orcus | 8e2608e1cdedaf4f3495676b50fdab81cfa9b1018bb29c52b15358e747bce39b

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/06/2023, 01:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4.exe
Size

6.0MB
MD5

864d1b8fe8c2caa11fabd19025c6af4c
SHA1

80ef38b4619508eca929367e505ed86820cc7629
SHA256

fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4
SHA512

a49f606301afc240856aeb306bcbd83e06961b3b65d53477075ad13fe2d046a5fe623f4fb36b576b96e07064bec233a459a687609ce29e31365335902e6a8e99
SSDEEP

24576:UvcuN7KbNL34MROxnFf3HumarrcI0AilFEvxHPdeFooL:UvcuaWMid4rrcI0AilFEvxHP

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral3/memory/1408-54-0x0000000000D30000-0x0000000001334000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
1092	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1408	fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4.exe
580	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost\\svchost.exe\" "	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	1408	WerFault.exe	27

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1092	1408	fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4.exe	28
PID 1408 wrote to memory of 1092	1408	fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4.exe	28
PID 1408 wrote to memory of 1092	1408	fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4.exe	28
PID 1408 wrote to memory of 1864	1408	fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4.exe	30
PID 1408 wrote to memory of 1864	1408	fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4.exe	30
PID 1408 wrote to memory of 1864	1408	fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4.exe	30

C:\Users\Admin\AppData\Local\Temp\fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4.exe
"C:\Users\Admin\AppData\Local\Temp\fc35a0e0418cefe500b02b81241fbb0338e7040db20934ed9abf3e6d55f879f4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1092
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1408 -s 1012
  2⤵
  - Program crash
  PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
90KB

MD5
5fde5a0c55b01230552775db6d023b7c

SHA1
f19ccea47993e4a24bc6bc89b1ec503f59538cd7

SHA256
7238ad4459807c09ba93c365b4c32c7bfeaad8746c6f5f6024d8453f875ce59e

SHA512
8c98d713b925aefada126a81e24bccd063f820b4b073b86d2171c10d6d346fd8632e0fad58521efc28d0de1076a266fe5e24bf8130f6d541ac09fa59e1373902

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
90KB

MD5
5fde5a0c55b01230552775db6d023b7c

SHA1
f19ccea47993e4a24bc6bc89b1ec503f59538cd7

SHA256
7238ad4459807c09ba93c365b4c32c7bfeaad8746c6f5f6024d8453f875ce59e

SHA512
8c98d713b925aefada126a81e24bccd063f820b4b073b86d2171c10d6d346fd8632e0fad58521efc28d0de1076a266fe5e24bf8130f6d541ac09fa59e1373902

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
90KB

MD5
5fde5a0c55b01230552775db6d023b7c

SHA1
f19ccea47993e4a24bc6bc89b1ec503f59538cd7

SHA256
7238ad4459807c09ba93c365b4c32c7bfeaad8746c6f5f6024d8453f875ce59e

SHA512
8c98d713b925aefada126a81e24bccd063f820b4b073b86d2171c10d6d346fd8632e0fad58521efc28d0de1076a266fe5e24bf8130f6d541ac09fa59e1373902

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
90KB

MD5
5fde5a0c55b01230552775db6d023b7c

SHA1
f19ccea47993e4a24bc6bc89b1ec503f59538cd7

SHA256
7238ad4459807c09ba93c365b4c32c7bfeaad8746c6f5f6024d8453f875ce59e

SHA512
8c98d713b925aefada126a81e24bccd063f820b4b073b86d2171c10d6d346fd8632e0fad58521efc28d0de1076a266fe5e24bf8130f6d541ac09fa59e1373902

Download Submit
memory/1408-54-0x0000000000D30000-0x0000000001334000-memory.dmp

Filesize
6.0MB

Download
memory/1408-55-0x000000001B590000-0x000000001B610000-memory.dmp

Filesize
512KB

Download
memory/1408-64-0x000000001B590000-0x000000001B610000-memory.dmp

Filesize
512KB

Download