Overview

overview

10

Static

static

10

f6d66119_e...ed.exe

windows7_x64

10

f6d66119_e...ed.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    28-05-2021 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6d66119_extracted.exe

  • Size

    953KB

  • MD5

    7c0515a40b439d120deb649fb8ccafe3

  • SHA1

    c081cb8c417f69a8675f9c90b5cc6778d770d8a7

  • SHA256

    3f25bc78db5f00c85bbd8662838858fa12989976b7be9c70aa6f68fe92c78a53

  • SHA512

    12f160d3162f5fa8a62e972630e0e9c17385e7ab4a8760a8680f20a89f3acc64c1baff8a68b5a7b8e8f7785b72cac3ae7254bb1b223aacbe413a5e5a65455f41

Score
10/10
orcusstart - steamratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

Start - Steam

C2

185.217.1.185:911

Mutex

a36e4add169c442b882f8f0c5cb7e8cf

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programdata%\Steam\Steam Client.exe

  • reconnect_delay

    6600

  • registry_keyname

    Steam Webhelper Standalone

  • taskscheduler_taskname

    Steam Client WebHelper

  • watchdog_path

    Temp\Steam Client WebHelper.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus Main Payload 3 IoCs
  • Orcurs Rat Executable 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6d66119_extracted.exe
    "C:\Users\Admin\AppData\Local\Temp\f6d66119_extracted.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y-p2yf_o.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB973.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB972.tmp"
        3⤵
          PID:2204
      • C:\ProgramData\Steam\Steam Client.exe
        "C:\ProgramData\Steam\Steam Client.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4268
        • C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe
          "C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe" /launchSelfAndExit "C:\ProgramData\Steam\Steam Client.exe" 4268 /protectFile
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:492
          • C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe
            "C:\Users\Admin\AppData\Local\Temp\Steam Client WebHelper.exe" /watchProcess "C:\ProgramData\Steam\Steam Client.exe" 4268 "/protectFile"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1004
    • C:\ProgramData\Steam\Steam Client.exe
      "C:\ProgramData\Steam\Steam Client.exe"
      1⤵
      • Executes dropped EXE
      PID:3476

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/492-148-0x00000000009D0000-0x00000000009D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3036-122-0x00000000009B0000-0x00000000009B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3476-143-0x000000001BA90000-0x000000001BA92000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4268-132-0x0000000000F60000-0x0000000000F70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4268-136-0x0000000001240000-0x0000000001255000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4268-141-0x0000000001260000-0x000000000126C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4268-142-0x000000001B772000-0x000000001B774000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4268-133-0x0000000000F50000-0x0000000000F52000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4268-134-0x0000000002CB0000-0x0000000002CF8000-memory.dmp

      Filesize

      288KB

      Download

    • memory/4268-131-0x0000000000F20000-0x0000000000F2C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4268-130-0x000000001B770000-0x000000001B772000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4268-129-0x0000000002C50000-0x0000000002CAA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4268-150-0x000000001B774000-0x000000001B776000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4268-127-0x0000000000940000-0x0000000000941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4652-114-0x0000000001210000-0x0000000001212000-memory.dmp

      Filesize

      8KB

      Download