General
-
Target
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1
-
Size
3.9MB
-
Sample
220524-szkresbgcl
-
MD5
7185dd04ba69eac4b0c2b269843cfae3
-
SHA1
47427c2fb4e1a097304f801a9dc6815b84fa1519
-
SHA256
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1
-
SHA512
150a4450de27b0338628a88d66dc595dac942bd2e8dd5aab4c6bd5f340bfaeddc08f38bcc4b1991d67fa29178779718fc19676b65031b992f3db030eba281ce5
Static task
static1
Behavioral task
behavioral1
Sample
e65f0af765d6f45dca86b41090d47d66b9a1cef14e516e75504d8222277df8b1.exe
Resource
win7-20220414-en
Malware Config
Extracted
orcus
dontreachme.ddns.net:3600
dontreachme2.ddns.net:3600
637bdf863f424e26ae6741c39d47588d
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%appdata%\Windows Updater\Dupper.exe
-
reconnect_delay
10000
-
registry_keyname
WindowsUpdater
-
taskscheduler_taskname
WindowUpdater
-
watchdog_path
Temp\Updater.exe
Targets
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Orcus Main Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Orcus RAT Executable
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely used for geofencing.
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
-
Bootkit (1)
-
Modify Existing Service (1)
-
Registry Run Keys / Startup Folder (1)
-
Scheduled Task (1)
Defense Evasion
-
Disabling Security Tools (2)
-
Install Root Certificate (1)
-
Modify Registry (4)