Overview

overview

10

Static

static

3

Calculator14VGA.exe

windows7-x64

10

Calculator14VGA.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    2s
  • max time network
    295s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2024 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Calculator14VGA.exe

  • Size

    1.7MB

  • MD5

    4c969f76c5c1150669e1a54cfa20ed1c

  • SHA1

    037f9b972c732222ba259754f75868caaefd03a3

  • SHA256

    be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588

  • SHA512

    5246dd5f6ee9c747360431bc140779a4d316af51186c6bcc0d6d0f3bb20e633cbdee2296432fd08e4f9234089bbcb5c868e8c9d75b05b523af53c5d34cc3ea15

  • SSDEEP

    49152:ODQxkKWUoI8cQFrqxevo2NdQNBwLPVhF6WT:j2KWUoILC3nQDwrVn6WT

Score
10/10
orcustgratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

tg

C2

10.0.2.15:6969

Mutex

a867e8d19abf423285769fa6d8e47601

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Java8update\updaterjava9.exe

  • reconnect_delay

    10000

  • registry_keyname

    RobloxJavaMaster

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\RobloxUpdater04.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcurs Rat Executable 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Calculator14VGA.exe
    "C:\Users\Admin\AppData\Local\Temp\Calculator14VGA.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1424
    • C:\Program Files (x86)\Java8update\updaterjava9.exe
      "C:\Program Files (x86)\Java8update\updaterjava9.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      PID:2796
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:2288
  • C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
    "C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /watchProcess "C:\Program Files (x86)\Java8update\updaterjava9.exe" 2796 "/protectFile"
    1⤵
      PID:1536
    • C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
      "C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /launchSelfAndExit "C:\Program Files (x86)\Java8update\updaterjava9.exe" 2796 /protectFile
      1⤵
        PID:1576
      • C:\Program Files (x86)\Java8update\updaterjava9.exe
        "C:\Program Files (x86)\Java8update\updaterjava9.exe"
        1⤵
          PID:2580
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {2D4974E8-121E-4E7A-B72E-FB6B9273ED61} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
          1⤵
            PID:2688

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1384-44-0x0000000074060000-0x000000007474E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1384-1-0x00000000008E0000-0x0000000000D54000-memory.dmp
            Filesize

            4.5MB

            Download
          • memory/1384-0-0x00000000008E0000-0x0000000000D54000-memory.dmp
            Filesize

            4.5MB

            Download
          • memory/1384-3-0x0000000005870000-0x00000000058B0000-memory.dmp
            Filesize

            256KB

            Download
          • memory/1384-42-0x00000000008E0000-0x0000000000D54000-memory.dmp
            Filesize

            4.5MB

            Download
          • memory/1384-4-0x0000000000700000-0x000000000070E000-memory.dmp
            Filesize

            56KB

            Download
          • memory/1384-8-0x0000000002540000-0x0000000002548000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1384-2-0x0000000074060000-0x000000007474E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1384-6-0x00000000008D0000-0x00000000008E2000-memory.dmp
            Filesize

            72KB

            Download
          • memory/1384-35-0x0000000006B50000-0x0000000006FC4000-memory.dmp
            Filesize

            4.5MB

            Download
          • memory/1384-7-0x0000000002530000-0x0000000002538000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1384-5-0x00000000053C0000-0x000000000541C000-memory.dmp
            Filesize

            368KB

            Download
          • memory/1424-23-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp
            Filesize

            9.9MB

            Download
          • memory/1424-20-0x000000001B2C0000-0x000000001B340000-memory.dmp
            Filesize

            512KB

            Download
          • memory/1424-19-0x000007FEF5270000-0x000007FEF5C5C000-memory.dmp
            Filesize

            9.9MB

            Download
          • memory/1424-18-0x00000000008E0000-0x00000000008EC000-memory.dmp
            Filesize

            48KB

            Download
          • memory/1536-83-0x0000000074060000-0x000000007474E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1536-72-0x0000000074060000-0x000000007474E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1576-68-0x0000000074060000-0x000000007474E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1576-67-0x0000000000F50000-0x0000000000F58000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1576-73-0x0000000074060000-0x000000007474E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2288-74-0x0000000000E70000-0x0000000000EF0000-memory.dmp
            Filesize

            512KB

            Download
          • memory/2288-65-0x000007FEF4880000-0x000007FEF526C000-memory.dmp
            Filesize

            9.9MB

            Download
          • memory/2288-25-0x0000000000F00000-0x0000000000F0C000-memory.dmp
            Filesize

            48KB

            Download
          • memory/2288-26-0x000007FEF4880000-0x000007FEF526C000-memory.dmp
            Filesize

            9.9MB

            Download
          • memory/2580-69-0x0000000005B10000-0x0000000005B50000-memory.dmp
            Filesize

            256KB

            Download
          • memory/2580-77-0x0000000074060000-0x000000007474E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2580-55-0x0000000001100000-0x0000000001574000-memory.dmp
            Filesize

            4.5MB

            Download
          • memory/2580-64-0x0000000001100000-0x0000000001574000-memory.dmp
            Filesize

            4.5MB

            Download
          • memory/2580-66-0x0000000074060000-0x000000007474E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2580-76-0x0000000001100000-0x0000000001574000-memory.dmp
            Filesize

            4.5MB

            Download
          • memory/2796-51-0x00000000033E0000-0x00000000033F0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2796-49-0x00000000032E0000-0x000000000332E000-memory.dmp
            Filesize

            312KB

            Download
          • memory/2796-40-0x0000000001100000-0x0000000001574000-memory.dmp
            Filesize

            4.5MB

            Download
          • memory/2796-41-0x0000000074060000-0x000000007474E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2796-46-0x0000000002DD0000-0x0000000002DE2000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2796-45-0x0000000005780000-0x00000000057C0000-memory.dmp
            Filesize

            256KB

            Download
          • memory/2796-43-0x0000000001100000-0x0000000001574000-memory.dmp
            Filesize

            4.5MB

            Download
          • memory/2796-50-0x0000000003380000-0x0000000003398000-memory.dmp
            Filesize

            96KB

            Download
          • memory/2796-56-0x0000000005780000-0x00000000057C0000-memory.dmp
            Filesize

            256KB

            Download
          • memory/2796-79-0x0000000074060000-0x000000007474E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2796-80-0x0000000005780000-0x00000000057C0000-memory.dmp
            Filesize

            256KB

            Download
          • memory/2796-81-0x0000000005780000-0x00000000057C0000-memory.dmp
            Filesize

            256KB

            Download
          • memory/2796-37-0x0000000001100000-0x0000000001574000-memory.dmp
            Filesize

            4.5MB

            Download