orcus | cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

Analysis

max time kernel
150s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123xxx.exe
Size

907KB
MD5

8a8708ed2507d0907e08f10185d17bce
SHA1

6a3007eecffea8b616474e3a3f2a17660a567a22
SHA256

cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7
SHA512

f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744
SSDEEP

12288:Wgfe07KFML7iLMucoUe7dG1lFlWcYT70pxnnaaoawn7ueuRAxrZNrI0AilFEvxH9:/tY4MROxnFH9+rZlI0AilFEvxHiGWw

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

de2.localto.net:41509

Mutex

258334e365604d3ca90aaafdbf31c4c7

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\systemw\DSRHost.exe
reconnect_delay
10000
registry_keyname
DSRHost
taskscheduler_taskname
DSRHost
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023181-30.dat	family_orcus
behavioral2/files/0x000a000000023181-37.dat	family_orcus
behavioral2/files/0x000a000000023181-40.dat	family_orcus

Orcurs Rat Executable 4 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023181-30.dat	orcus
behavioral2/files/0x000a000000023181-37.dat	orcus
behavioral2/files/0x000a000000023181-40.dat	orcus
behavioral2/memory/688-41-0x0000000000A60000-0x0000000000B48000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation	123xxx.exe

Executes dropped EXE 1 IoCs

pid	Process
688	DSRHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DSRHost = "\"C:\\Program Files\\systemw\\DSRHost.exe\""	DSRHost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	123xxx.exe
File created	C:\Windows\assembly\Desktop.ini	123xxx.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\systemw\DSRHost.exe	123xxx.exe
File opened for modification	C:\Program Files\systemw\DSRHost.exe	123xxx.exe
File created	C:\Program Files\systemw\DSRHost.exe.config	123xxx.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	123xxx.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	123xxx.exe
File opened for modification	C:\Windows\assembly	123xxx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
688	DSRHost.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
688	DSRHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 4888	4196	123xxx.exe	85
PID 4196 wrote to memory of 4888	4196	123xxx.exe	85
PID 4888 wrote to memory of 3572	4888	csc.exe	87
PID 4888 wrote to memory of 3572	4888	csc.exe	87
PID 4196 wrote to memory of 688	4196	123xxx.exe	90
PID 4196 wrote to memory of 688	4196	123xxx.exe	90

C:\Users\Admin\AppData\Local\Temp\123xxx.exe
"C:\Users\Admin\AppData\Local\Temp\123xxx.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xb1jorxa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1A4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF1A3.tmp"
    3⤵
    PID:3572
- C:\Program Files\systemw\DSRHost.exe
  "C:\Program Files\systemw\DSRHost.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\systemw\DSRHost.exe

Filesize
907KB

MD5
8a8708ed2507d0907e08f10185d17bce

SHA1
6a3007eecffea8b616474e3a3f2a17660a567a22

SHA256
cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

SHA512
f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744

Download Submit
C:\Program Files\systemw\DSRHost.exe

Filesize
907KB

MD5
8a8708ed2507d0907e08f10185d17bce

SHA1
6a3007eecffea8b616474e3a3f2a17660a567a22

SHA256
cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

SHA512
f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744

Download Submit
C:\Program Files\systemw\DSRHost.exe

Filesize
907KB

MD5
8a8708ed2507d0907e08f10185d17bce

SHA1
6a3007eecffea8b616474e3a3f2a17660a567a22

SHA256
cdb7d368e382d1b82628e58928866e50683a194fc88308195a008225ab48b7e7

SHA512
f669d113ec12591af393c0ea7e662757d82d92c9ee3943dd39fc40e99621606c46ab3acc5ae8f4d7717391a195728fd9afa26e2e15d71aa5ac76d1fdf75bc744

Download Submit
C:\Program Files\systemw\DSRHost.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF1A4.tmp

Filesize
1KB

MD5
23174caa7c04f7d00050e081c128fd7b

SHA1
e32af52ec7836eed91ab856105fa5f7231443ace

SHA256
7a6a436cbef5ee13bbfb8ecf5e1a89f13d7ad2a9b7c184a7038dc8231917b07c

SHA512
ee810827d203b627e947e45413cf5cb9246079218e1e03f9ad15a34af4abebaeb4c97525578cf6bb070277f2709ade367801bffb6ae44739671c7c803edf729e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xb1jorxa.dll

