quasar | 3641770670faf667b289df978513c46c31b2074cd5504cbd73dccc510e394ace

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2023, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orcuido.exe
Size

3.1MB
MD5

00535440a40587b5b08ba0b98dfeb4b3
SHA1

7ca280a1dc7102c3f371b748b8e9b6a13cf09b29
SHA256

3641770670faf667b289df978513c46c31b2074cd5504cbd73dccc510e394ace
SHA512

0ba4d4630ffdab08a9a6849b88321a6eba7b4233ff09c2373520ac98632509cbbb9f4939e2bfaa1021b04c2c8a13f172fa6bf4fed2363f195dadf2d4b8175868
SSDEEP

49152:DvCI22SsaNYfdPBldt698dBcjHqxDE/Avk/JxPoGdIfhTHHB72eh2NT:DvP22SsaNYfdPBldt6+dBcjHqxQNi

Score

10^/10

quasar orcus spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Orcus

Rares14023-51676.portmap.host:51676

Mutex

eabc7ac9-6a8c-4e27-bfcf-1cbc46331ce7

Attributes

encryption_key
1A1B74C3A45D7286503C40C19ECC5088F044534B
install_name
OrcusRat.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3304-133-0x0000000000530000-0x0000000000854000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Orcuido.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3704	schtasks.exe
4536	schtasks.exe
4264	schtasks.exe
3928	schtasks.exe
3692	schtasks.exe
2432	schtasks.exe
4596	schtasks.exe
1532	schtasks.exe
1980	schtasks.exe
3972	schtasks.exe
1296	schtasks.exe
2740	schtasks.exe
3788	schtasks.exe
2140	schtasks.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
2840	PING.EXE
3800	PING.EXE
4820	PING.EXE
2840	PING.EXE
1688	PING.EXE
3956	PING.EXE
4860	PING.EXE
3976	PING.EXE
1708	PING.EXE
4716	PING.EXE
3392	PING.EXE
2520	PING.EXE
2916	PING.EXE
4788	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	Orcuido.exe
Token: SeDebugPrivilege	4660	Orcuido.exe
Token: SeDebugPrivilege	2028	Orcuido.exe
Token: SeDebugPrivilege	4352	Orcuido.exe
Token: SeDebugPrivilege	3024	Orcuido.exe
Token: SeDebugPrivilege	3012	Orcuido.exe
Token: SeDebugPrivilege	2460	Orcuido.exe
Token: SeDebugPrivilege	3776	Orcuido.exe
Token: SeDebugPrivilege	1792	Orcuido.exe
Token: SeDebugPrivilege	864	Orcuido.exe
Token: SeDebugPrivilege	1684	Orcuido.exe
Token: SeDebugPrivilege	4172	Orcuido.exe
Token: SeDebugPrivilege	3308	Orcuido.exe
Token: SeDebugPrivilege	2752	Orcuido.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 4264	3304	Orcuido.exe	83
PID 3304 wrote to memory of 4264	3304	Orcuido.exe	83
PID 3304 wrote to memory of 1580	3304	Orcuido.exe	85
PID 3304 wrote to memory of 1580	3304	Orcuido.exe	85
PID 1580 wrote to memory of 3884	1580	cmd.exe	87
PID 1580 wrote to memory of 3884	1580	cmd.exe	87
PID 1580 wrote to memory of 3956	1580	cmd.exe	88
PID 1580 wrote to memory of 3956	1580	cmd.exe	88
PID 1580 wrote to memory of 4660	1580	cmd.exe	95
PID 1580 wrote to memory of 4660	1580	cmd.exe	95
PID 4660 wrote to memory of 3928	4660	Orcuido.exe	96
PID 4660 wrote to memory of 3928	4660	Orcuido.exe	96
PID 4660 wrote to memory of 4596	4660	Orcuido.exe	98
PID 4660 wrote to memory of 4596	4660	Orcuido.exe	98
PID 4596 wrote to memory of 812	4596	cmd.exe	100
PID 4596 wrote to memory of 812	4596	cmd.exe	100
PID 4596 wrote to memory of 4820	4596	cmd.exe	101
PID 4596 wrote to memory of 4820	4596	cmd.exe	101
PID 4596 wrote to memory of 2028	4596	cmd.exe	102
PID 4596 wrote to memory of 2028	4596	cmd.exe	102
PID 2028 wrote to memory of 3972	2028	Orcuido.exe	103
PID 2028 wrote to memory of 3972	2028	Orcuido.exe	103
PID 2028 wrote to memory of 3812	2028	Orcuido.exe	105
PID 2028 wrote to memory of 3812	2028	Orcuido.exe	105
PID 3812 wrote to memory of 2344	3812	cmd.exe	107
PID 3812 wrote to memory of 2344	3812	cmd.exe	107
PID 3812 wrote to memory of 4716	3812	cmd.exe	108
PID 3812 wrote to memory of 4716	3812	cmd.exe	108
PID 3812 wrote to memory of 4352	3812	cmd.exe	110
PID 3812 wrote to memory of 4352	3812	cmd.exe	110
PID 4352 wrote to memory of 1532	4352	Orcuido.exe	111
PID 4352 wrote to memory of 1532	4352	Orcuido.exe	111
PID 4352 wrote to memory of 1328	4352	Orcuido.exe	113
PID 4352 wrote to memory of 1328	4352	Orcuido.exe	113
PID 1328 wrote to memory of 2300	1328	cmd.exe	115
PID 1328 wrote to memory of 2300	1328	cmd.exe	115
PID 1328 wrote to memory of 3392	1328	cmd.exe	116
PID 1328 wrote to memory of 3392	1328	cmd.exe	116
PID 1328 wrote to memory of 3024	1328	cmd.exe	117
PID 1328 wrote to memory of 3024	1328	cmd.exe	117
PID 3024 wrote to memory of 1296	3024	Orcuido.exe	118
PID 3024 wrote to memory of 1296	3024	Orcuido.exe	118
PID 3024 wrote to memory of 3032	3024	Orcuido.exe	120
PID 3024 wrote to memory of 3032	3024	Orcuido.exe	120
PID 3032 wrote to memory of 632	3032	cmd.exe	122
PID 3032 wrote to memory of 632	3032	cmd.exe	122
PID 3032 wrote to memory of 2840	3032	cmd.exe	123
PID 3032 wrote to memory of 2840	3032	cmd.exe	123
PID 3032 wrote to memory of 3012	3032	cmd.exe	124
PID 3032 wrote to memory of 3012	3032	cmd.exe	124
PID 3012 wrote to memory of 3692	3012	Orcuido.exe	125
PID 3012 wrote to memory of 3692	3012	Orcuido.exe	125
PID 3012 wrote to memory of 668	3012	Orcuido.exe	127
PID 3012 wrote to memory of 668	3012	Orcuido.exe	127
PID 668 wrote to memory of 3884	668	cmd.exe	129
PID 668 wrote to memory of 3884	668	cmd.exe	129
PID 668 wrote to memory of 4860	668	cmd.exe	130
PID 668 wrote to memory of 4860	668	cmd.exe	130
PID 668 wrote to memory of 2460	668	cmd.exe	131
PID 668 wrote to memory of 2460	668	cmd.exe	131
PID 2460 wrote to memory of 3704	2460	Orcuido.exe	132
PID 2460 wrote to memory of 3704	2460	Orcuido.exe	132
PID 2460 wrote to memory of 992	2460	Orcuido.exe	134
PID 2460 wrote to memory of 992	2460	Orcuido.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
"C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Huc7xc0KQiI9.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3884
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:3956
- - C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
    "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ot3BHQBzr4AM.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:812
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:3972
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eTG2DHN61OxH.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        8⤵
        Creates scheduled task(s)
        
