orcus | 144947ddb462ddbdb8a4f1e3fdca9278e268e5fb918f154897477776676cdf7a

Analysis

max time kernel
159s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe
Size

905KB
MD5

184e63d8cc64364cc3878378e56874ec
SHA1

29b0f6419e8d44ac70f0a8a8e91175b46238d093
SHA256

ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60
SHA512

5f8254cdcd387f496ab5c3e6a77552264ead620721f27ef080c5139dacfc923345db030132f54791c64e7ae18b1aec14fbb7cf4a2111e22d8e6b93a40e560e8d
SSDEEP

24576:9Aw4MROxnFj3IrkxrrcI0AilFEvxHPTToo4:9WMi1UqrrcI0AilFEvxHP

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

4.tcp.eu.ngrok.io:16452

Mutex

1b704d0841c7486288b6ef5dfe82a084

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
C:\Program Files\Windows NT\TableTextService\en-US\english.exe
reconnect_delay
10000
registry_keyname
svchost
taskscheduler_taskname
Cortana
watchdog_path
AppData\WindowsDefender.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 4 IoCs

Processes:

resource	yara_rule
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	family_orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	family_orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	family_orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	family_orcus

Orcurs Rat Executable 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3460-133-0x00000000005E0000-0x00000000006C8000-memory.dmp	orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	orcus
C:\Program Files\Windows NT\TableTextService\en-US\english.exe	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exeenglish.exeWindowsDefender.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	english.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe

Executes dropped EXE 4 IoCs

Processes:

english.exeenglish.exeWindowsDefender.exeWindowsDefender.exe

pid process

1572 english.exe
4312 english.exe
4200 WindowsDefender.exe
2352 WindowsDefender.exe

pid	process
1572	english.exe
4312	english.exe
4200	WindowsDefender.exe
2352	WindowsDefender.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

english.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\english.exe\""	english.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

Processes:

ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe

description	ioc	process
File created	C:\Program Files\Windows NT\TableTextService\en-US\english.exe	ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\english.exe	ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\english.exe.config	ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WindowsDefender.exeenglish.exe

pid	process
2352	WindowsDefender.exe
2352	WindowsDefender.exe
1572	english.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
2352	WindowsDefender.exe
1572	english.exe
1572	english.exe
2352	WindowsDefender.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
1572	english.exe
2352	WindowsDefender.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
1572	english.exe
2352	WindowsDefender.exe
2352	WindowsDefender.exe
1572	english.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
2352	WindowsDefender.exe
1572	english.exe
1572	english.exe
2352	WindowsDefender.exe
1572	english.exe
2352	WindowsDefender.exe
2352	WindowsDefender.exe
1572	english.exe
1572	english.exe
2352	WindowsDefender.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WindowsDefender.exeWindowsDefender.exeenglish.exe

description	pid	process
Token: SeDebugPrivilege	4200	WindowsDefender.exe
Token: SeDebugPrivilege	2352	WindowsDefender.exe
Token: SeDebugPrivilege	1572	english.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exeenglish.exeWindowsDefender.exe

description	pid	process	target process
PID 3460 wrote to memory of 1572	3460	ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe	english.exe
PID 3460 wrote to memory of 1572	3460	ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe	english.exe
PID 3460 wrote to memory of 1572	3460	ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe	english.exe
PID 1572 wrote to memory of 4200	1572	english.exe	WindowsDefender.exe
PID 1572 wrote to memory of 4200	1572	english.exe	WindowsDefender.exe
PID 1572 wrote to memory of 4200	1572	english.exe	WindowsDefender.exe
PID 4200 wrote to memory of 2352	4200	WindowsDefender.exe	WindowsDefender.exe
PID 4200 wrote to memory of 2352	4200	WindowsDefender.exe	WindowsDefender.exe
PID 4200 wrote to memory of 2352	4200	WindowsDefender.exe	WindowsDefender.exe

C:\Users\Admin\AppData\Local\Temp\ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe
"C:\Users\Admin\AppData\Local\Temp\ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3460

C:\Program Files\Windows NT\TableTextService\en-US\english.exe
"C:\Program Files\Windows NT\TableTextService\en-US\english.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe" /launchSelfAndExit "C:\Program Files\Windows NT\TableTextService\en-US\english.exe" 1572 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
"C:\Users\Admin\AppData\Roaming\WindowsDefender.exe" /watchProcess "C:\Program Files\Windows NT\TableTextService\en-US\english.exe" 1572 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Program Files\Windows NT\TableTextService\en-US\english.exe
"C:\Program Files\Windows NT\TableTextService\en-US\english.exe"
1⤵
- Executes dropped EXE
PID:4312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\TableTextService\en-US\english.exe
Filesize
905KB

MD5
184e63d8cc64364cc3878378e56874ec

SHA1
29b0f6419e8d44ac70f0a8a8e91175b46238d093

SHA256
ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60

SHA512
5f8254cdcd387f496ab5c3e6a77552264ead620721f27ef080c5139dacfc923345db030132f54791c64e7ae18b1aec14fbb7cf4a2111e22d8e6b93a40e560e8d

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\english.exe
Filesize
905KB

MD5
184e63d8cc64364cc3878378e56874ec

SHA1
29b0f6419e8d44ac70f0a8a8e91175b46238d093

SHA256
ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60

SHA512
5f8254cdcd387f496ab5c3e6a77552264ead620721f27ef080c5139dacfc923345db030132f54791c64e7ae18b1aec14fbb7cf4a2111e22d8e6b93a40e560e8d

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\english.exe
Filesize
905KB

MD5
184e63d8cc64364cc3878378e56874ec

SHA1
29b0f6419e8d44ac70f0a8a8e91175b46238d093

SHA256
ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60

SHA512
5f8254cdcd387f496ab5c3e6a77552264ead620721f27ef080c5139dacfc923345db030132f54791c64e7ae18b1aec14fbb7cf4a2111e22d8e6b93a40e560e8d

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\english.exe
Filesize
905KB

MD5
184e63d8cc64364cc3878378e56874ec

SHA1
29b0f6419e8d44ac70f0a8a8e91175b46238d093

SHA256
ddad33460be1dfc2c1739e69a6be544049fb471346c489da162926ef44acfe60

SHA512
5f8254cdcd387f496ab5c3e6a77552264ead620721f27ef080c5139dacfc923345db030132f54791c64e7ae18b1aec14fbb7cf4a2111e22d8e6b93a40e560e8d

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\english.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefender.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
memory/1572-156-0x00000000068C0000-0x00000000068CA000-memory.dmp

Filesize
40KB

Download
memory/1572-153-0x0000000001A30000-0x0000000001A40000-memory.dmp

Filesize
64KB

Download
memory/1572-174-0x0000000001A30000-0x0000000001A40000-memory.dmp

Filesize
64KB

Download
memory/3460-137-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/3460-133-0x00000000005E0000-0x00000000006C8000-memory.dmp

Filesize
928KB

Download
memory/3460-134-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/3460-135-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/3460-136-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/4200-170-0x00000000000B0000-0x00000000000B8000-memory.dmp

Filesize
32KB

Download
memory/4312-155-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download