Malware Analysis Report

2024-09-22 11:23

Sample ID 240105-bdy89aehhj
Target 23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4
SHA256 23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4
Tags
777 orcus rat spyware stealer hawkeye keylogger trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4

Threat Level: Known bad

The file 23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4 was found to be: Known bad.

Malicious Activity Summary

777 orcus rat spyware stealer hawkeye keylogger trojan

Orcus

Orcurs Rat Executable

Orcus main payload

HawkEye

Orcus family

Orcurs Rat Executable

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-05 01:02

Signatures

Orcurs Rat Executable

Orcus family

orcus

Orcus main payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 01:02

Reported

2024-01-05 01:04

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A
File opened for modification | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A
File created | C:\Program Files (x86)\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2652 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2652 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2652 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2652 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2652 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 2652 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 2652 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 2652 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 2460 wrote to memory of 2544 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 2460 wrote to memory of 2544 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 2460 wrote to memory of 2544 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 2460 wrote to memory of 2544 | N/A | C:\Windows\system32\taskeng.exe | C:\Program Files (x86)\Orcus\Orcus.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe

"C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B6B3AE42-E25B-41CC-8312-09DAE1C526FD} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
N/A | 10.86.6.129:3333 | | tcp
N/A | 10.86.6.129:3333 | | tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 01:02

Reported

2024-01-05 01:05

Platform

win10v2004-20231222-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A
File opened for modification | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A
File created | C:\Program Files (x86)\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1680 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1680 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1680 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 1680 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 1680 wrote to memory of 1640 | N/A | C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 1640 wrote to memory of 3848 | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
PID 1640 wrote to memory of 3848 | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
PID 1640 wrote to memory of 3848 | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
PID 3848 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
PID 3848 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
PID 3848 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe | C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe

"C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 1640 "/protectFile"

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 1640 /protectFile

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
N/A | 10.86.6.129:3333 | | tcp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
N/A | 10.86.6.129:3333 | | tcp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
N/A | 10.86.6.129:3333 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
N/A | 10.86.6.129:3333 | | tcp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
N/A | 10.86.6.129:3333 | | tcp
N/A | 10.86.6.129:3333 | | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
N/A | 10.86.6.129:3333 | | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
N/A | 10.86.6.129:3333 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
N/A | 10.86.6.129:3333 | | tcp
N/A | 10.86.6.129:3333 | | tcp
N/A | 10.86.6.129:3333 | | tcp
N/A | 10.86.6.129:3333 | | tcp

Files