        PID:1532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uM4LWJGuQwkQ.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        10⤵
        Creates scheduled task(s)
        
        PID:1296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1qrhaeOIfMPD.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        12⤵
        Creates scheduled task(s)
        
        PID:3692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BYuEuJ4wOalI.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        14⤵
        Creates scheduled task(s)
        
        PID:3704
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qVIu3debW5YM.bat" "
        14⤵
        
        PID:992
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2388
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        16⤵
        Creates scheduled task(s)
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IK7HaVsdKDYn.bat" "
        16⤵
        
        PID:1492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:4484
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        18⤵
        Creates scheduled task(s)
        
        PID:4596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pjAdqRLigcLT.bat" "
        18⤵
        
        PID:4504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:4132
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        19⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        20⤵
        Creates scheduled task(s)
        
        PID:4536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yJzIC8OMklEL.bat" "
        20⤵
        
        PID:672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        21⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        22⤵
        Creates scheduled task(s)
        
        PID:1980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WUyh111SVeVq.bat" "
        22⤵
        
        PID:3392
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        23⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        24⤵
        Creates scheduled task(s)
        
        PID:2740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dwy70fmp3lJN.bat" "
        24⤵
        
        PID:4460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        Runs ping.exe
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        25⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        26⤵
        Creates scheduled task(s)
        
        PID:3788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VdWX1J2cOhiw.bat" "
        26⤵
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:2680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        Runs ping.exe
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Orcuido.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Orcuido.exe"
        27⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\OrcusRat.exe" /rl HIGHEST /f
        28⤵
        Creates scheduled task(s)
        
        PID:2140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dN3S4rVbJr2u.bat" "
        28⤵
        
        PID:1880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        Runs ping.exe
        
        PID:3800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Orcuido.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qrhaeOIfMPD.bat

Filesize
204B

MD5
5f241b9ef636e4f0965dac6476982035

SHA1
df6cbb69a10c8dadc9dd9d4c93ad62984d7367f8

SHA256
8d1d4c3c8d8f775f9548f06e0f6eda91c0217c7a25ef673ee43eb27a85d9b8ca

SHA512
4af0a00fac85cbc8c88f8e9a501459579500aa5a31ac6181111e6348663750d27a569cb11e94ef63fc650844b854bb915098bbf86d03e5e27fb2ea3b02f94bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYuEuJ4wOalI.bat

Filesize
204B

MD5
949fdf24bdae39fa9419155b21748615

SHA1
cfe9750fdf5157fa22265f2f9668a776f3fb8c31

SHA256
f10bb4aa949a7dc1e48db88e3eec7999290deb93e14c7abe017a26446ba8b07b

SHA512
2666b21d26faeacc10ec5da83e97532f7dbf41722a8fa641bc2acc22c32dfb07971a22ade224cb80eca01ade7e5b500bc1b49188cf10351777d3db437d1b3c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dwy70fmp3lJN.bat

Filesize
204B

MD5
c60a427d81c911c4c6f875ea3828852c

SHA1
b14d4c93e34b9dbf0aebeb86a6a11c8932954f04

SHA256
066f0673bab365cc7caaae37ece9493512234e325833fd5e3eb6b084a940e479

SHA512
4155879074788f0aaf3a30e5b434a08871248f13617491f2ed18f0c320fc0050a8c359a2179cee408c8da38e914b6b64acaf178f16d87c873b03426374300549

Download Submit
C:\Users\Admin\AppData\Local\Temp\Huc7xc0KQiI9.bat

Filesize
204B

MD5
46c1d54b0ad0a3a7662558fe76b6f8f9

SHA1
0c22abd650ffca565f1c20306f90f4ac02e9e717

SHA256
9f3e4f2b1246b385ff97e7d5c81824c2c3687b302436d4ddb7a17eb7bd31a7e1

SHA512
bf52ab2775bcd5d5c573b3b457a2fe413ab7fcad30dfe305fc59284c768e5366473f3b7dda95db1d93dba5f009a82b5ff672b934a7eca24e5cd07a8d74405ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IK7HaVsdKDYn.bat

Filesize
204B

MD5
f809f4ac0dac3296e7bd8f798b07a94b

SHA1
5ac055de2289aa2b75c57c412314a5622206a126

SHA256
928ef4da0fd453166e1dac18aaac718e71607b6baa9d89d4ffb2fffd8a5805fa

SHA512
95aee69a89d70549c941c175cc3ed0f77becfe7cceef540b78fc52366d946112d5635322f332c2bb8fcb7fe0e2ffb48d709ca5baaa639901774dca0336ee22ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ot3BHQBzr4AM.bat

Filesize
204B

MD5
89fd50da06715b65585779f08d8364df

SHA1
f720e40f0de969043f99b0e73f6f714f405a204c

SHA256
023d003f143f203bda5a9789efffd52c57aa0820f5afe9cc09679ba283874e6c

SHA512
5d540ec034550e87387e3a2fcf786940107539a6b9483656a443806e8ea08c4ef81330093ba402475d94fdfc5b8d57686d24c4362948d5311398dc97756c39bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VdWX1J2cOhiw.bat

Filesize
204B

MD5
da117384e840a7180094b63c814ec535

SHA1
febdc4671f8b58fdcaf79354e4dce09016a32be7

SHA256
60085671ee8f5cf6f5e45852b22f5910c6c143e4aeec0495553a6ed504897166

SHA512
aeb3011d4bc885cbc189c948d8766369c1e0580876cf763f28cf6a61663123b4e0b433ef4e1c574d7787853224bc0b36a3a346e8a3f8bad2aa6b22754f5febb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUyh111SVeVq.bat

