Overview

overview

10

Static

static

3

Calculator14VGA.exe

windows7-x64

10

Calculator14VGA.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    299s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2024 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Calculator14VGA.exe

  • Size

    1.7MB

  • MD5

    4c969f76c5c1150669e1a54cfa20ed1c

  • SHA1

    037f9b972c732222ba259754f75868caaefd03a3

  • SHA256

    be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588

  • SHA512

    5246dd5f6ee9c747360431bc140779a4d316af51186c6bcc0d6d0f3bb20e633cbdee2296432fd08e4f9234089bbcb5c868e8c9d75b05b523af53c5d34cc3ea15

  • SSDEEP

    49152:ODQxkKWUoI8cQFrqxevo2NdQNBwLPVhF6WT:j2KWUoILC3nQDwrVn6WT

Score
10/10
orcustgpersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

tg

C2

10.0.2.15:6969

Mutex

a867e8d19abf423285769fa6d8e47601

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Java8update\updaterjava9.exe

  • reconnect_delay

    10000

  • registry_keyname

    RobloxJavaMaster

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\RobloxUpdater04.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcurs Rat Executable 7 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 32 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Calculator14VGA.exe
    "C:\Users\Admin\AppData\Local\Temp\Calculator14VGA.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:2072
    • C:\Program Files (x86)\Java8update\updaterjava9.exe
      "C:\Program Files (x86)\Java8update\updaterjava9.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
        "C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /launchSelfAndExit "C:\Program Files (x86)\Java8update\updaterjava9.exe" 548 /protectFile
        3⤵
          PID:2440
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe"
      1⤵
      • Executes dropped EXE
      PID:4812
    • C:\Program Files (x86)\Java8update\updaterjava9.exe
      "C:\Program Files (x86)\Java8update\updaterjava9.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      PID:3524
    • C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
      "C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /watchProcess "C:\Program Files (x86)\Java8update\updaterjava9.exe" 548 "/protectFile"
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4436
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2440

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Java8update\updaterjava9.exe
      Filesize

      100KB

      MD5

      0aa65b10d374282aa76f5a0d5b69520a

      SHA1

      f0ed0ad1bb268fe07dc1667ed7263cbfe1f64a05

      SHA256

      0076ce17c175001a5c288e0c88bec45ced8c88fba16e513fd69a4b6914ddd475

      SHA512

      da97a81f7d72b5c286ceb33ee94eb7bfd908dd5497004fd17d7bb922002de3c77404f35314107f2ff4b09a681dcbe3913932bb3c287ed389810f853c1b6a9dba

      Download Submit
    • C:\Program Files (x86)\Java8update\updaterjava9.exe
      Filesize

      59KB

      MD5

      02c1ee5e053873320848d4bf74999f4b

      SHA1

      c4608cf18240f0b8734cf37a272560b269981e02

      SHA256

      11926d5ccb4d4a2abf0c600895c2f83d4cc2cec5ebc04262bf98f7dd2af2ad8e

      SHA512

      1a80ef3678a08206281da19dded7116439c0c2bdafd74f55bd474acc0cef5085ec196554dc6d67004ae2eb1157fcf6f201077a2eedc73a93d5fc6c9366426e7e

      Download Submit
    • C:\Program Files (x86)\Java8update\updaterjava9.exe
      Filesize

      92KB

      MD5

      4062e2eb0afc37ce533d45484da81c30

      SHA1

      cc796fd73388adcdc7962db9cda99bcbabc4f999

      SHA256

      fb5c35dd102b0a3146cd766bd456a766a5bf298583c344b3c08970e16789cdb4

      SHA512

      d88293de5ab6905ed1967f21b7fe0de838ac10b3ac3236cdc626389a4a2469b0b04dd0233c02de898ad29baf75dcd43af6f47464d24e661e6cdae4f546b7b1fa

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RobloxUpdater04.exe.log
      Filesize

      425B

      MD5

      4eaca4566b22b01cd3bc115b9b0b2196

      SHA1

      e743e0792c19f71740416e7b3c061d9f1336bf94

      SHA256

      34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

      SHA512

      bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

      Download Submit
    • C:\Users\Admin\AppData\Roaming\NVIDlA\err_a867e8d19abf423285769fa6d8e47601.dat
      Filesize

      1KB

      MD5

      7ed0ab4b9fa517f2d1585048e3e376e7

      SHA1

      afb3641d0917f2bb99183a91118b7884c2085d27

      SHA256

      269af47ce4c88dfbabb6b1d1fa9c9ac05ba54bcadb9ed93a7985939bb2ea8856

      SHA512

      7ad51aeab341a53581137210624e64b196a521479add7a4c10a6a7b5c429c758d5d301f8cc071429dfebdc565467db9fcbc0a043b00752f60c172b961f53f3c1

      Download Submit
    • C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
      Filesize

      9KB

      MD5

      913967b216326e36a08010fb70f9dba3

      SHA1

      7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

      SHA256

      8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

      SHA512

      c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

      Download Submit
    • C:\Windows\SysWOW64\WindowsInput.exe
      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

      Download Submit
    • C:\Windows\SysWOW64\WindowsInput.exe.config
      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

      Download Submit
    • \??\c:\program files (x86)\java8update\updaterjava9.exe
      Filesize

      42KB

      MD5

      28ba1b29d5b8daaa5eb83465247df378

      SHA1

      07c6ec94ae2d7fdd079153ed709ea8634ac42b1c

      SHA256

      bcced6d9681a45681079f13b0d5f26433f8d2e35318cc4253564c76ef6daccca

      SHA512

      a82e8ea6bc100afd712af417be74b6868a6abe63fe7a76062d56160870836bae1c95c3d4030e578e2e22ee06fd7da3a5a7fcf7c7526efb3f355098f4c050ad14

      Download Submit
    • memory/548-59-0x0000000000560000-0x00000000009D4000-memory.dmp
      Filesize

      4.5MB

      Download
    • memory/548-67-0x0000000002A80000-0x0000000002A90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/548-74-0x00000000071F0000-0x0000000007200000-memory.dmp
      Filesize

      64KB

      Download
    • memory/548-70-0x0000000006800000-0x000000000684E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/548-73-0x00000000073C0000-0x0000000007582000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/548-72-0x0000000007020000-0x0000000007038000-memory.dmp
      Filesize

      96KB

      Download
    • memory/548-75-0x0000000007350000-0x000000000735A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/548-64-0x0000000000560000-0x00000000009D4000-memory.dmp
      Filesize

      4.5MB

      Download
    • memory/548-65-0x0000000000560000-0x00000000009D4000-memory.dmp
      Filesize

      4.5MB

      Download
    • memory/548-107-0x0000000000560000-0x00000000009D4000-memory.dmp
      Filesize

      4.5MB

      Download
    • memory/548-106-0x0000000074C80000-0x0000000075430000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/548-109-0x0000000002A80000-0x0000000002A90000-memory.dmp
      Filesize

      64KB

      Download
    • memory/548-66-0x0000000074C80000-0x0000000075430000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2072-40-0x00007FFA818B0000-0x00007FFA82371000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2072-35-0x0000000001840000-0x0000000001852000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2072-33-0x00007FFA818B0000-0x00007FFA82371000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2072-36-0x0000000003180000-0x00000000031BC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2072-34-0x0000000003200000-0x0000000003210000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2072-32-0x0000000000F60000-0x0000000000F6C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2440-94-0x0000000000870000-0x0000000000878000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2440-98-0x0000000074C80000-0x0000000075430000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2440-93-0x0000000074C80000-0x0000000075430000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3524-76-0x0000000074C80000-0x0000000075430000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3524-104-0x0000000074C80000-0x0000000075430000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3524-103-0x0000000000560000-0x00000000009D4000-memory.dmp
      Filesize

      4.5MB

      Download
    • memory/3524-79-0x0000000000560000-0x00000000009D4000-memory.dmp
      Filesize

      4.5MB

      Download
    • memory/3524-89-0x0000000005910000-0x0000000005920000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3524-87-0x0000000000560000-0x00000000009D4000-memory.dmp
      Filesize

      4.5MB

      Download
    • memory/3968-15-0x0000000006860000-0x00000000068AC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/3968-16-0x00000000069E0000-0x0000000006AEA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3968-13-0x00000000067C0000-0x00000000067D2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3968-8-0x0000000006090000-0x00000000060A2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3968-9-0x00000000060A0000-0x00000000060A8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3968-11-0x0000000006140000-0x00000000061A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3968-10-0x00000000060B0000-0x00000000060B8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3968-3-0x0000000005C30000-0x0000000005C40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3968-2-0x0000000074C80000-0x0000000075430000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3968-7-0x0000000005B90000-0x0000000005C22000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3968-14-0x0000000006820000-0x000000000685C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3968-6-0x00000000061F0000-0x0000000006794000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3968-0-0x0000000000690000-0x0000000000B04000-memory.dmp
      Filesize

      4.5MB

      Download
    • memory/3968-12-0x0000000006DC0000-0x00000000073D8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/3968-18-0x0000000006D70000-0x0000000006D92000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3968-1-0x0000000000690000-0x0000000000B04000-memory.dmp
      Filesize

      4.5MB

      Download
    • memory/3968-4-0x0000000003090000-0x000000000309E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/3968-5-0x0000000003900000-0x000000000395C000-memory.dmp
      Filesize

      368KB

      Download
    • memory/3968-61-0x0000000000690000-0x0000000000B04000-memory.dmp
      Filesize

      4.5MB

      Download
    • memory/3968-63-0x0000000074C80000-0x0000000075430000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4436-100-0x0000000074C80000-0x0000000075430000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4436-111-0x0000000074C80000-0x0000000075430000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4812-43-0x000000001A560000-0x000000001A570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4812-42-0x00007FFA818B0000-0x00007FFA82371000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4812-105-0x000000001A560000-0x000000001A570000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4812-99-0x00007FFA818B0000-0x00007FFA82371000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4812-44-0x000000001AA80000-0x000000001AB8A000-memory.dmp
      Filesize

      1.0MB

      Download