 73KB
MD5: 2bbc55048c13c64ff4f381d02fd2e37d
SHA1: c0de7b7c3bc33898db1134126bad349abc6eec6e
SHA256: ba06a9df44bb8d2439f9ec8ef3cf7ab8349abdc9dc60593f5718785ceb4e7e76
SHA512: 3b9a62cb11ad5c5abc3466d4e2208242c421d801bbae4151fc36754d7c579cabe661a06ffa7bf30ad6257fa80f343ab295836281711396abffd0bdfe5dff6548
SSDEEP: 1536:zj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtDl3K7:LbFMzTFq+N48U1E7
Target: uploaded/1812b1b80810a47d68157ec25c3a44e7b.exe
Size: 124KB
MD5: 1b83cb61b35c039591f2ff3380e04d81
SHA1: f70328bdcddd8b70c847db5eba6f8fe777f99397
SHA256: 790353165b689048a77a6aa76010b561db500d85e3d3509b1ce869204129de49
SHA512: 3f43b80d07db00cb204890c9b62fe0563d456d6621a2bfacdbf9568b1e03562197fec849896c804b8c2fdc2f686fa2a244ad69261d2919b74857b973fe02e733
SSDEEP: 3072:5hjQjOmwnvFHygjCLf85f5EuO2qixYDZFeEI7:5hjVvFSgjCLf85f5h4ixYDZFm7
Score: 6/10
Signatures:
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
Target: uploaded/19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e.exe
Size: 1.9MB
MD5: 7c282de58057bcbd9fd001d5bd5c9728
SHA1: 13080576fcdd77d6219c948f33e242a1a3f19efb
SHA256: 19a972ce0137c326e9a800096bc442276468096ad02c6dec2aba37564d0e441e
SHA512: 15221e1da59d05d011809d95b3c235356cebc341ba04190edee4e1143bf3a5c415809a427419cf08f8a10c0c7772bc1427412199fbd588e6adfbca285e2d9eb4
SSDEEP: 49152:1fDODfDFnzD1Us+kMg7ZFZrr89UfT3MF:Cr8AMF
Score: 1/10
Target: Archivo_2001_2021_49-381887.doc
Size: 158KB
MD5: 74ab40efc21fceb14a432f7c4d000b67
SHA1: 5fb79750ab4f78e18c3d1800be5b2e9ac0959db3
SHA256: 89680559595f62f12bfdd9338c525133244ea6b7f23bb9b5b798ce04232817f0
SHA512: d2abd2bebf5485aeaa570b4d019c426afaa1173f4f428eafecc617072c7f86242db306098ec3081135e71c69ae18b0f28504313f5f0cdd70f8634c3d1ed8a70d
SSDEEP: 3072:OL1QUTdcrrXyQBsc0vWJVi4IrwVdmZVT2Vq:OLC9PII4R2V
Score: 10/10
Signatures:
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
Target: Refusal-217432546-01212021.xlsm
Size: 25KB
MD5: 7a0ca2f162b86659f47411d39f8be75e
SHA1: 8ee78da95af22a1d01d3ec035eaccdeb5be44276
SHA256: 70a5d9ef163f6e6c7e32c366363d7d4e9a6cbb06df84802edd177acb907fe092
SHA512: c22ffe07d03a3d605e77da77d4a8f5425bc32ae7da5bf1abe558b265f8cd396d83f4f438b620611f65b6d0383e75cf197d75807036f733123cc820f5ee471a95
SSDEEP: 384:4Mfowh92aGcoKKRR6xt7k5SV8m2ylTQ8aoVT0QNuzWKP8WZoms:4MflhQaGc7SsFk5S6f6TfW+u7DZRs
Score: 10/10
Signatures:
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
Target: uploaded/222.exe
Size: 907KB
MD5: 9474c8c2696babee986e8ae1bc46bd78
SHA1: 1bcbfc24030a8e09c15055ad90685cac7af24cb1
SHA256: b2f324d6ae851aa65773d233201d58ac5230d525281afd1775e0b82514ac9645
SHA512: bf03529601fb0a935188c6efd72e5d752aed5c23085ade870a385c47b746b8ce9927527c78ab61c28a4d4b8cf23217b1e74e76ee6e1644d85439646a216f5153
SSDEEP: 24576:ocI4MROxnFj3qxXFHXRrZlI0AilFEvxHiW8F:ocrMi1mRhrZlI0AilFEvxHiW
Signatures:
- Orcus family
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Drops desktop.ini file(s)
Target: uploaded/2531 2212 2020 QG-826729.doc
Size: 213KB
MD5: cf288a156f60cf132cf14c617b41a154
SHA1: b4dbb03f48b651d2a81849a12049a9ac9f5295a2
SHA256: 3a15b42c4692483aedb912298719b52e5513cf3d2a58ffca07c78fa8c48b536c
SHA512: f694cfad3e816fc7af937a6eca905ae4c1fa71fc1be1a2c4f56b9060bdfc2eb0fee520698b80bb92bdbfffedd13c50946a5e08f1f8e863a259629e9e419b754c
SSDEEP: 3072:O9ufstRUUKSns8T00JSHUgteMJ8qMD7gRyHYbwRe/dNx0tcn15rJDMsIxS:O9ufsfgIf0pLxbwQlNx0tw15rJDMsIxS
Score: 10/10
Signatures:
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
Target: uploaded/25f2c4054d0680fd51f2cf860055f2234.exe
Size: 162KB
MD5: 91106264680a5cc064c550a62c8650c7
SHA1: 67758edc66f1160728b82ab7608bb0cf1ad7fc5a
SHA256: b3fb1ae7923313ad51ec2101c28fd1f1417cc987f33272227fdc1745c5e5261b
SHA512: 4a5dc892381f09c7628f71c386756026ca432e4614e26a46309fdd9d2453c76643f58ebe8e61cc0d567cb563a0ab484f18b85c90afa9b65aef14863fc166dbf3
SSDEEP: 3072:0LzOI+8oz3Y+u1gb2KoTJBJsHZ4AYsRmwRCRJJI3itUWJNem6q:0H2zTu1gbAvMZ4A9RPLpy
Score: 3/10
Target: uploaded/2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147.exe
Size: 9.8MB
MD5: 23e735b01c2f68b79d9e6cd8ac8e42f4
SHA1: b3edba909b2fbdd8d0217bb956f3ee500f9ab137
SHA256: 2bb792ea1927ddd3a5a245eaf96c06ca2598191f670750c24d5b9ed47f20e147
SHA512: 44a0a253919ef8a956799bfd3fcd4e40dcbe21ef493a98597d798ed8c53f7d4e801b7f43c182d3df970f185696d46dcc05bb1f94895a863875da94ce282837ff
SSDEEP: 196608:JGtFyDDwRv5DFUhA7yUjCaoQLXtN9rEs2oLkdDPbrTOjJ/XY2a8nH36CJ5:otFyDDwRvl6hTjaoALAoL6DzrTYvvaK5
Score: 7/10
Signatures:
- Loads dropped DLL
Target: uploaded/2e5473aa5ebf01ac5ce00c7ad537ddcb2.exe
Size: 73KB
MD5: e1a1a8ec650e500872946774b1b9c30e
SHA1: 0622e0ab98bcd1a289732e4cad457e1474d84b4a
SHA256: 43e54d4e4f485f789739694024b6136f5e5215172555a846608abc8f5386c19a
SHA512: fe659312fcb4ce55ece76bafbd61ffce5774fa51223b215276d4e1eac4176f0a717749ddc4af97d2bf7a81242d1ae5b25ae08329b245ab6a64e11fd2ccb0fa9a
SSDEEP: 1536:sj0eb32T01PQb3zTjbM6ptmJTYHjR9Ob4UGpGtfW3Kn8:KbFMzTFq+N48UVj8
Target: uploaded/387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092.exe
Size: 144KB
MD5: c2a760c6461449ac1d5a5538242bed11
SHA1: 59684c6261afc698c0f6a46658986f0268f4c5a0
SHA256: 387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092
SHA512: b00734a77c70f18ed10049c67823316498208b32e9f662f9fa56074b862bd8606826947f8cb394ed48d0d9b88f47e7fa214153e53fbc83c60bb7075d57375dd8
SSDEEP: 3072:/29rIyJvv9Gq9q/uNKFO+oFGqN/xJCpgDjXYQWNoF97PYJ:e98S9Gq9WM5Z2mbYQWNslY
Score: 3/10
Target: uploaded/3c8ec4a8a8c3b1fbabc577576da5b70f5ddf3460b68775f3fbfa4fc07b6a7fa4.exe
Size: 11.8MB
MD5: b777cfa3f6c7d8ad118caf620908a60d
SHA1: 46a0af09d1901ceaca3ccde27499ee1b91cdf0e1
SHA256: 3c8ec4a8a8c3b1fbabc577576da5b70f5ddf3460b68775f3fbfa4fc07b6a7fa4
SHA512: f41be2c1673f8fe1f884b36a74b0e2e906702432375aab0934e7afaf329a576943a077a7369adf134136be26b823a699c025d3e5c0a7e54bf1d939a25ddf8745
SSDEEP: 196608:54F1KIlUrJyTOZzEwLVa1XwETq4FHsm1hmKXdFL5d3IH:yF4LyTOZ3LVgXwCDFHsm1hm8dJI
Score: 8/10
Signatures:
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v16 (count of matching signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)