Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system -
submitted
05-02-2024 22:31
Behavioral task
behavioral1
Sample
932cb9ca236e1e8c6740d9db01410778.exe
Resource
win7-20231215-en
General
-
Target
932cb9ca236e1e8c6740d9db01410778.exe
-
Size
924KB
-
MD5
932cb9ca236e1e8c6740d9db01410778
-
SHA1
91c9efd93a353ba556a8b0acb6ffd8557756ad37
-
SHA256
1a4284cd084b609aa03892894e379c630505b5e4b9ccfc278138d36668f4526f
-
SHA512
675e9b5e1aec3c260d80cc4db6acdc1c877692541004ab0db1df245c6dc7c1d5c7742a2026ea7ef9b13f81cc73aa1ff3d98ca90eb9cf097bf04c54df75327f42
-
SSDEEP
24576:sBB4MROxnFE3WO3XrrcI0AilFEvxHPbooR:sQMiuDXrrcI0AilFEvxHP
Malware Config
Extracted
Family
orcus
-
yes
-
C2
192.168.56.1:10134
-
1b7ce9defeb04df0a5b7ca29bd8e43e6
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
Temp\OrcusWatchdog.exe
Signatures
-
Orcus main payload 4 IoCs
resource | yara_rule
behavioral2/files/0x000600000002321c-55.dat | family_orcus
behavioral2/files/0x000600000002321c-58.dat | family_orcus
behavioral2/files/0x000600000002321c-49.dat | family_orcus
behavioral2/files/0x000600000002321c-66.dat | family_orcus
-
Orcurs Rat Executable 5 IoCs
resource | yara_rule
behavioral2/memory/4268-1-0x00000000001A0000-0x000000000028E000-memory.dmp | orcus
behavioral2/files/0x000600000002321c-55.dat | orcus
behavioral2/files/0x000600000002321c-58.dat | orcus
behavioral2/files/0x000600000002321c-49.dat | orcus
behavioral2/files/0x000600000002321c-66.dat | orcus
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | 932cb9ca236e1e8c6740d9db01410778.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | Orcus.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | OrcusWatchdog.exe
-
Executes dropped EXE 6 IoCs
pid | Process
1848 | WindowsInput.exe
1980 | WindowsInput.exe
3060 | Orcus.exe
5260 | Orcus.exe
2860 | OrcusWatchdog.exe
4120 | OrcusWatchdog.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\"" | Orcus.exe
-
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | WindowsInput.exe
File created | C:\Windows\SysWOW64\WindowsInput.exe | 932cb9ca236e1e8c6740d9db01410778.exe
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | 932cb9ca236e1e8c6740d9db01410778.exe
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Orcus\Orcus.exe | 932cb9ca236e1e8c6740d9db01410778.exe
File opened for modification | C:\Program Files (x86)\Orcus\Orcus.exe | 932cb9ca236e1e8c6740d9db01410778.exe
File created | C:\Program Files (x86)\Orcus\Orcus.exe.config | 932cb9ca236e1e8c6740d9db01410778.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3060 | Orcus.exe
4120 | OrcusWatchdog.exe
(64 process-enumeration events in total, all from these two processes)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3060 | Orcus.exe
Token: SeDebugPrivilege | 2860 | OrcusWatchdog.exe
Token: SeDebugPrivilege | 4120 | OrcusWatchdog.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3060 Orcus.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 3060 Orcus.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3060 Orcus.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description | pid | Process | procid_target
PID 4268 wrote to memory of 1848 (2 events) | 4268 | 932cb9ca236e1e8c6740d9db01410778.exe | 86
PID 4268 wrote to memory of 3060 (3 events) | 4268 | 932cb9ca236e1e8c6740d9db01410778.exe | 88
PID 3060 wrote to memory of 2860 (3 events) | 3060 | Orcus.exe | 92
PID 2860 wrote to memory of 4120 (3 events) | 2860 | OrcusWatchdog.exe | 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\932cb9ca236e1e8c6740d9db01410778.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\932cb9ca236e1e8c6740d9db01410778.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4268
  -
  C:\Windows\SysWOW64\WindowsInput.exe
    Command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1848
  -
  C:\Program Files (x86)\Orcus\Orcus.exe
    Command line: "C:\Program Files (x86)\Orcus\Orcus.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3060
    -
    C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 3060
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2860
      -
      C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 3060
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4120
-
C:\Windows\SysWOW64\WindowsInput.exe
  Command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  - Executes dropped EXE
  PID:1980
-
C:\Program Files (x86)\Orcus\Orcus.exe
  Command line: "C:\Program Files (x86)\Orcus\Orcus.exe"
  - Executes dropped EXE
  PID:5260
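The extracted config and the process tree above give everything needed to hunt for this client on other hosts: the install path under %programfiles%, the Run value name, the watchdog file name and its distinctive /launchSelfAndExit and /watchProcess command lines, and the WindowsInput.exe --install step in SysWOW64. The C2 (192.168.56.1:10134) is a private RFC 1918 address, so it identifies the analyst's lab rather than real infrastructure; the host artifacts are the usable indicators. The script below is an added example for this report, not sandbox output and not Orcus code: it derives those artifacts from the config and runs them over constructed telemetry records mirroring the report. The record shape, the function names and the assumption that %programfiles% resolved to Program Files (x86) (a 32-bit client, consistent with the "Drops file in Program Files directory" signature) are all this example's own.

```python
"""Derive host-hunting checks from the Orcus config and process tree in the report.

Added example; not part of the sandbox output and not Orcus code. ORCUS_CONFIG and
SAMPLE_EVENTS are constructed from values shown in the report; the record shape,
the function names and the %programfiles% expansion are assumptions of this example.
"""
import re

# Constructed from the "Malware Config" section of the report.
ORCUS_CONFIG = {
    "c2": "192.168.56.1:10134",
    "autostart_method": "Registry",
    "install_path": r"%programfiles%\Orcus\Orcus.exe",
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "Orcus",
    "watchdog_path": r"Temp\OrcusWatchdog.exe",
}

# Assumption: 32-bit client, so %programfiles% resolved to the (x86) directory,
# which is the path the "Drops file in Program Files directory" signature shows.
ENV = {"%programfiles%": r"C:\Program Files (x86)"}

# Watchdog invocations seen in the process tree:
#   /launchSelfAndExit "<exe>" <pid>   and   /watchProcess "<exe>" <pid>
WATCHDOG_RE = re.compile(r'/(launchSelfAndExit|watchProcess)\s+"([^"]+)"\s+(\d+)', re.I)


def expand_path(path, env=ENV):
    """Case-insensitive %var% expansion that leaves backslashes untouched."""
    for var, value in env.items():
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.I)
    return path


def derive_artifacts(cfg):
    """Host artifacts implied by the config: install exe, Run value name, watchdog name, C2."""
    exe = expand_path(cfg["install_path"])
    return {
        "install_exe": exe,
        "run_value_name": cfg["registry_keyname"],
        "task_name": cfg["taskscheduler_taskname"],
        "watchdog_name": cfg["watchdog_path"].rsplit("\\", 1)[-1],
        "c2": cfg["c2"],
    }


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def scan(events, art):
    """Return (rule, evidence) pairs for telemetry records matching the derived artifacts."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            base = _basename(ev["image"])
            m = WATCHDOG_RE.search(ev["cmdline"])
            if base == art["watchdog_name"].lower() and m:
                hits.append(("orcus_watchdog", f"{m.group(1)} {m.group(2)} pid={m.group(3)}"))
            # WindowsInput.exe --install under SysWOW64 is the helper install step from this run.
            if (base == "windowsinput.exe" and "\\syswow64\\" in ev["image"].lower()
                    and "--install" in ev["cmdline"].lower()):
                hits.append(("orcus_windowsinput_install", ev["cmdline"]))
        elif ev["type"] == "registry":
            key_ok = ev["key"].lower().endswith(
                "\\currentversion\\run\\" + art["run_value_name"].lower())
            # The Run value is written quoted; strip the quotes before comparing.
            data_ok = ev["data"].strip('"').lower() == art["install_exe"].lower()
            if key_ok and data_ok:
                hits.append(("orcus_run_key", ev["key"]))
        elif ev["type"] == "netconn" and ev["dest"] == art["c2"]:
            hits.append(("orcus_c2", ev["dest"]))
    return hits


# Constructed telemetry mirroring the report's process tree, Run-key write and C2,
# plus one benign process that must not match.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1848, "image": r"C:\Windows\SysWOW64\WindowsInput.exe",
     "cmdline": r'"C:\Windows\SysWOW64\WindowsInput.exe" --install'},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus",
     "data": r'"C:\Program Files (x86)\Orcus\Orcus.exe"'},
    {"type": "process", "pid": 2860, "image": r"C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 3060'},
    {"type": "process", "pid": 4120, "image": r"C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 3060'},
    {"type": "process", "pid": 999, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "netconn", "pid": 3060, "dest": "192.168.56.1:10134"},
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS, derive_artifacts(ORCUS_CONFIG)):
        print(f"{rule}: {evidence}")
```

The watchdog rule keys on the file name from the config plus the argument pattern rather than on the Temp path, because the path is per-user and the pair of processes (one launching, one watching the configured install path and its PID) is what makes the behaviour distinctive; if the parent of the /launchSelfAndExit instance is the installed Orcus.exe, as in the tree above, that is stronger still. The Run-key check compares the value data against the expanded install path after stripping the surrounding quotes, since the report shows the value written as a quoted string.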
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
443KB
MD5
dfedea6607f921c4a15800fc81ce5e0d
SHA1
f14a51a203598ae9a5f59d9ae2a85e69a9ccac26
SHA256
be28621395c74edf5c0af24d3a6f5808e0fa2ca38fcca06d26eac4c47c04e937
SHA512
82625f76c04aaae708429552e7f32b36af7fc6e103919e4d19f2c30868e8f0fa7bc1908b2d18ad397c2fec906e8c000a827998d702437f09cd68dd6441092168
-
Filesize
526KB
MD5
8b4db7bc35e6dba9933240036619244b
SHA1
0d3009db9f3c3c84949019a5d966f3f3f700da7d
SHA256
b033d1b5a514f995592c4780bb5e00f969497a438acc472df9364f5310fd5b6c
SHA512
8d3b961324207660d61eb7b24f9a04c77c5a746d5734bf90ff317a214e0e142c820e45fbff69e7b0b82e1630bb8899721119ccce2736f2f4c3dc09369394ff9d
-
Filesize
456KB
MD5
f53994b1e5b222caf320cb9ab9b69237
SHA1
139335cb0e41356cebfda52d81fb053615fe05fd
SHA256
b34c6bd589e4b50352ddcea73a9fd963e6706b5757c600751f7937d287e33034
SHA512
eeb47923823c7b2dd147128580b781a1500de7d4805352f101b22da57299cec88d1bfe32f6a0832a8b734c302e7184232cd40cc0c1195e67d43d3c32e3ae3531
-
Filesize
871KB
MD5
60ccd6ec2bebb17f087d2c1b81ea691f
SHA1
5ffaeb207cdc75731f35522da3e04c7416785784
SHA256
8e8e0cdf242e832dbced5213aba9e39673fba86297e9f19084e5b86c2e1b08ba
SHA512
1d0476a5c777c2d75345ec6ef84ed6450764883c17e18355b2946d2ea054865e40d9d348e89dbd429f91ec9c379ed4eca0d93d509252f5ba87a92069c250de63
-
Filesize
425B
MD5
4eaca4566b22b01cd3bc115b9b0b2196
SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
9KB
MD5
913967b216326e36a08010fb70f9dba3
SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
1KB
MD5
a69a0475d876393473d42c6965379933
SHA1
3cda454f2b705b0d13f42e0904903647f6791aec
SHA256
e2493876add1d5128f492dcdf06a1324629d9fbb0841c3419d0728a9a65e18c7
SHA512
794aa92fe0a5e4f890e72647ab2a8e2063312f1de28aaad982407c4edab9f7dc2914bb26cc90acb9f711629fe0c5e9e9c5a27a33bd633b460fb9e86b6574852d
-
Filesize
21KB
MD5
e6fcf516d8ed8d0d4427f86e08d0d435
SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
357B
MD5
a2b76cea3a59fa9af5ea21ff68139c98
SHA1
35d76475e6a54c168f536e30206578babff58274
SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad