Malware Analysis Report

2025-01-22 15:08

Sample ID 240204-y2w55ahhc9
Target file.bin.zip
SHA256 2a689fee9a10c060404a966ec83ed213241573a9bc96b3758379091a00d818d4
Tags
orcus persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a689fee9a10c060404a966ec83ed213241573a9bc96b3758379091a00d818d4

Threat Level: Known bad

The file file.bin.zip was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcus

Orcus family

Orcurs Rat Executable

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 20:17

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 20:17

Reported

2024-02-04 20:20

Platform

win7-20231215-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2100 wrote to memory of 2764 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1516 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1516 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 1600 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Orcus\Orcus.exe
PID 2288 wrote to memory of 2872 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2872 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tvghrsus.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A2B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A1A.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {BA5A95B8-3CC2-44CA-84FD-37BB0CADBA5E} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2288

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2288

Network

Country Destination Domain Proto
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\tvghrsus.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\tvghrsus.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC4A1A.tmp

C:\Users\Admin\AppData\Local\Temp\tvghrsus.dll

C:\Users\Admin\AppData\Local\Temp\RES4A2B.tmp

C:\Windows\SysWOW64\WindowsInput.exe

C:\Windows\SysWOW64\WindowsInput.exe.config

C:\Program Files\Orcus\Orcus.exe

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

C:\Users\Admin\AppData\Local\Temp\Cab64BE.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 20:17

Reported

2024-02-04 20:20

Platform

win10-20231220-en

Max time kernel

149s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 652 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4724 wrote to memory of 2004 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 652 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 652 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 4488 wrote to memory of 1364 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1364 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0w64no2w.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72FE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC72FD.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 4488

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 4488

Network

Country Destination Domain Proto
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp
US 8.8.8.8:53 210.210.13.103.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\0w64no2w.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\0w64no2w.0.cs

C:\Users\Admin\AppData\Local\Temp\RES72FE.tmp

C:\Users\Admin\AppData\Local\Temp\0w64no2w.dll

\??\c:\Users\Admin\AppData\Local\Temp\CSC72FD.tmp

C:\Windows\SysWOW64\WindowsInput.exe

C:\Windows\SysWOW64\WindowsInput.exe.config

C:\Program Files\Orcus\Orcus.exe

MD5 59b8b5ecb53f10e71b44d71892cfa5f6
SHA1 1887146baaffa64c9dae672d616054b56ff10524
SHA256 be37e496f05537c59dda7f614cdaa6e64128f0f0278fcddf242e897879140649
SHA512 be0be78a8425b2c35cb59daa0f868f54f7ecb1ca87066873c7f206ffba00eb60a6c094024b1698f99f85f700f52319b53d42e9659692a6bc46deebee702e9cab

C:\Program Files\Orcus\Orcus.exe

MD5 32f505b5c4698d7c12cea203932da956
SHA1 c7d333abd546d32793acdee9fea0372a5615462a
SHA256 bc830a82b052ba7e8168a4fa13be71270911fc152f7626277bb9cfca8e80c00a
SHA512 9c8c75336aa90e59bb906d737a78c22996c512f5906f5f057963f44126cf449cc037b56937175ce969580aacbbc1313863bfc036670efd794823f952def64319

memory/4488-60-0x0000000002DE0000-0x0000000002E2E000-memory.dmp

memory/4488-59-0x0000000002DD0000-0x0000000002DE2000-memory.dmp

memory/4488-62-0x000000001B950000-0x000000001B968000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 ef91594b08b4edcad2067c33449ca995
SHA1 cbca038ba58db9d3c60b0f3fc5da13f25aa09ec3
SHA256 e109f7f574ac2b6538186d21531e7d1272115c2bf5597530d2357c94a2e4b7c9
SHA512 cdf8476f884a3f690fbead42034aa0e066b85d58bcd63f144911104e0d7de3f4f91db4920e67c0fdceed90325e5b6d0cb1861a10439cd0fef8ca5083c030db3a

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 20:17

Reported

2024-02-04 20:20

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Program Files\Orcus\Orcus.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4160 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4160 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3748 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3748 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4160 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4160 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4160 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 4160 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 3120 wrote to memory of 2940 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 3120 wrote to memory of 2940 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 3120 wrote to memory of 2940 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2940 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2940 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2940 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5lhlun0o.cmdline"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DB3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4DB2.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 3120