Filesize
204B

MD5
e9865ba62d5c2e139050a3ce0f54ca62

SHA1
b5bb0d89091600d24d1a3aee544fc281e574837d

SHA256
f24cfb6d1f5047f4b2a5c6b0cfe77db738001bb51c3be8be80a0c09b924c43bc

SHA512
c9ef7ceb8726ba7a6e4142f8e9ee97476f4aaf4e404ba4f29684bfa79244bea05f8ba4b66f941c4522ee3c5a815eeb5facf926604d9504961d004ff5d1ed4e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\dN3S4rVbJr2u.bat

Filesize
204B

MD5
396f96a0a739640c02e46b5d8af0e200

SHA1
922f9fa379805d4f02392f37819c73205f274a91

SHA256
57551d38f14981dcdb0fa0b83ad8d0c7d33336b4465ba76224dc4b7a9e067268

SHA512
107482b35bd8f80ba92eef005b9a4d4ad6bdf26f2cef7f00cf01981a4dea2530dff1c0fdb02db310b3129d8ae30d2eada1b83034eb849c885754a6feb5b06ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTG2DHN61OxH.bat

Filesize
204B

MD5
6306439645583b88e77dd351c1da5929

SHA1
905297b7fb87e041b2b85850217a0b14f5fa821f

SHA256
81548779e33e941053cb840b84056c5d75181dcac88adb3b3292a5a3f82375e3

SHA512
000717ef4e751a55fd43152ad1d5a8b5d72347555d1bd850197774f4103d4dd3a987359c8b8cf027b7c7eee4372b25adbebb329486b7a0ac2cb7ff99c168c7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjAdqRLigcLT.bat

Filesize
204B

MD5
b0c9ef913839b629dc4848decd91aa43

SHA1
169538ad385b9800795ee4eb03a540abb28f6bad

SHA256
e0bf8bb0be9152849da0417b678af5b6e1a2a7bad3b6f2d37178e11b9eb54f67

SHA512
7f1571333798891fe834fcaf84f47ebefc8a9ce0fd0e18e415953192469798b94946f5e0cca03e6a1aefdc4908cd60d90a454378b6ee255b55c9c3e307ef011e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qVIu3debW5YM.bat

Filesize
204B

MD5
d05a8b93f027f77edd6e9584ec56e896

SHA1
ebed2a290728adee6fa24f78fb1d9cbcfa5c182f

SHA256
3b6a7c77f0ed5bcbeb6c94f6cad97acf93bf00e1756352f800cec260447d4d99

SHA512
0a0f50a00cf20ae4f474ba484313b16f9bb3843c1e4359fbf5d03cb5783946cf541289a2888a747c0baa2d50dc10a879b24af9f438b3056b8e8006ea4b6f44a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uM4LWJGuQwkQ.bat

Filesize
204B

MD5
951d05a435ffc31a465b7a174aefad25

SHA1
1fa8eaea5cde204509b8621b41aa648b529ce3bd

SHA256
2636419df9d07ae3a379230f33c9d15ba05ce5cbe3c88a4f386410bddcdbdc27

SHA512
01f473e7dc2c8c03bb3206127d3544bec16a5b723ad8a2a330f8959f0e27db80d85ea2f4079e7d9eb7ee74e5cea6ce8461c2ca4a6e0b02da7d9059bae4a205bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yJzIC8OMklEL.bat

Filesize
204B

MD5
202599c95998c746dbb90fd9380772ea

SHA1
837edb7172f851ae3ba09a2a21d2580c5935db84

SHA256
7a3f2098c78c5186c265279565aeb122638a116907732c77ad068d7f549632a6

SHA512
a43cc3d8333873a75029910bd90596327fe37122a6e385c2483d587debde1899b7b5a22d02a31d78d6b7f83ba5e42da94f27f05e48a0bab76f3e732fa565ef2c

Download Submit
memory/2028-148-0x000000001B100000-0x000000001B110000-memory.dmp

Filesize
64KB

Download
memory/3304-135-0x000000001B330000-0x000000001B380000-memory.dmp

Filesize
320KB

Download
memory/3304-133-0x0000000000530000-0x0000000000854000-memory.dmp

Filesize
3.1MB

Download
memory/3304-136-0x000000001CD70000-0x000000001CE22000-memory.dmp

Filesize
712KB

Download
memory/3304-134-0x000000001B3F0000-0x000000001B400000-memory.dmp

Filesize
64KB

Download
memory/4352-153-0x000000001C550000-0x000000001C560000-memory.dmp

Filesize
64KB

Download
memory/4660-143-0x000000001D060000-0x000000001D070000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads