Analysis

  • max time kernel: 151s
  • max time network: 141s
  • platform: windows10-1703_x64
  • resource: win10-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
  • submitted: 04-02-2024 20:17

General

  • Target

    file.exe

  • Size

    916KB

  • MD5

    bdbe50403b411db0e07511e098bdb9ff

  • SHA1

    5772743e950c1c647a5cab202fc3cc29039e2749

  • SHA256

    a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284

  • SHA512

    9531b3c7572f07aaac342635369732b77c1df58c262e32b21327cd2ac47afe6e3042d79a6a72e30c07b03e420cd9b47b1781bc5ed875b8d7b973b480090261f9

  • SSDEEP

    24576:+cI4MROxnFD3jEsYxrZlI0AilFEvxHiH0h9:+crMiJWrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

C2

obfuscated.us:8080

Mutex

0133d229c4e24006957c0e4ab3a52531

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus main payload 3 IoCs
  • Orcurs Rat Executable 4 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:660
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zqmlgxom.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3500
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9655.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9654.tmp"
        3⤵
        PID:5008
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:4464
    • C:\Program Files\Orcus\Orcus.exe
      "C:\Program Files\Orcus\Orcus.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1436
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3860
        • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
          "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 1436
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4872
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:4492
  • C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"
    1⤵
    • Executes dropped EXE
    PID:3960

    Downloads

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      701KB

      MD5

      c7502aace3f40c45931ac7e76b5eba59

      SHA1

      0e04ae96e7de24376e32df3630708a3687c7beda

      SHA256

      034c90614f00a8490767d6dc349d14efd522b643d0f51c82d8a6f1a03b3d8531

      SHA512

      d9f08db3f7d55df54cd3d5ebb5a5e3f1941765b0217141427767f074def49ece761795edc43691fb3cd377b6d1ef134fe05814d4be2043816099b357ec0374bf

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      761KB

      MD5

      20234fb8621606f38d227cbbbc941154

      SHA1

      9bb285ec08f0e270905738df9065412c56c39fee

      SHA256

      b6b68ae3f88044046899fd71fea12e86f51bfa2325fa51dab2b84d4344979171

      SHA512

      f59e248f974c5e29ffcd6a89a70429eb1ba29a679f9e0bd325fafe028faaba11547f6d32d0abe29b6d235ff1c7459c2ef811fcfd6d45182e36034da2bd659c1f

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      443KB

      MD5

      47cfff16d366ed84f27a227ecede83dc

      SHA1

      b5dbac6e943df19438d4626adbe178368957d34a

      SHA256

      b3b1d91f5b80f95c744a30568df5017c3a4d218821711e3104755f8258f8b2ef

      SHA512

      134e938c15213f9453472472f695c420c1338e1ecf96d107087eb4154b6de83f4244588ad56cca85afec642c5cba86fe0bd3feb41136a7c457dd43b5c543376d

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

      Filesize

      425B

      MD5

      605f809fab8c19729d39d075f7ffdb53

      SHA1

      c546f877c9bd53563174a90312a8337fdfc5fdd9

      SHA256

      6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

      SHA512

      82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

    • C:\Users\Admin\AppData\Local\Temp\RES9655.tmp

      Filesize

      1KB

      MD5

      6b9b6e893ef5997716b26d4d3dd2a446

      SHA1

      a321ac34b6a8fefe3d5cb58d7f88057f5a460678

      SHA256

      ea065f56d442d3d0ea6461d5bc613689bbbd9d8afeac68688696a6e2e74e80ad

      SHA512

      d341c7902f106fd78b7b08b01dafcd6bf2049532a5a2f83ea3f233df1d9dde796a5f005e9298757b7c1a1905de8662516431e91027de12c2211786145b4662e2

    • C:\Users\Admin\AppData\Local\Temp\zqmlgxom.dll

      Filesize

      76KB

      MD5

      d56b34c0041ff7e8eb404a315c08edd7

      SHA1

      ca1c5cf68404b0d4f769aecadf2f4909d1711a04

      SHA256

      edae22a41e4ce178a349a1fe0d03901c9a63318f8d0c923112d50ce21005eba9

      SHA512

      9dd4483dc00c57f01375f515b7572a942bad0d6e5c31ba89977c19e9a2b3a3fc20e8471466855a054cd949102c276c755f5e3b0c347b5356574ec077f5a9018f

    • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

      Filesize

      9KB

      MD5

      913967b216326e36a08010fb70f9dba3

      SHA1

      7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

      SHA256

      8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

      SHA512

      c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    • C:\Windows\SysWOW64\WindowsInput.exe

      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

    • C:\Windows\SysWOW64\WindowsInput.exe.config

      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC9654.tmp

      Filesize

      676B

      MD5

      01bff42bacd9b7c4348b3c0a067c4b9a

      SHA1

      4f8f155415331821a9878f2af5f128e1bc955e3f

      SHA256

      887bf9bc3539f559c6496e1a6cf12c9597543569ab0fdca3463cf208c03f16fb

      SHA512

      d504665b698741a4180b0f8a69269ee17a0808731e9af7bfee7d61668a8c68e62c33e7f2c09456b669d2db439f447c5f333e817ce28c23457e4aafe100b4977a

    • \??\c:\Users\Admin\AppData\Local\Temp\zqmlgxom.0.cs

      Filesize

      208KB

      MD5

      9966daafc7e31eed4a3f9a05d70dcd02

      SHA1

      06951b3ca40d683f6b56f7dd23d8d258cd82e8f0

      SHA256

      e6b85665c5f5331b88487221c841d35753d027d781b10f7857177dcc39f332cb

      SHA512

      e27a2e262c35669661dde1af2b78a32992aa42e5d57ab519b53140c0b168d898981228a181d2824368100744e9273b1d51864adca66dd8ddeaea94bba6c3a771

    • \??\c:\Users\Admin\AppData\Local\Temp\zqmlgxom.cmdline

      Filesize

      349B

      MD5

      1b86eae15ea283efb42c79eff5b76756

      SHA1

      92c4e1ffca98dad3746073ad89f6057fabd54f03

      SHA256

      378e463ff7fcf7a95fe24fe35fb856dffe10a5ec909d16d0ec1e573c5d379088

      SHA512

      d228159dc9b5489b4471d8d09e72d1fd251d643285c65ef5e33c5df204efd94a25889d1194af09d38e22e4e649747ba1bc3e69c37ba0d33beb9aece45a3daa83

    • memory/660-23-0x0000000002E80000-0x0000000002E92000-memory.dmp

      Filesize

      72KB

    • memory/660-7-0x000000001C400000-0x000000001C8CE000-memory.dmp

      Filesize

      4.8MB

    • memory/660-24-0x000000001CFC0000-0x000000001CFE0000-memory.dmp

      Filesize

      128KB

    • memory/660-21-0x000000001CF80000-0x000000001CF96000-memory.dmp

      Filesize

      88KB

    • memory/660-8-0x000000001C8D0000-0x000000001C96C000-memory.dmp

      Filesize

      624KB

    • memory/660-1-0x00007FFA043A0000-0x00007FFA04D40000-memory.dmp

      Filesize

      9.6MB

    • memory/660-2-0x000000001BCC0000-0x000000001BD1C000-memory.dmp

      Filesize

      368KB

    • memory/660-3-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

      Filesize

      64KB

    • memory/660-0-0x00007FFA043A0000-0x00007FFA04D40000-memory.dmp

      Filesize

      9.6MB

    • memory/660-56-0x00007FFA043A0000-0x00007FFA04D40000-memory.dmp

      Filesize

      9.6MB

    • memory/660-6-0x000000001BE60000-0x000000001BE6E000-memory.dmp

      Filesize

      56KB

    • memory/1436-59-0x0000000002B40000-0x0000000002B8E000-memory.dmp

      Filesize

      312KB

    • memory/1436-64-0x000000001B7A0000-0x000000001B7B0000-memory.dmp

      Filesize

      64KB

    • memory/1436-89-0x000000001B800000-0x000000001B810000-memory.dmp

      Filesize

      64KB

    • memory/1436-88-0x000000001B800000-0x000000001B810000-memory.dmp

      Filesize

      64KB

    • memory/1436-87-0x00007FFA02090000-0x00007FFA02A7C000-memory.dmp

      Filesize

      9.9MB

    • memory/1436-54-0x0000000000AB0000-0x0000000000B9A000-memory.dmp

      Filesize

      936KB

    • memory/1436-85-0x000000001D0B0000-0x000000001D272000-memory.dmp

      Filesize

      1.8MB

    • memory/1436-57-0x000000001B800000-0x000000001B810000-memory.dmp

      Filesize

      64KB

    • memory/1436-55-0x00007FFA02090000-0x00007FFA02A7C000-memory.dmp

      Filesize

      9.9MB

    • memory/1436-58-0x0000000001270000-0x0000000001282000-memory.dmp

      Filesize

      72KB

    • memory/1436-67-0x000000001B800000-0x000000001B810000-memory.dmp

      Filesize

      64KB

    • memory/1436-61-0x0000000002BD0000-0x0000000002BE8000-memory.dmp

      Filesize

      96KB

    • memory/3860-73-0x00000000006B0000-0x00000000006B8000-memory.dmp

      Filesize

      32KB

    • memory/3860-78-0x0000000073750000-0x0000000073E3E000-memory.dmp

      Filesize

      6.9MB

    • memory/3860-74-0x0000000073750000-0x0000000073E3E000-memory.dmp

      Filesize

      6.9MB

    • memory/3960-62-0x00007FFA02090000-0x00007FFA02A7C000-memory.dmp

      Filesize

      9.9MB

    • memory/3960-63-0x0000000002E00000-0x0000000002E10000-memory.dmp

      Filesize

      64KB

    • memory/3960-84-0x00007FFA02090000-0x00007FFA02A7C000-memory.dmp

      Filesize

      9.9MB

    • memory/4464-35-0x0000000000AF0000-0x0000000000B02000-memory.dmp

      Filesize

      72KB

    • memory/4464-33-0x00007FFA02090000-0x00007FFA02A7C000-memory.dmp

      Filesize

      9.9MB

    • memory/4464-32-0x0000000000230000-0x000000000023C000-memory.dmp

      Filesize

      48KB

    • memory/4464-34-0x000000001ADF0000-0x000000001AE00000-memory.dmp

      Filesize

      64KB

    • memory/4464-36-0x000000001AE40000-0x000000001AE7E000-memory.dmp

      Filesize

      248KB

    • memory/4464-40-0x00007FFA02090000-0x00007FFA02A7C000-memory.dmp

      Filesize

      9.9MB

    • memory/4492-82-0x00007FFA02090000-0x00007FFA02A7C000-memory.dmp

      Filesize

      9.9MB

    • memory/4492-43-0x000000001A3A0000-0x000000001A3B0000-memory.dmp

      Filesize

      64KB

    • memory/4492-86-0x000000001A3A0000-0x000000001A3B0000-memory.dmp

      Filesize

      64KB

    • memory/4492-42-0x00007FFA02090000-0x00007FFA02A7C000-memory.dmp

      Filesize

      9.9MB

    • memory/4492-44-0x000000001A8C0000-0x000000001A9CA000-memory.dmp

      Filesize

      1.0MB

    • memory/4872-79-0x0000000073750000-0x0000000073E3E000-memory.dmp

      Filesize

      6.9MB

    • memory/4872-90-0x0000000073750000-0x0000000073E3E000-memory.dmp

      Filesize

      6.9MB