Overview

overview

10

Static

static

10

25BE4FB3B1...8A.exe

windows7_x64

10

25BE4FB3B1...8A.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    29-06-2021 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25BE4FB3B1C478E02194503047AC838A.exe

  • Size

    911KB

  • MD5

    25be4fb3b1c478e02194503047ac838a

  • SHA1

    a4223aa801bae210d077ea9c30835bdd3a82aa22

  • SHA256

    28506529f97de0d6a877427c102e62425f63c764dd2d55f4510dcc5d49335085

  • SHA512

    67cf89cd1d3592044d878f4876a2f7a2a2e8412ec13c16b977b2ba8512cd94970c8058479e39c436691d1c95f3c795feb9ce464cbb4923bf8e12b74c03f71df6

Score
10/10
orcuspersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

C2

74.201.28.60:4296

Mutex

Hysteria4

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe

  • reconnect_delay

    10000

  • registry_keyname

    Hysteria

  • taskscheduler_taskname

    Hysteria

  • watchdog_path

    AppData\WindowsUserApplicationData.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus Main Payload 3 IoCs
  • Orcurs Rat Executable 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25BE4FB3B1C478E02194503047AC838A.exe
    "C:\Users\Admin\AppData\Local\Temp\25BE4FB3B1C478E02194503047AC838A.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Users\Admin\AppData\Roaming\WindowsUserApplicationData.exe
        "C:\Users\Admin\AppData\Roaming\WindowsUserApplicationData.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe" 3944
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3396
        • C:\Users\Admin\AppData\Roaming\WindowsUserApplicationData.exe
          "C:\Users\Admin\AppData\Roaming\WindowsUserApplicationData.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe" 3944
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3992
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe"
    1⤵
    • Executes dropped EXE
    PID:3148

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsUserApplicationData.exe.log
    MD5

    605f809fab8c19729d39d075f7ffdb53

    SHA1

    c546f877c9bd53563174a90312a8337fdfc5fdd9

    SHA256

    6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

    SHA512

    82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe
    MD5

    25be4fb3b1c478e02194503047ac838a

    SHA1

    a4223aa801bae210d077ea9c30835bdd3a82aa22

    SHA256

    28506529f97de0d6a877427c102e62425f63c764dd2d55f4510dcc5d49335085

    SHA512

    67cf89cd1d3592044d878f4876a2f7a2a2e8412ec13c16b977b2ba8512cd94970c8058479e39c436691d1c95f3c795feb9ce464cbb4923bf8e12b74c03f71df6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe
    MD5

    25be4fb3b1c478e02194503047ac838a

    SHA1

    a4223aa801bae210d077ea9c30835bdd3a82aa22

    SHA256

    28506529f97de0d6a877427c102e62425f63c764dd2d55f4510dcc5d49335085

    SHA512

    67cf89cd1d3592044d878f4876a2f7a2a2e8412ec13c16b977b2ba8512cd94970c8058479e39c436691d1c95f3c795feb9ce464cbb4923bf8e12b74c03f71df6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe
    MD5

    25be4fb3b1c478e02194503047ac838a

    SHA1

    a4223aa801bae210d077ea9c30835bdd3a82aa22

    SHA256

    28506529f97de0d6a877427c102e62425f63c764dd2d55f4510dcc5d49335085

    SHA512

    67cf89cd1d3592044d878f4876a2f7a2a2e8412ec13c16b977b2ba8512cd94970c8058479e39c436691d1c95f3c795feb9ce464cbb4923bf8e12b74c03f71df6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O\WindowsUserApplicationData.exe.config
    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WindowsUserApplicationData.exe
    MD5

    913967b216326e36a08010fb70f9dba3

    SHA1

    7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

    SHA256

    8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

    SHA512

    c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WindowsUserApplicationData.exe
    MD5

    913967b216326e36a08010fb70f9dba3

    SHA1

    7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

    SHA256

    8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

    SHA512

    c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WindowsUserApplicationData.exe
    MD5

    913967b216326e36a08010fb70f9dba3

    SHA1

    7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

    SHA256

    8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

    SHA512

    c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WindowsUserApplicationData.exe.config
    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    Download Submit

  • memory/3148-145-0x00000000051E0000-0x00000000051E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3188-119-0x00000000053C0000-0x00000000053C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3188-114-0x0000000000510000-0x0000000000511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3188-121-0x0000000004F40000-0x0000000004F50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3188-120-0x0000000004F60000-0x0000000004F61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3188-118-0x0000000004E60000-0x0000000004EBA000-memory.dmp

    Filesize

    360KB

    Download

  • memory/3188-117-0x00000000029E0000-0x00000000029EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3188-116-0x0000000002A40000-0x0000000002A41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3396-150-0x00000000008A0000-0x00000000008A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3396-146-0x0000000000000000-mapping.dmp

    Download

  • memory/3944-122-0x0000000000000000-mapping.dmp

    Download

  • memory/3944-160-0x0000000007900000-0x0000000007901000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-143-0x0000000006710000-0x0000000006711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-142-0x0000000006540000-0x000000000654C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3944-164-0x0000000001813000-0x0000000001815000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3944-137-0x0000000006390000-0x00000000063A5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3944-133-0x0000000005CE0000-0x0000000005D28000-memory.dmp

    Filesize

    288KB

    Download

  • memory/3944-157-0x00000000076E0000-0x00000000076E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-158-0x0000000007E90000-0x0000000007E91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-159-0x00000000078A0000-0x00000000078A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-144-0x0000000001810000-0x0000000001811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-161-0x0000000007940000-0x0000000007941000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-162-0x0000000007AB0000-0x0000000007AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3944-163-0x00000000084A0000-0x00000000084A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3992-152-0x0000000000000000-mapping.dmp

    Download