Analysis
max time kernel: 149s
max time network: 122s
platform: windows11-21h2_x64
resource: win11-20231215-en
resource tags: arch:x64 arch:x86 image:win11-20231215-en locale:en-us os:windows11-21h2-x64 system
submitted: 04-02-2024 20:17
Behavioral tasks
behavioral1: Sample file.exe, Resource win7-20231215-en
behavioral2: Sample file.exe, Resource win10-20231220-en
behavioral3: Sample file.exe, Resource win10v2004-20231215-en
behavioral4: Sample file.exe, Resource win11-20231215-en
General
Target: file.exe
Size: 916KB
MD5: bdbe50403b411db0e07511e098bdb9ff
SHA1: 5772743e950c1c647a5cab202fc3cc29039e2749
SHA256: a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284
SHA512: 9531b3c7572f07aaac342635369732b77c1df58c262e32b21327cd2ac47afe6e3042d79a6a72e30c07b03e420cd9b47b1781bc5ed875b8d7b973b480090261f9
SSDEEP: 24576:+cI4MROxnFD3jEsYxrZlI0AilFEvxHiH0h9:+crMiJWrZlI0AilFEvxHi
Malware Config
Extracted
orcus
obfuscated.us:8080
0133d229c4e24006957c0e4ab3a52531
autostart_method: Registry
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures

Orcus main payload (4 IoCs)
resource | yara_rule
behavioral4/files/0x000200000002a784-66.dat | family_orcus
behavioral4/files/0x000200000002a784-63.dat | family_orcus
behavioral4/files/0x000200000002a784-73.dat | family_orcus
behavioral4/files/0x000200000002a784-57.dat | family_orcus

Orcurs Rat Executable (5 IoCs)
resource | yara_rule
behavioral4/files/0x000200000002a784-66.dat | orcus
behavioral4/memory/2400-69-0x0000000000B80000-0x0000000000C6A000-memory.dmp | orcus
behavioral4/files/0x000200000002a784-63.dat | orcus
behavioral4/files/0x000200000002a784-73.dat | orcus
behavioral4/files/0x000200000002a784-57.dat | orcus

Executes dropped EXE (6 IoCs)
pid | Process
3616 | WindowsInput.exe
4792 | WindowsInput.exe
2400 | Orcus.exe
3860 | Orcus.exe
2092 | OrcusWatchdog.exe
1384 | OrcusWatchdog.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" | Orcus.exe

Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | file.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | file.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\WindowsInput.exe | file.exe
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | file.exe
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | WindowsInput.exe

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files\Orcus\Orcus.exe | file.exe
File opened for modification | C:\Program Files\Orcus\Orcus.exe | file.exe
File created | C:\Program Files\Orcus\Orcus.exe.config | file.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\assembly | file.exe
File created | C:\Windows\assembly\Desktop.ini | file.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | file.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2400 | Orcus.exe
1384 | OrcusWatchdog.exe
(all 64 entries are repeats of these two processes)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2400 | Orcus.exe
Token: SeDebugPrivilege | 2092 | OrcusWatchdog.exe
Token: SeDebugPrivilege | 1384 | OrcusWatchdog.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2400 | Orcus.exe

Suspicious use of SendNotifyMessage (1 IoCs)
pid | Process
2400 | Orcus.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 944 wrote to memory of 4612 | 944 | file.exe | 77
PID 944 wrote to memory of 4612 | 944 | file.exe | 77
PID 4612 wrote to memory of 1436 | 4612 | csc.exe | 78
PID 4612 wrote to memory of 1436 | 4612 | csc.exe | 78
PID 944 wrote to memory of 3616 | 944 | file.exe | 80
PID 944 wrote to memory of 3616 | 944 | file.exe | 80
PID 944 wrote to memory of 2400 | 944 | file.exe | 83
PID 944 wrote to memory of 2400 | 944 | file.exe | 83
PID 2400 wrote to memory of 2092 | 2400 | Orcus.exe | 82
PID 2400 wrote to memory of 2092 | 2400 | Orcus.exe | 82
PID 2400 wrote to memory of 2092 | 2400 | Orcus.exe | 82
PID 2092 wrote to memory of 1384 | 2092 | OrcusWatchdog.exe | 84
PID 2092 wrote to memory of 1384 | 2092 | OrcusWatchdog.exe | 84
PID 2092 wrote to memory of 1384 | 2092 | OrcusWatchdog.exe | 84

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 944
  signatures: Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dr8--g4g.cmdline"
    PID: 4612
    signatures: Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES782E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC782D.tmp"
      PID: 1436

  C:\Windows\SysWOW64\WindowsInput.exe
    command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    PID: 3616
    signatures: Executes dropped EXE; Drops file in System32 directory

  C:\Program Files\Orcus\Orcus.exe
    command line: "C:\Program Files\Orcus\Orcus.exe"
    PID: 2400
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WindowsInput.exe
  command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  PID: 4792
  signatures: Executes dropped EXE

C:\Program Files\Orcus\Orcus.exe
  command line: "C:\Program Files\Orcus\Orcus.exe"
  PID: 3860
  signatures: Executes dropped EXE

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
  command line: "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2400
  PID: 2092
  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    command line: "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2400
    PID: 1384
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads