Analysis
max time kernel: 150s
max time network: 141s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 04-02-2024 20:17
Behavioral tasks
- behavioral1: sample file.exe, resource win7-20231215-en
- behavioral2: sample file.exe, resource win10-20231215-en
- behavioral3: sample file.exe, resource win10v2004-20231215-en
- behavioral4: sample file.exe, resource win11-20231222-en
General
Target: file.exe
Size: 916KB
MD5: bdbe50403b411db0e07511e098bdb9ff
SHA1: 5772743e950c1c647a5cab202fc3cc29039e2749
SHA256: a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284
SHA512: 9531b3c7572f07aaac342635369732b77c1df58c262e32b21327cd2ac47afe6e3042d79a6a72e30c07b03e420cd9b47b1781bc5ed875b8d7b973b480090261f9
SSDEEP: 24576:+cI4MROxnFD3jEsYxrZlI0AilFEvxHiH0h9:+crMiJWrZlI0AilFEvxHi
Malware Config
Extracted
orcus
obfuscated.us:8080
0133d229c4e24006957c0e4ab3a52531
autostart_method: Registry
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures

Orcus main payload 2 IoCs
resource | yara_rule
- behavioral1/files/0x00090000000167c9-42.dat | family_orcus
- behavioral1/files/0x00090000000167c9-44.dat | family_orcus

Orcurs Rat Executable 3 IoCs
resource | yara_rule
- behavioral1/files/0x00090000000167c9-42.dat | orcus
- behavioral1/files/0x00090000000167c9-44.dat | orcus
- behavioral1/memory/2504-47-0x00000000009A0000-0x0000000000A8A000-memory.dmp | orcus

Executes dropped EXE 6 IoCs
pid | Process
- 2820 | WindowsInput.exe
- 2660 | WindowsInput.exe
- 2504 | Orcus.exe
- 1612 | Orcus.exe
- 2628 | OrcusWatchdog.exe
- 2172 | OrcusWatchdog.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" | Orcus.exe

Drops file in System32 directory 3 IoCs
description | ioc | Process
- File created | C:\Windows\SysWOW64\WindowsInput.exe | file.exe
- File created | C:\Windows\SysWOW64\WindowsInput.exe.config | file.exe
- File created | C:\Windows\SysWOW64\WindowsInput.InstallState | WindowsInput.exe

Drops file in Program Files directory 3 IoCs
description | ioc | Process
- File created | C:\Program Files\Orcus\Orcus.exe | file.exe
- File opened for modification | C:\Program Files\Orcus\Orcus.exe | file.exe
- File created | C:\Program Files\Orcus\Orcus.exe.config | file.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
- 2504 | Orcus.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
- 2504 | Orcus.exe
- 2172 | OrcusWatchdog.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 2504 | Orcus.exe
- Token: SeDebugPrivilege | 2628 | OrcusWatchdog.exe
- Token: SeDebugPrivilege | 2172 | OrcusWatchdog.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
- 2504 | Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
- 2504 | Orcus.exe

Suspicious use of WriteProcessMemory 23 IoCs
description | pid | Process | procid_target
- PID 2224 wrote to memory of 2016 | 2224 | file.exe | 28
- PID 2224 wrote to memory of 2016 | 2224 | file.exe | 28
- PID 2224 wrote to memory of 2016 | 2224 | file.exe | 28
- PID 2016 wrote to memory of 2232 | 2016 | csc.exe | 30
- PID 2016 wrote to memory of 2232 | 2016 | csc.exe | 30
- PID 2016 wrote to memory of 2232 | 2016 | csc.exe | 30
- PID 2224 wrote to memory of 2820 | 2224 | file.exe | 31
- PID 2224 wrote to memory of 2820 | 2224 | file.exe | 31
- PID 2224 wrote to memory of 2820 | 2224 | file.exe | 31
- PID 2224 wrote to memory of 2504 | 2224 | file.exe | 33
- PID 2224 wrote to memory of 2504 | 2224 | file.exe | 33
- PID 2224 wrote to memory of 2504 | 2224 | file.exe | 33
- PID 1492 wrote to memory of 1612 | 1492 | taskeng.exe | 35
- PID 1492 wrote to memory of 1612 | 1492 | taskeng.exe | 35
- PID 1492 wrote to memory of 1612 | 1492 | taskeng.exe | 35
- PID 2504 wrote to memory of 2628 | 2504 | Orcus.exe | 36
- PID 2504 wrote to memory of 2628 | 2504 | Orcus.exe | 36
- PID 2504 wrote to memory of 2628 | 2504 | Orcus.exe | 36
- PID 2504 wrote to memory of 2628 | 2504 | Orcus.exe | 36
- PID 2628 wrote to memory of 2172 | 2628 | OrcusWatchdog.exe | 37
- PID 2628 wrote to memory of 2172 | 2628 | OrcusWatchdog.exe | 37
- PID 2628 wrote to memory of 2172 | 2628 | OrcusWatchdog.exe | 37
- PID 2628 wrote to memory of 2172 | 2628 | OrcusWatchdog.exe | 37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 2224
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1xgjy0uj.cmdline"
    PID: 2016
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9F6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA9F5.tmp"
      PID: 2232
  - C:\Windows\SysWOW64\WindowsInput.exe
    Command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    PID: 2820
    - Executes dropped EXE
    - Drops file in System32 directory
  - C:\Program Files\Orcus\Orcus.exe
    Command line: "C:\Program Files\Orcus\Orcus.exe"
    PID: 2504
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      Command line: "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2504
      PID: 2628
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        Command line: "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2504
        PID: 2172
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WindowsInput.exe
  Command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  PID: 2660
  - Executes dropped EXE
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B8AF6BFB-34C7-4DBF-8716-C1247186631D} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
  PID: 1492
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Orcus\Orcus.exe
    Command line: "C:\Program Files\Orcus\Orcus.exe"
    PID: 1612
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 256KB
  MD5: 08d7b239c7a93100e8a3e2a29f4aac8a
  SHA1: d5994253fa0ea5cf6dfa1c30365a244d0386deb3
  SHA256: c590ca079cb95e34f9756296876e3579ab17239338fd4306afbeab75a4133059
  SHA512: 495ae5ee2d9794557f5153da95d89ebda5f16e396a2eea4470169d1e11f0dbe43d900512e5cfe2bb1a663f3d82a4fd720504f1806610d66b2bdacce5365e92a2
- Filesize: 916KB
  MD5: bdbe50403b411db0e07511e098bdb9ff
  SHA1: 5772743e950c1c647a5cab202fc3cc29039e2749
  SHA256: a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284
  SHA512: 9531b3c7572f07aaac342635369732b77c1df58c262e32b21327cd2ac47afe6e3042d79a6a72e30c07b03e420cd9b47b1781bc5ed875b8d7b973b480090261f9
- Filesize: 76KB
  MD5: ce9fd353e17d3c7d44284156dc6be93d
  SHA1: 6cba99c96d890547161d7897190caba6239eca35
  SHA256: 2f52fb93e54f11a494d67b3d0c93fc4d5efd4d74c4d5634aa2a25330b4bcc764
  SHA512: 952a5c3abde0929a4975b1ebb341682a3b74ac9377a948bea55e32dc9c15d4845c5d2b5219c9d628bade30de5857333223db386cebe39add5c0289e77f0f470b
- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- Filesize: 1KB
  MD5: 0898d958ec474f3e22db11ac130a926b
  SHA1: 36cfb023971319b587b05c6761f5d4be5d1a1b08
  SHA256: abb5c171bcabbf9243cfae3a44b9a2d87d46a22d5afd5d69d18b7cb2f0ea4f8b
  SHA512: 1b7d12fcd32b8ae7002629090436f21825907c41907a6a7bc37a5af3c17c5390ff7c0fad1e9b315034f865d2fdeae7b622c255a7a152fe414bedb12a9c4c6dbc
- Filesize: 9KB
  MD5: 913967b216326e36a08010fb70f9dba3
  SHA1: 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
  SHA256: 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
  SHA512: c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
- Filesize: 21KB
  MD5: e6fcf516d8ed8d0d4427f86e08d0d435
  SHA1: c7691731583ab7890086635cb7f3e4c22ca5e409
  SHA256: 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
  SHA512: c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
- Filesize: 357B
  MD5: a2b76cea3a59fa9af5ea21ff68139c98
  SHA1: 35d76475e6a54c168f536e30206578babff58274
  SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
  SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
- Filesize: 208KB
  MD5: 568d7ffc9a98566be8af1fa2176dac14
  SHA1: 92315df4d98746cb07ea146ee10edebd29991398
  SHA256: d9dbebd739a0e72993b7fa7537c8e9cb18937dd932ddc689965ba532d1cd89bd
  SHA512: 0f2db73015bdb6d337673ed802c1e86b2f089083f502c2fe44bbe31fbeb015f59e6a751ce2897e64e9b126b95b686395699a9e0976838fafe1eb9e6ddc2a0626
- Filesize: 349B
  MD5: 3bbc072d2fc040d28e8476090630f73a
  SHA1: 63d30dca24e387258ae48255f98ffdf94e8bc0b2
  SHA256: f78db59a6b092acfbb3bea059464c73b7e16a891b85975dbd82fb4b202253813
  SHA512: 82c15b4f94b1982760c879d9eb0b3931c9b1ef37611ae55330ad20b8bc9d8a23ba3634aa79e8dc0a4552554a8c02d28c1864339fc2d3eb15dd6d994f02c1fc81
- Filesize: 676B
  MD5: 81b9ccd9901cad888236050e722562e6
  SHA1: 7b091c63b47a47e217b42beb5a5ddd07eab8aadc
  SHA256: b674b16ab648f3f969e9ca74b26a23a1325ab662d45e86a899257f3760bd1bdb
  SHA512: c85196bacf12398b6d84ce7181cc2cdbb2100e9f264bd5983e36fb8bbb3ea0903d3f6a5990d6f0108f45908ce3b0e8267a83b3c661d1b143c1ef6239bd92defe