Malware Analysis Report

2025-01-22 15:05

Sample ID 240204-y2x3esbhgj
Target file.bin
SHA256 a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284
Tags: orcus persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284

Threat Level: Known bad

The file file.bin was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcurs Rat Executable

Orcus

Orcus family

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 20:17

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 20:17

Reported

2024-02-04 20:20

Platform

win7-20231215-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2016 wrote to memory of 2232 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2224 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2224 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 1492 wrote to memory of 1612 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Orcus\Orcus.exe
PID 2504 wrote to memory of 2628 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2628 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1xgjy0uj.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9F6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA9F5.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B8AF6BFB-34C7-4DBF-8716-C1247186631D} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2504

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2504

Network

Country Destination Domain Proto
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\1xgjy0uj.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\1xgjy0uj.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSCA9F5.tmp

C:\Users\Admin\AppData\Local\Temp\RESA9F6.tmp

C:\Users\Admin\AppData\Local\Temp\1xgjy0uj.dll

C:\Windows\SysWOW64\WindowsInput.exe

C:\Windows\SysWOW64\WindowsInput.exe.config

C:\Program Files\Orcus\Orcus.exe

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

C:\Users\Admin\AppData\Local\Temp\CabD0D8.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 20:17

Reported

2024-02-04 20:20

Platform

win10-20231215-en

Max time kernel

151s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 660 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3500 wrote to memory of 5008 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 660 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 660 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 1436 wrote to memory of 3860 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 3860 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zqmlgxom.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9655.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9654.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1436

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 1436

Network

Country Destination Domain Proto
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp
US 8.8.8.8:53 210.210.13.103.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/660-0-0x00007FFA043A0000-0x00007FFA04D40000-memory.dmp

memory/660-1-0x00007FFA043A0000-0x00007FFA04D40000-memory.dmp

memory/660-2-0x000000001BCC0000-0x000000001BD1C000-memory.dmp

memory/660-3-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

memory/660-6-0x000000001BE60000-0x000000001BE6E000-memory.dmp

memory/660-7-0x000000001C400000-0x000000001C8CE000-memory.dmp

memory/660-8-0x000000001C8D0000-0x000000001C96C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\zqmlgxom.cmdline

MD5 1b86eae15ea283efb42c79eff5b76756
SHA1 92c4e1ffca98dad3746073ad89f6057fabd54f03
SHA256 378e463ff7fcf7a95fe24fe35fb856dffe10a5ec909d16d0ec1e573c5d379088
SHA512 d228159dc9b5489b4471d8d09e72d1fd251d643285c65ef5e33c5df204efd94a25889d1194af09d38e22e4e649747ba1bc3e69c37ba0d33beb9aece45a3daa83

\??\c:\Users\Admin\AppData\Local\Temp\zqmlgxom.0.cs

MD5 9966daafc7e31eed4a3f9a05d70dcd02
SHA1 06951b3ca40d683f6b56f7dd23d8d258cd82e8f0
SHA256 e6b85665c5f5331b88487221c841d35753d027d781b10f7857177dcc39f332cb
SHA512 e27a2e262c35669661dde1af2b78a32992aa42e5d57ab519b53140c0b168d898981228a181d2824368100744e9273b1d51864adca66dd8ddeaea94bba6c3a771

\??\c:\Users\Admin\AppData\Local\Temp\CSC9654.tmp

MD5 01bff42bacd9b7c4348b3c0a067c4b9a
SHA1 4f8f155415331821a9878f2af5f128e1bc955e3f
SHA256 887bf9bc3539f559c6496e1a6cf12c9597543569ab0fdca3463cf208c03f16fb
SHA512 d504665b698741a4180b0f8a69269ee17a0808731e9af7bfee7d61668a8c68e62c33e7f2c09456b669d2db439f447c5f333e817ce28c23457e4aafe100b4977a

memory/660-21-0x000000001CF80000-0x000000001CF96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zqmlgxom.dll

MD5 d56b34c0041ff7e8eb404a315c08edd7
SHA1 ca1c5cf68404b0d4f769aecadf2f4909d1711a04
SHA256 edae22a41e4ce178a349a1fe0d03901c9a63318f8d0c923112d50ce21005eba9
SHA512 9dd4483dc00c57f01375f515b7572a942bad0d6e5c31ba89977c19e9a2b3a3fc20e8471466855a054cd949102c276c755f5e3b0c347b5356574ec077f5a9018f

C:\Users\Admin\AppData\Local\Temp\RES9655.tmp

MD5 6b9b6e893ef5997716b26d4d3dd2a446
SHA1 a321ac34b6a8fefe3d5cb58d7f88057f5a460678
SHA256 ea065f56d442d3d0ea6461d5bc613689bbbd9d8afeac68688696a6e2e74e80ad
SHA512 d341c7902f106fd78b7b08b01dafcd6bf2049532a5a2f83ea3f233df1d9dde796a5f005e9298757b7c1a1905de8662516431e91027de12c2211786145b4662e2

memory/660-23-0x0000000002E80000-0x0000000002E92000-memory.dmp

memory/660-24-0x000000001CFC0000-0x000000001CFE0000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 20:17

Reported

2024-02-04 20:20

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Program Files\Orcus\Orcus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 324 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 324 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1632 wrote to memory of 4172 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1632 wrote to memory of 4172 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 324 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 324 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 324 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 324 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 2592 wrote to memory of 3268 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2592 wrote to memory of 3268 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 2592 wrote to memory of 3268 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 3268 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 3268 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 3268 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m4ywvehs.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC332.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC321.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2592

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2592

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 188.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp
US 8.8.8.8:53 210.210.13.103.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp

Files


Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 20:17

Reported

2024-02-04 20:20

Platform

win11-20231222-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" C:\Program Files\Orcus\Orcus.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 1164 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2780 wrote to memory of 2036 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2780 wrote to memory of 2036 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1164 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1164 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1164 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 1164 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Program Files\Orcus\Orcus.exe
PID 1832 wrote to memory of 4408 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1832 wrote to memory of 4408 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 1832 wrote to memory of 4408 N/A C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 4408 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 4408 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
PID 4408 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jngxey_p.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AC5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4AC4.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1832

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 1832

Network

Country Destination Domain Proto
US 8.8.8.8:53 obfuscated.us udp
NL 103.13.210.210:8080 obfuscated.us tcp
IE 52.111.236.22:443 tcp

Files

SHA512 9ba9798039f1dac2c9afa11f3f65d0888615cb7e2c5d559e51f6054e41f713bcc1970394d1662139e45957183851f88678380cc105e532f7d6868e89e36d5677

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log

MD5 bb27934be8860266d478c13f2d65f45e
SHA1 a69a0e171864dcac9ade1b04fc0313e6b4024ccb
SHA256 85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4
SHA512 87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

memory/1820-98-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/4408-97-0x0000000074740000-0x0000000074EF1000-memory.dmp

memory/1832-101-0x000000001D560000-0x000000001D722000-memory.dmp

memory/448-103-0x00007FFF571B0000-0x00007FFF57C72000-memory.dmp

memory/2396-104-0x00007FFF571B0000-0x00007FFF57C72000-memory.dmp

memory/2396-105-0x0000000019D90000-0x0000000019DA0000-memory.dmp

memory/1832-106-0x00007FFF571B0000-0x00007FFF57C72000-memory.dmp

memory/1832-107-0x000000001BF60000-0x000000001BF70000-memory.dmp

memory/1820-108-0x0000000074740000-0x0000000074EF1000-memory.dmp
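Two things in the Files list above matter when these entries are turned into host-hunting indicators: the same path `C:\Program Files\Orcus\Orcus.exe` is listed four times with four different hash sets (the file is rewritten during the run, so a hunt keyed on path alone or on the last hash alone misses earlier copies), and one path carries the NT object-manager prefix `\??\` that a file-system check has to strip. The Python below is an added example, not code from the sandbox report or from Orcus: it parses the list's own layout (a path line, a blank line, MD5/SHA1/SHA256/SHA512 lines, with `memory/<pid>-<n>-<start>-<end>-memory.dmp` names interleaved), keeps every hash set for a repeated path, validates digest lengths, and classifies each path on a host by SHA256. `REPORT_EXCERPT` holds three records copied from the list above; the `read` callback, the verdict labels and the function names are this example's own choices.

```python
# Added example for this report's Files list; not code from the report or from Orcus.
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Three records copied verbatim from the Files list above (the report's own values).
REPORT_EXCERPT = r"""
C:\Program Files\Orcus\Orcus.exe

MD5 4821175f5c0939a6215f3e86d60b1568
SHA1 521dae8ced8fd86b0352cfefebb3d1e0bdd9f3ce
SHA256 c1d63a301d38230577f9840e22a27f17cc99bdde668aa73007e3acf49d328d36
SHA512 bdcff2c4c13506209ab531e2f75958d0a5db92cacda7a34a8af06e1ba7200f6fe37bb211177b57d3b04172780ae870ca3053e3439eea3f07ba47d61fe7a673ad

memory/1832-67-0x00007FFF571B0000-0x00007FFF57C72000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 69953e7ea09818a5fcabf3b4e1aafc81
SHA1 455e94f3c1c314321fcb986156668a6de9ca2933
SHA256 e7a7adfdc478c4b3bcf1beafa37c07c3a5e69ef1941eff99e1229f27c9acc1a8
SHA512 033b654f6e7a84a33a107e3de6525b649c89ef2df3220d5d2fd262ed8d3efb32a06b345e7eec07d155cb106e1291c62d3e8e067fc8bf61e9dcbdd9d10345a08f

\??\c:\Users\Admin\AppData\Local\Temp\jngxey_p.cmdline

MD5 9ccd114686243dfce30cee4a26c9a7b5
SHA1 0a96f4b5382979aa709558680e5ca94a49ab5139
SHA256 e685b9a2f01c8f9b5bdf7ef72ba28750e90b2d7840d6f5a2abc3789ef0cf6b17
SHA512 98a17677b1f882df5f1c66b0f6636b0b651768ec5a47906f127d40290c7123b945051252ebc779a1afa926a01921162c8c25ded1738ed6f8b9fb699cf8ef88b5
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

@dataclass
class DroppedFile:
    path: str                                  # report path with any "\??\" prefix removed
    hashes: Dict[str, str] = field(default_factory=dict)

def parse_files_section(text: str) -> Tuple[List[DroppedFile], List[Tuple[int, int, int]]]:
    """Return (file records, memory regions as (pid, start, end)) from the report layout."""
    files, regions, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError("hash line without a preceding path: " + line)
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # rejects truncated or garbled digests
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append((int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)))
            current = None                     # a dump name closes the open record
            continue
        # Any other line is a path.  Repeated paths stay separate records: the
        # report lists Orcus.exe several times, each time with a different hash set.
        current = DroppedFile(line[4:] if line.startswith("\\??\\") else line)
        files.append(current)
    return files, regions

def sha256_by_path(files: List[DroppedFile]) -> Dict[str, List[str]]:
    """Every distinct SHA256 per path, in report order: hunt on all of them, not the last."""
    out: Dict[str, List[str]] = defaultdict(list)
    for f in files:
        d = f.hashes.get("SHA256")
        if d and d not in out[f.path]:
            out[f.path].append(d)
    return dict(out)

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hunt(files: List[DroppedFile],
         read: Optional[Callable[[str], Optional[bytes]]] = None) -> Dict[str, str]:
    """Verdict per path: 'missing', 'match' (a listed SHA256 matches) or
    'present-hash-differs' (same path, content the report did not record).
    The default reader opens the report path as-is, which is meaningful on the Windows host."""
    read = read or (lambda p: Path(p).read_bytes() if Path(p).is_file() else None)
    verdicts: Dict[str, str] = {}
    for path, digests in sha256_by_path(files).items():
        data = read(path)
        if data is None:
            verdicts[path] = "missing"
        else:
            verdicts[path] = "match" if sha256_bytes(data) in digests else "present-hash-differs"
    return verdicts

if __name__ == "__main__":
    recs, regions = parse_files_section(REPORT_EXCERPT)
    print({p: len(d) for p, d in sha256_by_path(recs).items()}, regions, hunt(recs))
```

On a host under review, feed the whole Files list to `parse_files_section` and call `hunt` with no reader; the `present-hash-differs` verdict is the one worth a second look, since a known drop location holding an unlisted binary is exactly what a rebuilt or re-obfuscated payload looks like.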