orcus | cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

Analysis

max time kernel
148s
max time network
162s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123xxx.exe
Size

907KB
MD5

8a8708ed2507d0907e08f10185d17bce
SHA1

6a3007eecffea8b616474e3a3f2a17660a567a22
SHA256

cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7
SHA512

f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744
SSDEEP

12288:Wgfe07KFML7iLMucoUe7dG1lFlWcYT70pxnnaaoawn7ueuRAxrZNrI0AilFEvxH9:/tY4MROxnFH9+rZlI0AilFEvxHiGWw

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

de2.localto.net:41509

Mutex

258334e365604d3ca90aaafdbf31c4c7

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\systemw\DSRHost.exe
reconnect_delay
10000
registry_keyname
DSRHost
taskscheduler_taskname
DSRHost
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 3 IoCs

resource	yara_rule
behavioral1/files/0x003100000001272f-26.dat	family_orcus
behavioral1/files/0x003100000001272f-27.dat	family_orcus
behavioral1/files/0x003100000001272f-30.dat	family_orcus

Orcurs Rat Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x003100000001272f-26.dat	orcus
behavioral1/files/0x003100000001272f-27.dat	orcus
behavioral1/files/0x003100000001272f-30.dat	orcus
behavioral1/memory/2704-31-0x00000000012A0000-0x0000000001388000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
2704	DSRHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\DSRHost = "\"C:\\Program Files\\systemw\\DSRHost.exe\""	DSRHost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\systemw\DSRHost.exe	123xxx.exe
File opened for modification	C:\Program Files\systemw\DSRHost.exe	123xxx.exe
File created	C:\Program Files\systemw\DSRHost.exe.config	123xxx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2704	DSRHost.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2704	DSRHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1420	1744	123xxx.exe	28
PID 1744 wrote to memory of 1420	1744	123xxx.exe	28
PID 1744 wrote to memory of 1420	1744	123xxx.exe	28
PID 1420 wrote to memory of 2776	1420	csc.exe	30
PID 1420 wrote to memory of 2776	1420	csc.exe	30
PID 1420 wrote to memory of 2776	1420	csc.exe	30
PID 1744 wrote to memory of 2704	1744	123xxx.exe	31
PID 1744 wrote to memory of 2704	1744	123xxx.exe	31
PID 1744 wrote to memory of 2704	1744	123xxx.exe	31

C:\Users\Admin\AppData\Local\Temp\123xxx.exe
"C:\Users\Admin\AppData\Local\Temp\123xxx.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mf6zjvvb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5CD1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5CC0.tmp"
    3⤵
    PID:2776
- C:\Program Files\systemw\DSRHost.exe
  "C:\Program Files\systemw\DSRHost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\systemw\DSRHost.exe

Filesize
907KB

MD5
8a8708ed2507d0907e08f10185d17bce

SHA1
6a3007eecffea8b616474e3a3f2a17660a567a22

SHA256
cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

SHA512
f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744

Download Submit
C:\Program Files\systemw\DSRHost.exe

Filesize
907KB

MD5
8a8708ed2507d0907e08f10185d17bce

SHA1
6a3007eecffea8b616474e3a3f2a17660a567a22

SHA256
cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

SHA512
f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744

Download Submit
C:\Program Files\systemw\DSRHost.exe

Filesize
907KB

MD5
8a8708ed2507d0907e08f10185d17bce

SHA1
6a3007eecffea8b616474e3a3f2a17660a567a22

SHA256
cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

SHA512
f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744

Download Submit
C:\Program Files\systemw\DSRHost.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5CD1.tmp

Filesize
1KB

MD5
ac77151ff5551ebdab06154d2e5a0950

SHA1
5bd146c80a3d6e6a21c2adc32e94ec7131d862c5

SHA256
d6e0c0ce33ea55c9c407e7267c8121e8dcac24e261dbb6c2606246b10e1990ef

SHA512
ce4db48c04717d7d7b33d75e12420c4ce6d1a8dfce3b6d994dbc6737384c903dcc00b75682c7f2b76c74a9f7d5a3d6f0d442fb3a0fab5069ce2a73b5cde6acc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mf6zjvvb.dll

Filesize
76KB

MD5
bb34d0578f5e10001666a249481e397e

SHA1
ca290604c5c75e944a03f8fdfda49b7bbcb9d96f

SHA256
ca17542d834a18f36383dd8b0672a0674a170689c5c176f6ca39c37e2e9cdb30

SHA512
246a4aa4990cc1c98d3ac8c08c66a5cdd5bef91fa974d727d3619164648de3c73ee39fe194ed9eef335d50312bcaa5c42daddcb3938e84e4ea4d8df31efc0373

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5CC0.tmp

Filesize
676B

MD5
7d169424886becced8065a272570ee42

SHA1
ea8b91338c9193025e0706949ba506bcc592bc89

SHA256
4db283af01600e1b8ccc486f28120229292ee2e5f0651e4badd984ae72345a08

SHA512
de778751ff85860fead5f48958593b5418bbf37c6473b9104137bd0f4a059492ebd6b2167fe730f3986da7afdd06bbf8970d78a1f15cbbefccdc35e231858f9a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mf6zjvvb.0.cs

Filesize
208KB

MD5
2ca55a1f076f0334ee5b4e5c2be2b9fb

SHA1
3199e33821efb9717e21efb475e5f23f3250e71f

SHA256
089ad72f13b3a004cee9afc73528970d0ce94fa6eac72f0163d05f2e20edfdbb

SHA512
e0016fb5ea366f42c15de12ec7e2e5760b796e59ec1e662cafed2c3b62c0ebbfdc6593f85c869ababa31590440d51b6d0a522b7fed10d9ccd5d018b0dce5f5f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mf6zjvvb.cmdline

Filesize
349B

MD5
a055794ead0bdd0382fc23d7fc93065b

SHA1
172c901e5afe6b199ffe5c57b12c1c7a982f3d6b

SHA256
5c7ad59263193f74882002eeadcfd58c0ffdc304e599dabbce43e491dab31f64

SHA512
29850e55f1d42fe9d1e5f5e6d720c2819e607ef7693358a32895057bc182783f41162d10d8b9268016cceb61aa1b99cbbec8c220ac37e60513611d099ced8ac5

Download Submit
memory/1420-10-0x00000000007B0000-0x0000000000830000-memory.dmp

Filesize
512KB

Download
memory/1744-0-0x0000000000DC0000-0x0000000000E1C000-memory.dmp

Filesize
368KB

Download
memory/1744-18-0x0000000000C90000-0x0000000000CA6000-memory.dmp

Filesize
88KB

Download
memory/1744-20-0x00000000009D0000-0x00000000009E2000-memory.dmp

Filesize
72KB

Download
memory/1744-4-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1744-3-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/1744-2-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1744-29-0x000007FEF5840000-0x000007FEF61DD000-memory.dmp

Filesize
9.6MB

Download
memory/1744-1-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2704-31-0x00000000012A0000-0x0000000001388000-memory.dmp

Filesize
928KB

Download
memory/2704-32-0x000007FEF1DC0000-0x000007FEF27AC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-33-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/2704-34-0x000000001A990000-0x000000001A9DE000-memory.dmp

Filesize
312KB

Download
memory/2704-35-0x0000000000BB0000-0x0000000000BC8000-memory.dmp

Filesize
96KB

Download
memory/2704-36-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/2704-37-0x0000000000B30000-0x0000000000BB0000-memory.dmp

Filesize
512KB

Download
memory/2704-38-0x000007FEF1DC0000-0x000007FEF27AC000-memory.dmp

Filesize
9.9MB

Download
memory/2704-39-0x0000000000B30000-0x0000000000BB0000-memory.dmp

Filesize
512KB

Download
memory/2704-40-0x0000000000B30000-0x0000000000BB0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads