orcus | 5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691

Analysis

max time kernel
131s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691.exe
Size

3.0MB
MD5

f210202bfa18db14c6ec346037e4cb64
SHA1

be0a794a92753d152eebf2c9478da14156d1084f
SHA256

5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691
SHA512

a6b5d64679a0a52a1357ae23890ee324788c2fedfcb03059f9d083ae423df060a93983053a277a3f577b296821754596cd0b876d160a309b888569cde738a49d
SSDEEP

49152:Y1HS7p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpbu/nRFfjI7L0qb:YUHTPJg8z1mKnypSbRxo9JCm

Score

10^/10

orcus новый тег rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Новый тег

31.44.184.52:23303

Mutex

sudo_ofcp37vv54izlwrf1h65z8l5gj4mqi71

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\toprocessorcdn\local_.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0030000000016d7b-10.dat	family_orcus
behavioral1/files/0x0030000000016d7b-12.dat	family_orcus
behavioral1/files/0x0030000000016d7b-13.dat	family_orcus
behavioral1/files/0x0030000000016d7b-15.dat	family_orcus
behavioral1/files/0x0030000000016d7b-22.dat	family_orcus
behavioral1/files/0x0030000000016d7b-79.dat	family_orcus

Orcurs Rat Executable 15 IoCs

resource	yara_rule
behavioral1/memory/2988-0-0x0000000000E20000-0x000000000111E000-memory.dmp	orcus
behavioral1/files/0x0030000000016d7b-10.dat	orcus
behavioral1/files/0x0030000000016d7b-12.dat	orcus
behavioral1/files/0x0030000000016d7b-13.dat	orcus
behavioral1/memory/2844-17-0x0000000000310000-0x000000000060E000-memory.dmp	orcus
behavioral1/files/0x0030000000016d7b-15.dat	orcus
behavioral1/memory/2724-34-0x0000000000400000-0x00000000006FE000-memory.dmp	orcus
behavioral1/memory/2724-32-0x0000000000400000-0x00000000006FE000-memory.dmp	orcus
behavioral1/memory/2724-29-0x0000000000400000-0x00000000006FE000-memory.dmp	orcus
behavioral1/memory/2724-36-0x0000000000400000-0x00000000006FE000-memory.dmp	orcus
behavioral1/memory/2724-28-0x0000000000400000-0x00000000006FE000-memory.dmp	orcus
behavioral1/files/0x0030000000016d7b-22.dat	orcus
behavioral1/files/0x0030000000016d7b-79.dat	orcus
behavioral1/memory/2532-81-0x00000000009E0000-0x0000000000CDE000-memory.dmp	orcus
behavioral1/memory/3040-86-0x0000000000080000-0x000000000037E000-memory.dmp	orcus

Executes dropped EXE 4 IoCs

pid	Process
2844	local_.exe
2564	local_.exe
2532	local_.exe
3040	local_.exe

Loads dropped DLL 1 IoCs

pid	Process
2988	5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 2724	2844	local_.exe	30
PID 2564 set thread context of 800	2564	local_.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2988	5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691.exe
2844	local_.exe
2844	local_.exe
2564	local_.exe
2564	local_.exe
800	caspol.exe
800	caspol.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691.exe
Token: SeDebugPrivilege	2844	local_.exe
Token: SeDebugPrivilege	2564	local_.exe
Token: SeDebugPrivilege	800	caspol.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2844	2988	5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691.exe	28
PID 2988 wrote to memory of 2844	2988	5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691.exe	28
PID 2988 wrote to memory of 2844	2988	5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691.exe	28
PID 2988 wrote to memory of 2844	2988	5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691.exe	28
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2584 wrote to memory of 2564	2584	taskeng.exe	31
PID 2584 wrote to memory of 2564	2584	taskeng.exe	31
PID 2584 wrote to memory of 2564	2584	taskeng.exe	31
PID 2584 wrote to memory of 2564	2584	taskeng.exe	31
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2844 wrote to memory of 2724	2844	local_.exe	30
PID 2564 wrote to memory of 800	2564	local_.exe	32
PID 2564 wrote to memory of 800	2564	local_.exe	32
PID 2564 wrote to memory of 800	2564	local_.exe	32
PID 2564 wrote to memory of 800	2564	local_.exe	32
PID 2564 wrote to memory of 800	2564	local_.exe	32
PID 2564 wrote to memory of 800	2564	local_.exe	32
PID 2564 wrote to memory of 800	2564	local_.exe	32
PID 2564 wrote to memory of 800	2564	local_.exe	32
PID 2564 wrote to memory of 800	2564	local_.exe	32
PID 2584 wrote to memory of 2532	2584	taskeng.exe	37
PID 2584 wrote to memory of 2532	2584	taskeng.exe	37
PID 2584 wrote to memory of 2532	2584	taskeng.exe	37
PID 2584 wrote to memory of 2532	2584	taskeng.exe	37
PID 2584 wrote to memory of 3040	2584	taskeng.exe	38
PID 2584 wrote to memory of 3040	2584	taskeng.exe	38
PID 2584 wrote to memory of 3040	2584	taskeng.exe	38
PID 2584 wrote to memory of 3040	2584	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691.exe
"C:\Users\Admin\AppData\Local\Temp\5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe
  "C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:2724

C:\Windows\system32\taskeng.exe
taskeng.exe {4CFB56DA-F260-4E05-B5FB-495F34B585D9} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe
  C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:800
- C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe
  C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe
  C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe
  2⤵
  - Executes dropped EXE
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab7BC7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe

Filesize
2.0MB

MD5
6cdcb62ec16050829cdcf6128492a6f3

SHA1
5ba28f74a0f26d24a94fea7931c47ed327f6c16e

SHA256
453d006977dc6b4598ce4eae6a18eb5ab9828ca5f5b1e629dda8bf4427af24d5

SHA512
2f8f3253492fab1245667bf55d0f59463dd7ece95ce067df6ad952dd8c0b97028d61d3aab8e030446e3b700113aec2803c85024897fcdc4fdb18307e12ac1dd0

Download Submit
C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe

Filesize
1000KB

MD5
3890d1e2537a1b33a54c7e58898469a1

SHA1
976a07858d1941f1a89e18d71a020fbffc546c1b

SHA256
aa9237caddfac25ed312ea459635dc9dded81b6fd72e34ede72f37ca420bf4ec

SHA512
d964d932699fcf9e22a9223f7bb3c1217bd8ba14989c9ef9aeabb30e5a5618ab07bf0bdad0bcc21ad92270869a4a22f20bb82f92800881e5922d3c9a9fe67711

Download Submit
C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe

Filesize
1.1MB

MD5
3f430fd75f633c26076fc3ebdb70c2bf

SHA1
a67b9bdc3e00c4078c83455966df696c70e3f1ea

SHA256
fc0313ca05528b1149e702d0cd24c34c418704a7b09a85038cd70503f0dc2fb1

SHA512
23eee8d7aeba1785834cd311d35433a7c8f41755aba1b011c153e37cdc94f0558e58393c788eccb5889ed2961a75a5aec711e7905d259e3669c5e918f88adc0b

Download Submit
C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe

Filesize
758KB

MD5
886f0998ac021f2f0cd507dc2cfa69fd

SHA1
650da45d0a802fc03b08ce82446fb8b96b0689a8

SHA256
36ac615607ae2aa1e22e495a83edc6c13700863f2c63eeb6baece52adf67d333

SHA512
59659bd7284801898da77fe0afe78e144792b5de078a051172419e9503c299dee3f4a6d6bbac605dbcada0d25b9ee3c02d549513393c409fe7e5d31e7ac701e0

Download Submit
C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe

Filesize
3.0MB

MD5
f210202bfa18db14c6ec346037e4cb64

SHA1
be0a794a92753d152eebf2c9478da14156d1084f

SHA256
5a7e4eb21012621383ec2a556e63202d42334c02da350c1eaa7af7d1c9088691

SHA512
a6b5d64679a0a52a1357ae23890ee324788c2fedfcb03059f9d083ae423df060a93983053a277a3f577b296821754596cd0b876d160a309b888569cde738a49d

Download Submit
C:\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Users\Admin\AppData\Roaming\toprocessorcdn\local_.exe

Filesize
704KB

MD5
cb413d2c38405ab6f208c65e3423cdca

SHA1
c986abce2c1cfd36b870705b0de9682379709728

SHA256
32248a9077ac70bf1e8c79724455eb71a5e4a775f49d0a505d9902ef56317d14

SHA512
eba078a1b4586c97c158e9eb930f112acc87aae3b2a73276cf629e50e8e2111ad515457603e585c61c1dc5e78eb33927a8f97cfd92a0fed0bbdb021346e4edea

Download Submit
memory/800-57-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/800-75-0x00000000056B0000-0x00000000056BE000-memory.dmp

Filesize
56KB

Download
memory/800-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/800-54-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/800-55-0x0000000000B20000-0x0000000000B60000-memory.dmp

Filesize
256KB

Download
memory/800-56-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

Filesize
96KB

Download
memory/800-78-0x0000000000B20000-0x0000000000B60000-memory.dmp

Filesize
256KB

Download
memory/800-77-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/800-76-0x0000000005A10000-0x0000000005A12000-memory.dmp

Filesize
8KB

Download
memory/2532-80-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-81-0x00000000009E0000-0x0000000000CDE000-memory.dmp

Filesize
3.0MB

Download
memory/2532-82-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/2532-83-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-25-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/2564-24-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-53-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-34-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2724-74-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-28-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2724-21-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2724-26-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2724-39-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2724-36-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2724-29-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2724-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-32-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/2724-37-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-18-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-20-0x0000000000C30000-0x0000000000C7E000-memory.dmp

Filesize
312KB

Download
memory/2844-17-0x0000000000310000-0x000000000060E000-memory.dmp

Filesize
3.0MB

Download
memory/2844-19-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Filesize
256KB

Download
memory/2844-38-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-4-0x0000000000A70000-0x0000000000ACC000-memory.dmp

Filesize
368KB

Download
memory/2988-2-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/2988-3-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/2988-1-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-0-0x0000000000E20000-0x000000000111E000-memory.dmp

Filesize
3.0MB

Download
memory/2988-5-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/2988-16-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-85-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-86-0x0000000000080000-0x000000000037E000-memory.dmp

Filesize
3.0MB

Download
memory/3040-87-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/3040-88-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download