orcus | eac86f0d431431bfa29cfc4bbe2204c4124bce7c53535d37bed26f50a11d5241

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21-03-2023 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe
Size

905KB
MD5

4309184cb5cc16c9d398559f0488664d
SHA1

8e9eab97272652afa19b858a8722488388f68968
SHA256

5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789
SHA512

1c409bd9a97aa001e3807b1c3cb6c02eba8e41807cc87c14c642dc15ef582dc957db9fdf6009a2f5330407d625a6bb17f7a24d468ae996d30a5b0c955f54ba5e
SSDEEP

24576:ZVWC4MROxnFj31rkxrrcI0AilFEvxHPNbyooI:ZqMi1JqrrcI0AilFEvxHP

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

4.tcp.eu.ngrok.io:16452

Mutex

1b704d0841c7486288b6ef5dfe82a084

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
C:\Program Files\Windows NT\TableTextService\en-US\english.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
Cortana
watchdog_path
AppData\WindowsDefender.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 5 IoCs

Processes:

resource	yara_rule
\Program Files\Windows NT\TableTextService\en-US\english.exe	family_orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	family_orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	family_orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	family_orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	family_orcus

Orcurs Rat Executable 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1292-54-0x0000000000A80000-0x0000000000B68000-memory.dmp	orcus
\Program Files\Windows NT\TableTextService\en-US\english.exe	orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	orcus
behavioral1/memory/1204-69-0x0000000000D70000-0x0000000000E58000-memory.dmp	orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	orcus

Executes dropped EXE 4 IoCs

Processes:

english.exeenglish.exeWindowsDefender.exeWindowsDefender.exe

pid process

1204 english.exe
1232 english.exe
556 WindowsDefender.exe
1196 WindowsDefender.exe
Loads dropped DLL 2 IoCs

Processes:

5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exeenglish.exe

pid process

1292 5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe
1204 english.exe

pid	process
1204	english.exe
1232	english.exe
556	WindowsDefender.exe
1196	WindowsDefender.exe

pid	process
1292	5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe
1204	english.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

english.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\english.exe\""	english.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

Processes:

5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe

description	ioc	process
File created	C:\Program Files\Windows NT\TableTextService\en-US\english.exe	5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\english.exe	5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\english.exe.config	5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WindowsDefender.exeenglish.exe

pid	process
1196	WindowsDefender.exe
1196	WindowsDefender.exe
1196	WindowsDefender.exe
1204	english.exe
1204	english.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe
1196	WindowsDefender.exe
1204	english.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WindowsDefender.exeWindowsDefender.exeenglish.exe

description	pid	process
Token: SeDebugPrivilege	556	WindowsDefender.exe
Token: SeDebugPrivilege	1196	WindowsDefender.exe
Token: SeDebugPrivilege	1204	english.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exetaskeng.exeenglish.exeWindowsDefender.exe

description	pid	process	target process
PID 1292 wrote to memory of 1204	1292	5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe	english.exe
PID 1292 wrote to memory of 1204	1292	5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe	english.exe
PID 1292 wrote to memory of 1204	1292	5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe	english.exe
PID 1292 wrote to memory of 1204	1292	5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe	english.exe
PID 1732 wrote to memory of 1232	1732	taskeng.exe	english.exe
PID 1732 wrote to memory of 1232	1732	taskeng.exe	english.exe
PID 1732 wrote to memory of 1232	1732	taskeng.exe	english.exe
PID 1732 wrote to memory of 1232	1732	taskeng.exe	english.exe
PID 1204 wrote to memory of 556	1204	english.exe	WindowsDefender.exe
PID 1204 wrote to memory of 556	1204	english.exe	WindowsDefender.exe
PID 1204 wrote to memory of 556	1204	english.exe	WindowsDefender.exe
PID 1204 wrote to memory of 556	1204	english.exe	WindowsDefender.exe
PID 556 wrote to memory of 1196	556	WindowsDefender.exe	WindowsDefender.exe
PID 556 wrote to memory of 1196	556	WindowsDefender.exe	WindowsDefender.exe
PID 556 wrote to memory of 1196	556	WindowsDefender.exe	WindowsDefender.exe
PID 556 wrote to memory of 1196	556	WindowsDefender.exe	WindowsDefender.exe

C:\Users\Admin\AppData\Local\Temp\5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe
"C:\Users\Admin\AppData\Local\Temp\5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1292

C:\Program Files\Windows NT\TableTextService\en-US\english.exe
"C:\Program Files\Windows NT\TableTextService\en-US\english.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe" /launchSelfAndExit "C:\Program Files\Windows NT\TableTextService\en-US\english.exe" 1204 /protectFile
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe" /watchProcess "C:\Program Files\Windows NT\TableTextService\en-US\english.exe" 1204 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\system32\taskeng.exe
taskeng.exe {63AAB665-995E-40AE-B198-048DD37986D2} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Program Files\Windows NT\TableTextService\en-US\english.exe
"C:\Program Files\Windows NT\TableTextService\en-US\english.exe"
2⤵
- Executes dropped EXE
PID:1232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\TableTextService\en-US\english.exe
Filesize
905KB

MD5
4309184cb5cc16c9d398559f0488664d

SHA1
8e9eab97272652afa19b858a8722488388f68968

SHA256
5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789

SHA512
1c409bd9a97aa001e3807b1c3cb6c02eba8e41807cc87c14c642dc15ef582dc957db9fdf6009a2f5330407d625a6bb17f7a24d468ae996d30a5b0c955f54ba5e

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\english.exe
Filesize
905KB

MD5
4309184cb5cc16c9d398559f0488664d

SHA1
8e9eab97272652afa19b858a8722488388f68968

SHA256
5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789

SHA512
1c409bd9a97aa001e3807b1c3cb6c02eba8e41807cc87c14c642dc15ef582dc957db9fdf6009a2f5330407d625a6bb17f7a24d468ae996d30a5b0c955f54ba5e

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\english.exe
Filesize
905KB

MD5
4309184cb5cc16c9d398559f0488664d

SHA1
8e9eab97272652afa19b858a8722488388f68968

SHA256
5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789

SHA512
1c409bd9a97aa001e3807b1c3cb6c02eba8e41807cc87c14c642dc15ef582dc957db9fdf6009a2f5330407d625a6bb17f7a24d468ae996d30a5b0c955f54ba5e

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\english.exe
Filesize
905KB

MD5
4309184cb5cc16c9d398559f0488664d

SHA1
8e9eab97272652afa19b858a8722488388f68968

SHA256
5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789

SHA512
1c409bd9a97aa001e3807b1c3cb6c02eba8e41807cc87c14c642dc15ef582dc957db9fdf6009a2f5330407d625a6bb17f7a24d468ae996d30a5b0c955f54ba5e

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\english.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Program Files\Windows NT\TableTextService\en-US\english.exe
Filesize
905KB

MD5
4309184cb5cc16c9d398559f0488664d

SHA1
8e9eab97272652afa19b858a8722488388f68968

SHA256
5280de06cf2d668bceb7144acfc93125f97344c62891e49c319f5a6da6534789

SHA512
1c409bd9a97aa001e3807b1c3cb6c02eba8e41807cc87c14c642dc15ef582dc957db9fdf6009a2f5330407d625a6bb17f7a24d468ae996d30a5b0c955f54ba5e

Download Submit
\Users\Admin\AppData\Roaming\WindowsDefender.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
memory/556-85-0x0000000001340000-0x0000000001348000-memory.dmp

Filesize
32KB

Download
memory/1204-70-0x0000000000BD0000-0x0000000000C1E000-memory.dmp

Filesize
312KB

Download
memory/1204-86-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1204-89-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1204-74-0x0000000000D30000-0x0000000000D40000-memory.dmp

Filesize
64KB

Download
memory/1204-88-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1204-71-0x0000000004CF0000-0x0000000004D30000-memory.dmp

Filesize
256KB

Download
memory/1204-72-0x0000000000CF0000-0x0000000000D08000-memory.dmp

Filesize
96KB

Download
memory/1204-69-0x0000000000D70000-0x0000000000E58000-memory.dmp

Filesize
928KB

Download
memory/1232-75-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1292-56-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/1292-57-0x0000000000710000-0x000000000076C000-memory.dmp

Filesize
368KB

Download
memory/1292-54-0x0000000000A80000-0x0000000000B68000-memory.dmp

Filesize
928KB

Download
memory/1292-58-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/1292-55-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download