orcus | 3e4ef7b0224b4601e28838ec6319634315025d824c1404a2a9e114139dbdbe21

General

Target

cd42f90ac522a1bf3a23764c700bbfa4.exe
Size

903KB
MD5

cd42f90ac522a1bf3a23764c700bbfa4
SHA1

0caaca5d0f02fe988b7c6629271dfb325431b71c
SHA256

3e4ef7b0224b4601e28838ec6319634315025d824c1404a2a9e114139dbdbe21
SHA512

6a4155f288155cd9b2da52275e30dad56390b12060841eb20ad2a68b6ea8d426c699bb40bc4abc80c146ed46d2e9b000d9198a52c379e9b9ed32d73ed49401c5

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

185.163.47.163:10134

Mutex

4ad7857f77a347b49a5a7908a4f79070

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus Main Payload 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	family_orcus
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	orcus
C:\Program Files\Orcus\Orcus.exe	orcus

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid process

204 Orcus.exe

pid	process
204	Orcus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Orcus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

cd42f90ac522a1bf3a23764c700bbfa4.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	cd42f90ac522a1bf3a23764c700bbfa4.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	cd42f90ac522a1bf3a23764c700bbfa4.exe

Drops file in Program Files directory 3 IoCs

Processes:

cd42f90ac522a1bf3a23764c700bbfa4.exe

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe	cd42f90ac522a1bf3a23764c700bbfa4.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	cd42f90ac522a1bf3a23764c700bbfa4.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	cd42f90ac522a1bf3a23764c700bbfa4.exe

Drops file in Windows directory 3 IoCs

Processes:

cd42f90ac522a1bf3a23764c700bbfa4.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	cd42f90ac522a1bf3a23764c700bbfa4.exe
File created	C:\Windows\assembly\Desktop.ini	cd42f90ac522a1bf3a23764c700bbfa4.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	cd42f90ac522a1bf3a23764c700bbfa4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Orcus.exe

description pid process

Token: SeDebugPrivilege 204 Orcus.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid process

204 Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid process

204 Orcus.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Orcus.exe

pid process

204 Orcus.exe

description	pid	process
Token: SeDebugPrivilege	204	Orcus.exe

pid	process
204	Orcus.exe

pid	process
204	Orcus.exe

pid	process
204	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

cd42f90ac522a1bf3a23764c700bbfa4.execsc.exe

description	pid	process	target process
PID 4044 wrote to memory of 2676	4044	cd42f90ac522a1bf3a23764c700bbfa4.exe	csc.exe
PID 4044 wrote to memory of 2676	4044	cd42f90ac522a1bf3a23764c700bbfa4.exe	csc.exe
PID 2676 wrote to memory of 3992	2676	csc.exe	cvtres.exe
PID 2676 wrote to memory of 3992	2676	csc.exe	cvtres.exe
PID 4044 wrote to memory of 204	4044	cd42f90ac522a1bf3a23764c700bbfa4.exe	Orcus.exe
PID 4044 wrote to memory of 204	4044	cd42f90ac522a1bf3a23764c700bbfa4.exe	Orcus.exe

C:\Users\Admin\AppData\Local\Temp\cd42f90ac522a1bf3a23764c700bbfa4.exe
"C:\Users\Admin\AppData\Local\Temp\cd42f90ac522a1bf3a23764c700bbfa4.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uuok-lwk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E1E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1E1D.tmp"
3⤵
PID:3992

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

MD5
cd42f90ac522a1bf3a23764c700bbfa4

SHA1
0caaca5d0f02fe988b7c6629271dfb325431b71c

SHA256
3e4ef7b0224b4601e28838ec6319634315025d824c1404a2a9e114139dbdbe21

SHA512
6a4155f288155cd9b2da52275e30dad56390b12060841eb20ad2a68b6ea8d426c699bb40bc4abc80c146ed46d2e9b000d9198a52c379e9b9ed32d73ed49401c5

Download Submit
C:\Program Files\Orcus\Orcus.exe

MD5
cd42f90ac522a1bf3a23764c700bbfa4

SHA1
0caaca5d0f02fe988b7c6629271dfb325431b71c

SHA256
3e4ef7b0224b4601e28838ec6319634315025d824c1404a2a9e114139dbdbe21

SHA512
6a4155f288155cd9b2da52275e30dad56390b12060841eb20ad2a68b6ea8d426c699bb40bc4abc80c146ed46d2e9b000d9198a52c379e9b9ed32d73ed49401c5

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E1E.tmp

MD5
17970f4bf64b7eefc27a244e9b6695ac

SHA1
64ec1eadefe14e9fad5558239f9f05ee6797f63e

SHA256
3393ad5e85e259ce09687ec6e99127b056b28bd8f840828e62b27c941d58247b

SHA512
a9c60345a3eab39531cec1fbd9a5de60fe7b0ceb64c969a7c944e7b1bfd03b510563ec96d5a0de825fb2c336b1354f109826ca329838114c651c87932b27105a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuok-lwk.dll

MD5
07e90dd8c6dc3610b97bee377d0cf19d

SHA1
f8af32e9927148f48aedc965825347a4fc121ba1

SHA256
c24f9b5e8be59f882e2c0f0fd94cf6f827cfbe29fd5d9a9ac44b4d5281bc3f05

SHA512
c817a05c8db7e095d47ccaaaccc5b4051cf55ac669f2db3c4ea057495ac4f4dab79e2ac320a96b22d24498965fbcdeb5411d84baddaa0b4078a447796102b8db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1E1D.tmp

MD5
fcea77a388eed2e2083950f2436da1b8

SHA1
8eb24713bdb23fed11df8798bde0f63dc70b265d

SHA256
ac21e042c2eb090ada98c2a460d1830892a855693bafe991c12ccb9d6e659201

SHA512
af50f7e22ab4b563a60f80e281d6272c393cac0d60b79e23723ac2e05fc9789873083ae93afeff1cf6d56614a88a393a83a0fb4bebc205b0b3a2283f98b3acb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uuok-lwk.0.cs

MD5
ca4c2b1fb793dc95dbe5b17c0d5c5cf6

SHA1
339269eafcc8e7dd337511bc9d064d6e90067d87

SHA256
936844ba404c62e4e382f9495780f3f4bb8d41f8c858ec1acee10f6cfb50cc90

SHA512
0931bceec188f4da13210a4f872603d10414e9884e3243d0e5e98b0182f7d15c18ce28a8cbcec0d88868793ceb5290ebf917607a484f11446d65695552870b14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uuok-lwk.cmdline

MD5
85a897d837383484c5ed81bf3d6aa20b

SHA1
8b01128aefbb845c8f169e9527fa2e53f7319508

SHA256
ebe1cdf50162bf15fb5dd7ccddcc0d94fca3ceb197786ef4d556e68ae33660d2

SHA512
b473c92796d03a72b89dd93d0847f52e50fe24bcc8f30def9cef849fef1ee47ecd5a2f46fbb3a519ed64aa7899044cad496afab7d0c1ecefabf5a07f8417879f

Download Submit
memory/204-129-0x000000001B550000-0x000000001B5AA000-memory.dmp

Filesize
360KB

Download
memory/204-132-0x000000001B5B0000-0x000000001B5F8000-memory.dmp

Filesize
288KB

Download
memory/204-140-0x000000001C790000-0x000000001C791000-memory.dmp

Filesize
4KB

Download
memory/204-139-0x000000001C490000-0x000000001C491000-memory.dmp

Filesize
4KB

Download
memory/204-138-0x000000001B660000-0x000000001B661000-memory.dmp

Filesize
4KB

Download
memory/204-127-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/204-137-0x00000000011D2000-0x00000000011D4000-memory.dmp

Filesize
8KB

Download
memory/204-130-0x0000000001180000-0x000000000118C000-memory.dmp

Filesize
48KB

Download
memory/204-131-0x00000000011C0000-0x00000000011D0000-memory.dmp

Filesize
64KB

Download
memory/204-123-0x0000000000000000-mapping.dmp

Download
memory/204-133-0x00000000011E0000-0x00000000011F5000-memory.dmp

Filesize
84KB

Download
memory/204-134-0x000000001BD60000-0x000000001BD61000-memory.dmp

Filesize
4KB

Download
memory/204-135-0x0000000001210000-0x000000000121C000-memory.dmp

Filesize
48KB

Download
memory/204-136-0x00000000011D0000-0x00000000011D2000-memory.dmp

Filesize
8KB

Download
memory/2676-115-0x0000000000000000-mapping.dmp

Download
memory/2676-122-0x0000000002230000-0x0000000002232000-memory.dmp

Filesize
8KB

Download
memory/3992-118-0x0000000000000000-mapping.dmp

Download
memory/4044-114-0x00000000027E0000-0x00000000027E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads