orcus | 509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
06-01-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe
Size

5.0MB
MD5

149bf9d2125e78f56f5b8af10d1016ed
SHA1

f64771515acabec2e1b092a929a4fdbd6b4b4307
SHA256

509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0
SHA512

3996192663ce95a872f636585bfd815fbea22fc9f7fbd46fa4a0b2747d5625e98d34c8565ad7cfee158be9d3c2d2a5472ba6a728c1b36ab0867539ef279e2e13
SSDEEP

24576:uWM4MROxnFE3jdc1RrrZlI0AilFEvxHioRn:uWfMiuObrrZlI0AilFEvxHio

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

10.0.2.15:4444

Mutex

afe4268b3e1340c8b922890ff0856cb0

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
explorer
taskscheduler_taskname
java
watchdog_path
AppData\java.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/memory/3040-48-0x0000000000960000-0x0000000000A4E000-memory.dmp	orcus

Executes dropped EXE 6 IoCs

pid	Process
2864	WindowsInput.exe
2580	WindowsInput.exe
3040	Orcus.exe
2776	Orcus.exe
1528	java.exe
2984	java.exe

Loads dropped DLL 1 IoCs

pid	Process
1528	java.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	java.exe
2984	java.exe
3040	Orcus.exe
3040	Orcus.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe
3040	Orcus.exe
2984	java.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	Orcus.exe
Token: SeDebugPrivilege	1528	java.exe
Token: SeDebugPrivilege	2984	java.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3040	Orcus.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2416	2908	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe	28
PID 2908 wrote to memory of 2416	2908	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe	28
PID 2908 wrote to memory of 2416	2908	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe	28
PID 2416 wrote to memory of 960	2416	csc.exe	29
PID 2416 wrote to memory of 960	2416	csc.exe	29
PID 2416 wrote to memory of 960	2416	csc.exe	29
PID 2908 wrote to memory of 2864	2908	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe	31
PID 2908 wrote to memory of 2864	2908	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe	31
PID 2908 wrote to memory of 2864	2908	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe	31
PID 2908 wrote to memory of 3040	2908	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe	34
PID 2908 wrote to memory of 3040	2908	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe	34
PID 2908 wrote to memory of 3040	2908	509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe	34
PID 2180 wrote to memory of 2776	2180	taskeng.exe	35
PID 2180 wrote to memory of 2776	2180	taskeng.exe	35
PID 2180 wrote to memory of 2776	2180	taskeng.exe	35
PID 3040 wrote to memory of 1528	3040	Orcus.exe	36
PID 3040 wrote to memory of 1528	3040	Orcus.exe	36
PID 3040 wrote to memory of 1528	3040	Orcus.exe	36
PID 3040 wrote to memory of 1528	3040	Orcus.exe	36
PID 3040 wrote to memory of 1528	3040	Orcus.exe	36
PID 3040 wrote to memory of 1528	3040	Orcus.exe	36
PID 3040 wrote to memory of 1528	3040	Orcus.exe	36
PID 1528 wrote to memory of 2984	1528	java.exe	37
PID 1528 wrote to memory of 2984	1528	java.exe	37
PID 1528 wrote to memory of 2984	1528	java.exe	37
PID 1528 wrote to memory of 2984	1528	java.exe	37
PID 1528 wrote to memory of 2984	1528	java.exe	37
PID 1528 wrote to memory of 2984	1528	java.exe	37
PID 1528 wrote to memory of 2984	1528	java.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe
"C:\Users\Admin\AppData\Local\Temp\509cfaac45f23bf4bba6fd9f0a631d483d44c04930eeb5a3e68f3badcbd9bba0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\76shxxts.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC81C.tmp"
    3⤵
    PID:960
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2864
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Users\Admin\AppData\Roaming\java.exe
    "C:\Users\Admin\AppData\Roaming\java.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 3040 /protectFile
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Users\Admin\AppData\Roaming\java.exe
      "C:\Users\Admin\AppData\Roaming\java.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 3040 "/protectFile"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2984

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2580

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\system32\taskeng.exe
taskeng.exe {EAFDFA8A-6FD6-4A2E-A43F-26FCDEC229F2} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES81D.tmp

Filesize
1KB

MD5
e51a2a1102175a33176bcde6a933eea2

SHA1
3f691078c1f03e01c48e096002d8ccc000967503

SHA256
6a1cd6214f81d0bc822bae52829e777715244493bfd516cabd5695747d07500f

SHA512
11389b4cd234ec061d816cc6f1f3969919a2a27dd2421da25f4ad8e44640147904068e18a524f2f2c243b29f5bb0962e39eae8f5324a2e461db8ba03109665ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\76shxxts.0.cs

Filesize
208KB

MD5
6011503497b1b9250a05debf9690e52c

SHA1
897aea61e9bffc82d7031f1b3da12fb83efc6d82

SHA256
08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434

SHA512
604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\76shxxts.cmdline

Filesize
349B

MD5
d17b3bf59f9795cb220fdf3ebd53a0a0

SHA1
a9ed88cdb10e2e4053a8944dd5a189928623e56a

SHA256
c86f7d1966802f70356b8bb87ddcf7d7dece2efb3e4b20409e8a854ef05c8229

SHA512
b135ad2e2f16997673fa146ea9dd72ea0cb808f690b713084eac3e394c1b67096da91f2d6d4261f871c05fbd6d5b18f3a4f35ca3c6ce373222f9efef4371c5bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC81C.tmp

Filesize
676B

MD5
e347f080350d2dad32fa1d0b4ba54534

SHA1
76ca812a4b85a41401ceb3efc2ce372424132bf2

SHA256
759f726f469ad978ceff29e9952a50004db4efc983d7a92b2eab77e48fc6381a

SHA512
a7a8d65872d955a20dff0da2c2c46c9366d647339608afe912756c193c9a7abdd10ccb81609d5f9b178df5aece29109b04c6f0629d52dc87a227b1f3aa3549bf

Download Submit
memory/1528-70-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/1528-73-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/1528-69-0x0000000001200000-0x0000000001208000-memory.dmp

Filesize
32KB

Download
memory/2416-10-0x0000000002260000-0x00000000022E0000-memory.dmp

Filesize
512KB

Download
memory/2580-38-0x00000000000A0000-0x00000000000AC000-memory.dmp

Filesize
48KB

Download
memory/2580-76-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-39-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/2776-75-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/2776-62-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/2776-65-0x000000001AE10000-0x000000001AE90000-memory.dmp

Filesize
512KB

Download
memory/2864-32-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/2864-33-0x000007FEED900000-0x000007FEEE2EC000-memory.dmp

Filesize
9.9MB

Download
memory/2864-36-0x000007FEED900000-0x000007FEEE2EC000-memory.dmp

Filesize
9.9MB

Download
memory/2908-0-0x0000000000A40000-0x0000000000A9C000-memory.dmp

Filesize
368KB

Download
memory/2908-20-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2908-1-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2908-21-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2908-22-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/2908-49-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-4-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-3-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/2908-2-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-18-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

Filesize
88KB

Download
memory/2908-26-0x0000000000AF0000-0x0000000000B70000-memory.dmp

Filesize
512KB

Download
memory/2984-74-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-80-0x0000000074B60000-0x000000007524E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-58-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/3040-56-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/3040-55-0x0000000002350000-0x0000000002368000-memory.dmp

Filesize
96KB

Download
memory/3040-54-0x00000000020F0000-0x000000000213E000-memory.dmp

Filesize
312KB

Download
memory/3040-48-0x0000000000960000-0x0000000000A4E000-memory.dmp

Filesize
952KB

Download
memory/3040-51-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/3040-50-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-77-0x000007FEECF10000-0x000007FEED8FC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-78-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download
memory/3040-79-0x00000000023D0000-0x0000000002450000-memory.dmp

Filesize
512KB

Download