Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-02-2024 20:18

General

  • Target

    file.bin.exe

  • Size

    916KB

  • MD5

    bdbe50403b411db0e07511e098bdb9ff

  • SHA1

    5772743e950c1c647a5cab202fc3cc29039e2749

  • SHA256

    a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284

  • SHA512

    9531b3c7572f07aaac342635369732b77c1df58c262e32b21327cd2ac47afe6e3042d79a6a72e30c07b03e420cd9b47b1781bc5ed875b8d7b973b480090261f9

  • SSDEEP

    24576:+cI4MROxnFD3jEsYxrZlI0AilFEvxHiH0h9:+crMiJWrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

C2

obfuscated.us:8080

Mutex

0133d229c4e24006957c0e4ab3a52531

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus main payload 4 IoCs
  • Orcus RAT Executable 5 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\file.bin.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:4756
    • C:\Program Files\Orcus\Orcus.exe
      "C:\Program Files\Orcus\Orcus.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 4728
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
          "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 4728
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4160
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rx0_tnzf.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1212
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:976
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BCF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4BBE.tmp"
    1⤵
      PID:2560
    • C:\Program Files\Orcus\Orcus.exe
      "C:\Program Files\Orcus\Orcus.exe"
      1⤵
      • Executes dropped EXE
      PID:1380

    Downloads

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      193KB

      MD5

      13548c85de46215be1616c25787b8fd0

      SHA1

      7e759bf01c2f6be569124c0a331d1ab850ba53c0

      SHA256

      9c710bb79b245c372805993d02b94c823cbdf2aa1a972f37b85d8e9b14cadcae

      SHA512

      92cabf754b9bff252f3be724d1488e0ed0a08eec5bb70ae9f284f21c1db4cd98fac1990e52fae2709bb1a8b04c40b88ab7290aae2542ebb5945e19db89a7ff04

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      248KB

      MD5

      22757c5a042451184cca0d0e212bb337

      SHA1

      1bbaf1e09b6f2573332c0729859ceb38b5b37902

      SHA256

      84ec3ca982cdbda3ff4454be520c762dc841a16eabcfe143c369bdca90726ec4

      SHA512

      cd5f4b871522f74f4e3330c41048aa3f3b578f2ef4c4e8ab5f9e92f1abce8330753b92da5ec18d96cfc106372a7104afe4c926112dfc2ce8bbc20b6503b4058d

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      66KB

      MD5

      d7601356b62960846e32b42d84ed5cc8

      SHA1

      4e08f3a2d3a3bdf9fa2769c332a62c1348059445

      SHA256

      733f563601decd2810f13bfa501225e97ff57c9882cf966c8387a5a0efd33364

      SHA512

      df6f742f79695de1041f3a2e81020ba290b3e80c117e64e46615404fa704604615319bf0727f9f2f6e3bb0f1863a4226333a9082de1f2c94a9a9cf9a7a9cf945

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      198KB

      MD5

      80670cd4af923ee42b9fd671c2ee3710

      SHA1

      32f054f68dc037ec67e544847f7da0ab631e9c2a

      SHA256

      121ca01585ba0b775476f0f82a18ee07497a1243b0813cc5539b96e894264e0c

      SHA512

      c83702b5b7a7b43bff245633541ab67589530e0379a7c745808330edb3430f07d5fd92fff093d1fc62a6adaf31ef56e1508db219eff508918a3e69fa145ded21

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

      Filesize

      425B

      MD5

      4eaca4566b22b01cd3bc115b9b0b2196

      SHA1

      e743e0792c19f71740416e7b3c061d9f1336bf94

      SHA256

      34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

      SHA512

      bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

    • C:\Users\Admin\AppData\Local\Temp\RES4BCF.tmp

      Filesize

      1KB

      MD5

      90961861148ff51035b61bc270d0499d

      SHA1

      69f9c41db4a6d9a1c9c8c3222907b66bee7b50fd

      SHA256

      a607e8bf55bc34b10bec3e5fa5db41342f8dfb4b187a5723b03951921286517d

      SHA512

      63e9b1200fbc64ad2ade5acc3053abfa998f605c8a3cd952263a8bfe6fe0760b5f7a185e1d3d252f0c1b98c4cd3397e4069084671ba93947449860efb6be7e83

    • C:\Users\Admin\AppData\Local\Temp\rx0_tnzf.dll

      Filesize

      76KB

      MD5

      3bc8f8445e46344722bf9d2aa0a896ad

      SHA1

      a228cf62fd49064d33720e5a87a7622ebed50f3a

      SHA256

      3fe6dc1cf8c7cc501be5d83d6c7e85e7aea797d6d646f4311a7260a3bc2e3879

      SHA512

      3e51f3abb0491f4f2853a1384a61181223522f0de165748cb609cd962f7e2b045547bd9d9376bbc6e35a90366330f940d6a7f13581faf8451b391012e1d39bc6

    • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

      Filesize

      9KB

      MD5

      913967b216326e36a08010fb70f9dba3

      SHA1

      7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

      SHA256

      8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

      SHA512

      c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

      Filesize

      5KB

      MD5

      ee25658b21c76273d2941e1d22d46a42

      SHA1

      9a408590703de5ec603cdd9880768e1291c7e102

      SHA256

      d6ee97f5616473b9a65a764f47c4266c7ef53c36563644494b95df19c127230d

      SHA512

      47cfdaba8b415c843342891f612905ad14ff79aea9747b72951a1e65f5eff8cd6f4f68e37358e06969bcdc63477011b68a3287ba3b48204d1f704998af2b4551

    • C:\Windows\SysWOW64\WindowsInput.exe

      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

    • C:\Windows\SysWOW64\WindowsInput.exe.config

      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC4BBE.tmp

      Filesize

      676B

      MD5

      7cc487ee0f8a84ec59a3248184fe83fe

      SHA1

      932b08a6805e146972be583c168ff8b7c66ed2e9

      SHA256

      7e9634f0f083c679bd0509510a80b7b7fb86e8fed6a9e6f988f3e9a1142c5b86

      SHA512

      bfb743238f37799806ad5268e89c2bd3d8df4e7b09aa20745f2fd65b4aaeae8c27450bd4013448c4915770ca79a5ee778d68e594701ceae36fd31b58e91440ec

    • \??\c:\Users\Admin\AppData\Local\Temp\rx0_tnzf.0.cs

      Filesize

      208KB

      MD5

      457190f349c99de86bcdbb08316bcbf8

      SHA1

      716a01c540c0b73cea241335010ef5272a3d7800

      SHA256

      3f9196d9e3f32ead068c40f8e38c844e9f7fc059adaf757af20ed93bfa7f1023

      SHA512

      4a16206798269ee168abc92f78974bab8f83f2034769b5a653bbda7f6ebd41b0b18d5b78896566f54bdf312b52825cf5c512c304469972e1f554ccc104fbcb79

    • \??\c:\Users\Admin\AppData\Local\Temp\rx0_tnzf.cmdline

      Filesize

      349B

      MD5

      78d6bc417ce7fad724ca814eb5a756ff

      SHA1

      559f7b4bce918887e95d124624bc6d31d2ef9b54

      SHA256

      81a3a0031bdc3f5296b16ee165265c32f99bf0f9733efcc287ed41de67c9578f

      SHA512

      e1a79fbaa5135f3622a9e8d4a72966b22a73f462d087f4e142840c70430f1279c8eeba7b8b796bc5400f9f9d125122030a27686e722a8a5a9dd105ed6d0d3117