Filesize
76KB

MD5
25f566770fd0c47a083d54098dcaf929

SHA1
080e5ad3da05cb70826e7245895109b98fc1217f

SHA256
6528932c55ab5f60ad2bf18447438b8660e55c1780da3bfa4d1fa1358044c092

SHA512
51566ced1e9910dbef093d9b391ee0c02e31e231f5ee2f0d749ed095aa5993f407defffa41ee5e051c2446cbc931a9c15d94485326efa3cffc2922c30cc57ea0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF1A3.tmp

Filesize
676B

MD5
8f929a9f8c9a388cd28f25e014c7f3c6

SHA1
0eeaa4b925604af0035fee73568b3289c6763f49

SHA256
55ad6ffc39d598434c245b6c06af546ba14f445338e6a5dbb3316cd8b0739917

SHA512
9c752b4f5874083daa5552fe45f63e8e289e87b0c2ca1879cda3c17eeb766cfad559bdf2e1ffa73fbba64c444b92eeb0f13aae64ebae7a833b38d611782b2e80

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xb1jorxa.0.cs

Filesize
208KB

MD5
e44b8c6d30cb536e61cd8d26a72da438

SHA1
ae41aef4a95ba98ff67c2e61c23dac535534ccff

SHA256
bd830498b8ac1eae90ee497cfd7f66b08e54248e7068fb413392093b9ca14d02

SHA512
a46a9d11b5e1d4275c0e46d68933095df11c7f277a5524f6ab2912dd4b82a55fc2eb60724fff93767233da86c1d62492c1197ba23f6d5ede4312aea421401f44

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xb1jorxa.cmdline

Filesize
349B

MD5
f758092ef38712aea5f3fa6687495b3c

SHA1
60a3626edc0417aa18ccd9f33b0504c253f9d036

SHA256
e8cf6c66f3800e9f8237f01fd05e15ad0e400ff9182246559da5f194302add69

SHA512
b5a243bf72cf13ace0d71164e7a570cdfb2fea26a16aaa32d5357b804f462cc83c6652a32d5230618f902c6b023bbfaaa79098e213ceca0261d4dcb44680f5d0

Download Submit
memory/688-43-0x00007FF9F1F50000-0x00007FF9F2A11000-memory.dmp

Filesize
10.8MB

Download
memory/688-44-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/688-52-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/688-51-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/688-50-0x00007FF9F1F50000-0x00007FF9F2A11000-memory.dmp

Filesize
10.8MB

Download
memory/688-49-0x000000001B890000-0x000000001B8A0000-memory.dmp

Filesize
64KB

Download
memory/688-48-0x000000001B840000-0x000000001B850000-memory.dmp

Filesize
64KB

Download
memory/688-47-0x000000001B710000-0x000000001B728000-memory.dmp

Filesize
96KB

Download
memory/688-46-0x000000001B6C0000-0x000000001B70E000-memory.dmp

Filesize
312KB

Download
memory/688-45-0x0000000002D60000-0x0000000002D72000-memory.dmp

Filesize
72KB

Download
memory/688-41-0x0000000000A60000-0x0000000000B48000-memory.dmp

Filesize
928KB

Download
memory/4196-6-0x000000001BC80000-0x000000001BC8E000-memory.dmp

Filesize
56KB

Download
memory/4196-0-0x00007FF9F69E0000-0x00007FF9F7381000-memory.dmp

Filesize
9.6MB

Download
memory/4196-42-0x00007FF9F69E0000-0x00007FF9F7381000-memory.dmp

Filesize
9.6MB

Download
memory/4196-1-0x00007FF9F69E0000-0x00007FF9F7381000-memory.dmp

Filesize
9.6MB

Download
memory/4196-2-0x0000000001170000-0x0000000001180000-memory.dmp

Filesize
64KB

Download
memory/4196-3-0x000000001BA90000-0x000000001BAEC000-memory.dmp

Filesize
368KB

Download
memory/4196-24-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/4196-22-0x000000001CD90000-0x000000001CDA6000-memory.dmp

Filesize
88KB

Download
memory/4196-7-0x000000001C160000-0x000000001C62E000-memory.dmp

Filesize
4.8MB

Download
memory/4196-8-0x000000001C6D0000-0x000000001C76C000-memory.dmp

Filesize
624KB

Download
memory/4888-14-0x00000000021C0000-0x00000000021D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads