Overview

overview

10

Static

static

10

658CB5F3BD...83.exe

windows7_x64

10

658CB5F3BD...83.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    21-05-2021 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    658CB5F3BD26B13BB619C625501D7283.exe

  • Size

    907KB

  • MD5

    658cb5f3bd26b13bb619c625501d7283

  • SHA1

    55ed61f7bd39147201a022ec3f83edfc8c58e002

  • SHA256

    88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

  • SHA512

    d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

Score
10/10
orcuspeopleratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

People

C2

4.tcp.ngrok.io:16788

Mutex

55c8e5e3f5fe4794a3ef3a55735c66ad

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %appdata%\MultiRunner\MultiRunner.exe

  • reconnect_delay

    10000

  • registry_keyname

    MutliRunner

  • taskscheduler_taskname

    MultiRunner

  • watchdog_path

    AppData\MultiHelper.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus Main Payload 2 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\658CB5F3BD26B13BB619C625501D7283.exe
    "C:\Users\Admin\AppData\Local\Temp\658CB5F3BD26B13BB619C625501D7283.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3864
    • C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe
      "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Users\Admin\AppData\Roaming\MultiHelper.exe
        "C:\Users\Admin\AppData\Roaming\MultiHelper.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe" 2476 /protectFile
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3480
        • C:\Users\Admin\AppData\Roaming\MultiHelper.exe
          "C:\Users\Admin\AppData\Roaming\MultiHelper.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe" 2476 "/protectFile"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3228

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MultiHelper.exe.log
    MD5

    605f809fab8c19729d39d075f7ffdb53

    SHA1

    c546f877c9bd53563174a90312a8337fdfc5fdd9

    SHA256

    6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

    SHA512

    82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MultiHelper.exe
    MD5

    913967b216326e36a08010fb70f9dba3

    SHA1

    7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

    SHA256

    8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

    SHA512

    c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MultiHelper.exe
    MD5

    913967b216326e36a08010fb70f9dba3

    SHA1

    7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

    SHA256

    8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

    SHA512

    c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MultiHelper.exe
    MD5

    913967b216326e36a08010fb70f9dba3

    SHA1

    7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

    SHA256

    8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

    SHA512

    c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MultiHelper.exe.config
    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe
    MD5

    658cb5f3bd26b13bb619c625501d7283

    SHA1

    55ed61f7bd39147201a022ec3f83edfc8c58e002

    SHA256

    88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

    SHA512

    d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe
    MD5

    658cb5f3bd26b13bb619c625501d7283

    SHA1

    55ed61f7bd39147201a022ec3f83edfc8c58e002

    SHA256

    88f3320f4bcd533c568b9ba53205deb1b0e430c3c32a1dfa0bfded03851114a8

    SHA512

    d932c5b58120b466ae3451ececbb9fc323603d70b728294dce88e8b911c38dd65f0a81ec8fbba7f4c7dd2b9f9f3304de318a5297703e1d94204c89c3be55ad91

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MultiRunner\MultiRunner.exe.config
    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    Download Submit

  • memory/2476-134-0x0000000005B90000-0x0000000005BA5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/2476-122-0x0000000000000000-mapping.dmp

    Download

  • memory/2476-148-0x0000000004F93000-0x0000000004F95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2476-133-0x0000000005B20000-0x0000000005B68000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2476-146-0x0000000004F90000-0x0000000004F91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2476-135-0x0000000005ED0000-0x0000000005ED1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2476-136-0x0000000005D00000-0x0000000005D0C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2476-137-0x0000000006370000-0x0000000006371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3228-144-0x0000000000000000-mapping.dmp

    Download

  • memory/3480-142-0x0000000000E10000-0x0000000000E11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3480-138-0x0000000000000000-mapping.dmp

    Download

  • memory/3864-120-0x00000000052F0000-0x00000000052F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3864-119-0x0000000005750000-0x0000000005751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3864-118-0x0000000005140000-0x000000000519A000-memory.dmp

    Filesize

    360KB

    Download

  • memory/3864-117-0x0000000001240000-0x000000000124C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3864-116-0x0000000001250000-0x0000000001251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3864-114-0x0000000000810000-0x0000000000811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3864-121-0x0000000005230000-0x0000000005240000-memory.dmp

    Filesize

    64KB

    Download