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 3120

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 195.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp
US 8.8.8.8:53 210.210.13.103.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 203.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\5lhlun0o.0.cs

MD5 1c51133523657fb9797b5a3dcd86e292
SHA1 fec53d42b1e142a57180b61cae1f80c2300f8407
SHA256 985dffb1e6b644064ccac128a8590cbed6cbf119964ebe3d6a396c4cd68e54be
SHA512 cafdec469dc6f5f7da4576404f9f03da2ed3b86282a80ca4dcd358d16e779bff096f298ed97e194a32a1a62402a4ad35ce2196a1f33dc470974767a02e2ccd6e

\??\c:\Users\Admin\AppData\Local\Temp\CSC4DB2.tmp

MD5 37860063532ef5ea41ec9c89543c114d
SHA1 789279fe9cf093174d6e837844deb578aa70bd55
SHA256 02f55e3db8e6f553ef0054e485e224b7305e3c99a776614f49edba97cffd1664
SHA512 1d7cf48df901b747b96ebad3d1ffe6c6721fece3889a212d2b35eed2d0e85d13566d6608718fef844ce3eacc716ced9f567dab17fff04f811c35a3cbf608e1da

C:\Users\Admin\AppData\Local\Temp\5lhlun0o.dll

MD5 d338849f33c4d8f4001909e038c3a2ff
SHA1 8b8ec6dd22cbd0038000d2af3f09a71079b3fd7b
SHA256 25ec91954d7a37256bffbe9d3b192c9e99e2c4fc007bc235dd9b59abdf716d34
SHA512 04a75139cc4cc0049e8d3aa9c6b7073cda49c6b9f96cf0b881b899f02dfe082671dad26eb1c5159dd2f6a8be057b65da71724e0affab4c8b7b9ea0ea107ac52e

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Users\Admin\AppData\Local\Temp\RES4DB3.tmp

MD5 9cdc91049a62eb0b0ca7d93d7e678d77
SHA1 a8a0dcccdd3560a515971a5fce121665594148b0
SHA256 7169942138765ed9e457f9fc335fdd6308b83649c75dddaa28671b0c604122e5
SHA512 27b380ea8099a44ef755a0b48fbed2994096b52ca072918be79537939d025cd516573b31449dce35c3b7d4c0140478911829f1817dbef52731d766b7e50177da

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

\??\c:\Users\Admin\AppData\Local\Temp\5lhlun0o.cmdline

MD5 ee2a9c253688baa62dfb0bc9f617624f
SHA1 ef378e6ffd13bbd95e644c6104825ccff677f9ff
SHA256 ed8bfb5540760ccdaf1cd06d274549e13c684c2b851a619130dcf9a63ff860bd
SHA512 4a8215a9a2ffbc3b2c59409c8db4d0d61aa804f7ddc0ed2071a1333323c10e58412f6da8500aaaa4965b1e9f26f85ad7b67b326353715a06924a17b37b0a8903

C:\Program Files\Orcus\Orcus.exe

MD5 17f3405c2a93ed6405423e35e10c6756
SHA1 91300933e6ecdbb5123c1e5820c03a21bab14781
SHA256 d92774df195c75c7caa22906075e53bcca325686de50518ab00aeef3d928066c
SHA512 0ca652dab3381acdb57456211727e46214059b827fb7a388dce7c51e4512dfd53da0fdfbb2fc287c5b037d648200b38018960dd20293e9f4628703fde54e6125

C:\Program Files\Orcus\Orcus.exe

MD5 3bd85de5e14149af07514536ae2798be
SHA1 2df51c015d17f57bd5fe62c1ad87eb6b702df8e5
SHA256 e1600a55935a63cdfd41762c8c4a7f186792359e00b6692da2274e255ee91deb
SHA512 99573a80851520582ce09fd85b6ab336dffa1f637869f32ee4ef4c809a33c64a833dc06e05c1f4c00952032ceb5ee3f0f9ab50ebfc8cbb48903e59f068d3bdd3

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

C:\Program Files\Orcus\Orcus.exe

MD5 d27820e8a8ef8ba8a4819a02d83e3747
SHA1 db61b885eac771246b26e7a12a67ec348bb10e70
SHA256 1b7083cb4e78821792aef28f1667b3f104de4efb6611301bf5f3db534ba08959
SHA512 2c383e64d6b6d6876de7738e267fdd42d931ea417b9f14afb0cd0d009fa007de81af72289d0a7b17b1fc41afad18e6047d7788a2c4cb051f7562f4affef6eda2

C:\Program Files\Orcus\Orcus.exe

MD5 ce3f7034563c490bccc6c2de62bfeaa5
SHA1 eaf37815e57356f3738b389375242eeef6e62e99
SHA256 36d4111303b09eb9e5f86d25fcbd7f5e5717b763da199315cc05f305fe9c62da
SHA512 93ae4d76f0234fa3eb5e4f5c4935bd6d20896c27b560b9efa9fac2a768373c4b37f89346c586327cd7765d85700e54809201245dd73fc1f6d39d03931ab1cd8f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 20:17

Reported

2024-02-04 20:20

Platform

win11-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-334598701-2770630493-3015612279-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 944 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 944 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4612 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4612 wrote to memory of 1436 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 944 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 944 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 944 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 944 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 2400 wrote to memory of 2092 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2400 wrote to memory of 2092 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2400 wrote to memory of 2092 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2092 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2092 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2092 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dr8--g4g.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES782E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC782D.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2400

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2400

Network

Country Destination Domain Proto
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp
US 52.111.229.48:443 tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\dr8--g4g.0.cs

MD5 ccb9306704948bc3f20bd7777769dc90
SHA1 54ceabf8801f5d36f0bc87a19c0735c52b9780c3
SHA256 4fe40981c744a18586d716d60053fdf77b5dd90834a395622a04e4d58f2cc66f
SHA512 d22613b544feb44254679990be0322acf466bf0b3e5ed4563503effdcbea3c68c886572605dee7b89e704171e65cf0b48c19300d30073c829c1ae2a14a965a50

\??\c:\Users\Admin\AppData\Local\Temp\CSC782D.tmp

MD5 2ca2f8e365f7bc5d3804db12879cb8cb
SHA1 044ff587d5bd7385f9e87efd9b6ba00a3a86288f
SHA256 80953b58a871c56349bbd8f5c961de0d0c07b8e323bf5150afdf9ddf585f653b
SHA512 c1dfbf8c3293a85265c6d36ef2dd0d37dfbac601db816adcb4f0cb77df3c0607309221cf8ea29b1b3b32bdcd70a35745b286c667a79703aba24c3bb0e4cedd67

C:\Users\Admin\AppData\Local\Temp\dr8--g4g.dll

MD5 717ece6b58e7c80c16ab7514d6b0209c
SHA1 e5961161ce13fc65b8a4f378c9cbfcd8e591b750
SHA256 a017a12a1ec094f98e6663fba31f1d073249295484c0e902b36026f16076dcd6
SHA512 56a3d8644fcacea077dbeb3c07582959cbf3853e8aa7a9f8ea99e56aafd7814ae496b15319541b8e6f58c51c6ccd13f7c6993258e95fd51a96cc66bef2c74e46

C:\Users\Admin\AppData\Local\Temp\RES782E.tmp

MD5 66fdb6422da2fc9d6926b1f5087ac71c
SHA1 a5dbb6e1f5517c02b53cca254bf3256e5b83cf2b
SHA256 c4618e7fe9fd095908eb5fa577098a1b44014658ea4733150dd45028fd9be0a9
SHA512 8e2f5e198a979064b38cd7abcff84c078f7b56ed4c89d2416a53d2ef99dd3c426992b14bdb64ae825f7e07f41cb801fd74fd27a676b34a982ec8127870784cdc

\??\c:\Users\Admin\AppData\Local\Temp\dr8--g4g.cmdline

MD5 51ffbe53b586b3b71601a92a1575f6ee
SHA1 50906e43220e3fb762db8608549a0298738ce16c
SHA256 a246207cc921c397fb757072df0cbfc67494015fc8f598ccd4bd5ffa651d018c
SHA512 052f53c6418cb282a84dd3bec14e74bfd7aa960a9e8f74b1cb189556847f334b2c22e1b3a8279654efd93e3b5d23007429d96149f39494fc5a879950f51b0fbb

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Windows\SysWOW64\WindowsInput.exe

C:\Program Files\Orcus\Orcus.exe

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log
