orcus | cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123xxx.exe
Size

907KB
MD5

8a8708ed2507d0907e08f10185d17bce
SHA1

6a3007eecffea8b616474e3a3f2a17660a567a22
SHA256

cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7
SHA512

f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744
SSDEEP

12288:Wgfe07KFML7iLMucoUe7dG1lFlWcYT70pxnnaaoawn7ueuRAxrZNrI0AilFEvxH9:/tY4MROxnFH9+rZlI0AilFEvxHiGWw

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

de2.localto.net:41509

Mutex

258334e365604d3ca90aaafdbf31c4c7

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\systemw\DSRHost.exe
reconnect_delay
10000
registry_keyname
DSRHost
taskscheduler_taskname
DSRHost
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012271-27.dat	family_orcus
behavioral1/files/0x000e000000012271-26.dat	family_orcus
behavioral1/files/0x000e000000012271-30.dat	family_orcus

Orcurs Rat Executable 4 IoCs

resource	yara_rule
behavioral1/files/0x000e000000012271-27.dat	orcus
behavioral1/files/0x000e000000012271-26.dat	orcus
behavioral1/files/0x000e000000012271-30.dat	orcus
behavioral1/memory/2536-31-0x0000000000070000-0x0000000000158000-memory.dmp	orcus

Executes dropped EXE 1 IoCs

pid	Process
2536	DSRHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\DSRHost = "\"C:\\Program Files\\systemw\\DSRHost.exe\""	DSRHost.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\systemw\DSRHost.exe	123xxx.exe
File opened for modification	C:\Program Files\systemw\DSRHost.exe	123xxx.exe
File created	C:\Program Files\systemw\DSRHost.exe.config	123xxx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2536	DSRHost.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2536	DSRHost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2388	2112	123xxx.exe	28
PID 2112 wrote to memory of 2388	2112	123xxx.exe	28
PID 2112 wrote to memory of 2388	2112	123xxx.exe	28
PID 2388 wrote to memory of 2744	2388	csc.exe	30
PID 2388 wrote to memory of 2744	2388	csc.exe	30
PID 2388 wrote to memory of 2744	2388	csc.exe	30
PID 2112 wrote to memory of 2536	2112	123xxx.exe	31
PID 2112 wrote to memory of 2536	2112	123xxx.exe	31
PID 2112 wrote to memory of 2536	2112	123xxx.exe	31

C:\Users\Admin\AppData\Local\Temp\123xxx.exe
"C:\Users\Admin\AppData\Local\Temp\123xxx.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\diq3qcer.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6FF3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6FF2.tmp"
    3⤵
    PID:2744
- C:\Program Files\systemw\DSRHost.exe
  "C:\Program Files\systemw\DSRHost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\systemw\DSRHost.exe

Filesize
907KB

MD5
8a8708ed2507d0907e08f10185d17bce

SHA1
6a3007eecffea8b616474e3a3f2a17660a567a22

SHA256
cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

SHA512
f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744

Download Submit
C:\Program Files\systemw\DSRHost.exe

Filesize
907KB

MD5
8a8708ed2507d0907e08f10185d17bce

SHA1
6a3007eecffea8b616474e3a3f2a17660a567a22

SHA256
cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

SHA512
f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744

Download Submit
C:\Program Files\systemw\DSRHost.exe

Filesize
907KB

MD5
8a8708ed2507d0907e08f10185d17bce

SHA1
6a3007eecffea8b616474e3a3f2a17660a567a22

SHA256
cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

SHA512
f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744

Download Submit
C:\Program Files\systemw\DSRHost.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6FF3.tmp

Filesize
1KB

MD5
a2452619e000110e48aa90aece091d6c

SHA1
84923a9a4f5a534e7e36eaf20ccf9528cfbf472b

SHA256
7e62b8be3bb1e03d6e037ab3a87b2519bfa7f6f70800dcbef22e04daee0cf28d

SHA512
6c79174d03a079110bd2a0ddffb3f4a795291653760ed2941ae62311245be822191de1dd17740c2fb87753d0392e9860fc3d94cd7b312ce3e7deb344e7119f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\diq3qcer.dll

Filesize
76KB

MD5
fd20c3ba05adacae7f7508914ddf43dc

SHA1
c1f2a712cfcd59598ece486691d75ff7769fbf4b

SHA256
b74b9fa53ec66d096c8986272a8c2c992d178e9b224642fc752b5c79188008bd

SHA512
5d03476874d78ca3fc86ae1ff8d75f90a5aa976b446a36097400623a003ff1d1ccba11022359f4632ce925628071d229c3e2184e777b84a9ab043142fa06120b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6FF2.tmp

Filesize
676B

MD5
87bb3c6407e41d060d90c385884d67fc

SHA1
7c71c0cc6c46b813a973cd4fc16642e132451d8f

SHA256
c81f64768a7687ae513690711a6e4e857f211b537ed9d7771061adc6c206f0d8

SHA512
0bf658c98d2a3933b31aef65419368d0d54b0d92f138fce8657efd79c3678e687a72526c36aa86c7b3044f31410a3fe9b8fa3e217f3d73879a40d98637b7c13d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\diq3qcer.0.cs

Filesize
208KB

MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\diq3qcer.cmdline

Filesize
349B

MD5
00c080f93694404c13f19be8edb9393f

SHA1
dbba2823eb2e11fc70c1f629b7accd2e92d2e4fc

SHA256
b927b1e2c688153f3044541c4fca336c6ebcfe68dd66142b656c2968525fde26

SHA512
a9b53ce88d0375b5cb233cae053ea366b85a185356bb018f0424ff8df715889610da8610255b4438d5c51bdd61a8fccaa83ecec40408f1939827f8ee9b1e2e5f

Download Submit
memory/2112-4-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-18-0x0000000000E30000-0x0000000000E46000-memory.dmp

Filesize
88KB

Download
memory/2112-0-0x0000000000B20000-0x0000000000B7C000-memory.dmp

Filesize
368KB

Download
memory/2112-20-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2112-3-0x0000000000B90000-0x0000000000C10000-memory.dmp

Filesize
512KB

Download
memory/2112-1-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/2112-2-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-29-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Filesize
9.6MB

Download
memory/2388-10-0x00000000022B0000-0x0000000002330000-memory.dmp

Filesize
512KB

Download
memory/2536-31-0x0000000000070000-0x0000000000158000-memory.dmp

Filesize
928KB

Download
memory/2536-32-0x000007FEEF720000-0x000007FEF010C000-memory.dmp

Filesize
9.9MB

Download
memory/2536-33-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2536-34-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/2536-35-0x0000000001F90000-0x0000000001FDE000-memory.dmp

Filesize
312KB

Download
memory/2536-36-0x00000000020E0000-0x00000000020F8000-memory.dmp

Filesize
96KB

Download
memory/2536-37-0x00000000006D0000-0x00000000006E0000-memory.dmp

Filesize
64KB

Download
memory/2536-38-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2536-39-0x000007FEEF720000-0x000007FEF010C000-memory.dmp

Filesize
9.9MB

Download
memory/2536-40-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download
memory/2536-41-0x000000001AFC0000-0x000000001B040000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads