Malware Analysis Report

2025-03-15 06:51

Sample ID 240101-yphrzaghdr
Target 232b207bb6bf55bd615ae02f4d176c48.exe
SHA256 a754a7dd4fa2ad3f52aefe67444d38504e17da934f70a950fbe37fa371b74770
Tags
orcus rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

a754a7dd4fa2ad3f52aefe67444d38504e17da934f70a950fbe37fa371b74770

Threat Level: Known bad

The file 232b207bb6bf55bd615ae02f4d176c48.exe was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus main payload

Orcus

Orcurs Rat Executable

Orcus family

Orcurs Rat Executable

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-01 19:57

Signatures

Orcurs Rat Executable

Orcus family

orcus

Orcus main payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-01 19:57

Reported

2024-01-01 20:00

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\232b207bb6bf55bd615ae02f4d176c48.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Roaming\Watchdog.exe N/A 33
N/A N/A C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe N/A 31

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Watchdog.exe N/A 2
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe N/A 1

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2128 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\232b207bb6bf55bd615ae02f4d176c48.exe C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe 4
PID 2792 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe C:\Users\Admin\AppData\Roaming\Watchdog.exe 4
PID 2760 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Roaming\Watchdog.exe C:\Users\Admin\AppData\Roaming\Watchdog.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\232b207bb6bf55bd615ae02f4d176c48.exe

"C:\Users\Admin\AppData\Local\Temp\232b207bb6bf55bd615ae02f4d176c48.exe"

C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe

"C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe"

C:\Users\Admin\AppData\Roaming\Watchdog.exe

"C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe" 2792

C:\Users\Admin\AppData\Roaming\Watchdog.exe

"C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe" 2792

Network

Country Destination Domain Proto
US 8.8.8.8:53 nanonana24.ddns.net udp

Files

\Users\Admin\AppData\Roaming\Pix\Winlogon.exe

MD5 60746e89094ae97a7d8b3d1fc9eb4b23
SHA1 d248a7c0840907d45d20ac58d107adc6cbd09f72
SHA256 1d55c7c0954efd7ade420f06a66e8a6cfb84812e49ac885031325d7db973a774
SHA512 d80196b37481229de9dd9a4e8e5025340631ccd7d2471219d8b0defee677e54bbb04a8fb77a1d6575c74e58077b482cc9ac0d1bb26823fb5d5bfdbb4ae3b139c

C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe

MD5 03f0c1bc02f845a26037aa55b1bcd8c0
SHA1 4d3bc38e9bbcacffdef9e4846418654652958d55
SHA256 c65df115272da0df9bae771231c98c5affc65e1d07205f0f3b17dfd778288960
SHA512 cb54196cfdec48392786c2d4812892ddb6180b687abc16769281997ebab5c4d5b33a1bbbfe6c6d0f959a9cccbeaef5bcd31be6fc2e0491f9170fcf2b671ac126

C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe

MD5 6f20781bf9a22c2c6b38c46ff1353f27
SHA1 e91fdd1a814520a9ca69b3adfc00f1a193a4bc7f
SHA256 078d21d184dd8c09c4f8ae1f078049abd20171712497ec3d0e2583e54884feef
SHA512 442be2df76aa20b9188a358b63cf1f671c87725f597aa7e0887444c500dadb112359033dc77c79e23d7feabdfe33c1bba1bde8691156c9d18deece02bc56751b

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-01 19:57

Reported

2024-01-01 20:01

Platform

win10v2004-20231215-en

Max time kernel

5s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\232b207bb6bf55bd615ae02f4d176c48.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Processes

C:\Users\Admin\AppData\Local\Temp\232b207bb6bf55bd615ae02f4d176c48.exe

"C:\Users\Admin\AppData\Local\Temp\232b207bb6bf55bd615ae02f4d176c48.exe"

C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe

"C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe"

C:\Users\Admin\AppData\Roaming\Watchdog.exe

"C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe" 4884

C:\Users\Admin\AppData\Roaming\Watchdog.exe

"C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Pix\Winlogon.exe" 4884

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 nanonana24.ddns.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 nanonana24.ddns.net udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 62.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 nanonana24.ddns.net udp

Files
