Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-02-2024 03:19

General

  • Target

    a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe

  • Size

    916KB

  • MD5

    bdbe50403b411db0e07511e098bdb9ff

  • SHA1

    5772743e950c1c647a5cab202fc3cc29039e2749

  • SHA256

    a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284

  • SHA512

    9531b3c7572f07aaac342635369732b77c1df58c262e32b21327cd2ac47afe6e3042d79a6a72e30c07b03e420cd9b47b1781bc5ed875b8d7b973b480090261f9

  • SSDEEP

    24576:+cI4MROxnFD3jEsYxrZlI0AilFEvxHiH0h9:+crMiJWrZlI0AilFEvxHi

Malware Config

Extracted

Family

orcus

C2

obfuscated.us:8080

Mutex

0133d229c4e24006957c0e4ab3a52531

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus main payload (3 IoCs)
  • Orcurs Rat Executable (4 IoCs)
  • Executes dropped EXE (6 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in System32 directory (3 IoCs)
  • Drops file in Program Files directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (23 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe
    "C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v_rnwj6f.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC61.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC60.tmp"
        3⤵
        PID:2700
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:2704
    • C:\Program Files\Orcus\Orcus.exe
      "C:\Program Files\Orcus\Orcus.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2636
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
          "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2636
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1792
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:2732
  • C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"
    1⤵
    • Executes dropped EXE
    PID:1592
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {6F003D09-5B03-4BF8-96DC-EF18B039EFD2} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2756

Downloads

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      54KB

      MD5

      c20bff1e83762cb5cf619bf222007ea9

      SHA1

      791d8570ac2a74e49a3b011ff8264caecf703b61

      SHA256

      e78e900bd574696060b63b27a233924d1491ec610f7ab3a209d09e2c2c733a7c

      SHA512

      c12f144f662fa0575eb8a54056e401dda5ac467687002bf0daadeb4c06197a1260f85b84f82c1756d3b5bf7a670961d4ce966898af81b4ed3080ceb270e76caf

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      88KB

      MD5

      c705999739ed0db21d95ea849bb2a6a7

      SHA1

      5616da9d06f8fd0b4f75d9a3ae155310dda152be

      SHA256

      837e602008829475e9512f2da0d4a6c5f9cb161d0df6522a016f9f9697bc0fb4

      SHA512

      bda3b74d3c3c70082e9da03a655ebc748e523861960f46c357fe5ced17560925923adadb66027db755571fc5f5c1be7334683afdcedc9db323f7d7b0097658fc

    • C:\Program Files\Orcus\Orcus.exe

      Filesize

      513KB

      MD5

      3b4c984843b0ba72431e3b3f12bee682

      SHA1

      8317ce08a460cc7750808d3ce6f9d7b898b73651

      SHA256

      428e1c1668aa9cbeb5ecea55d36843cafad40d61b5fa5fb299a4b714601d211f

      SHA512

      4bc52c52096519b32f49d30a62c14d6de7b36535c3c70a9515486f4de63301dd4af53ab7976086d073addc6c60c72bf3da7a755cdc0bf55558120826c620c9a6

    • C:\Users\Admin\AppData\Local\Temp\RESC61.tmp

      Filesize

      1KB

      MD5

      dba980306593c02a7c64edc4daf945e3

      SHA1

      27c167548d8c623b24095b08c66f56876354d0f5

      SHA256

      f364ddcb471e44c8fc6cafafbedb2f2240a7f305b10e12cecb223631d13fb83a

      SHA512

      8a0fbeccd0e2564886ff1c93cc1ac1dc695b04b5b9b2eb38afbeeba5368cb9e853915b167044fd862c5e3700d5f72cbc7782c831b466dc9a8e6f965b63fcfb3e

    • C:\Users\Admin\AppData\Local\Temp\v_rnwj6f.dll

      Filesize

      76KB

      MD5

      3aca15683e3c4eb8d1b6ea0a3d3d3631

      SHA1

      aa34769ad93b0247aa3854e217e07c68e05b5111

      SHA256

      54fcb2464172c14b1e6fe6cf893a118f120886c5c50790a5fe64c1fb8435c68a

      SHA512

      fbd965906553a56769ca3e4dc4a7e9383241a6b3300be9e2d1e7be4615d893e807f6568cd04e068e2b82ac01aab15bf3fe5ca57098167b43cf1e9c39c903c29e

    • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

      Filesize

      9KB

      MD5

      913967b216326e36a08010fb70f9dba3

      SHA1

      7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

      SHA256

      8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

      SHA512

      c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    • C:\Windows\SysWOW64\WindowsInput.exe

      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

    • C:\Windows\SysWOW64\WindowsInput.exe.config

      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCC60.tmp

      Filesize

      676B

      MD5

      7b686591ec1c6ade91b6792bd418c91c

      SHA1

      55a60b9a6000702d70132d6474944f281ae86359

      SHA256

      fb2399a133544190d7f955f580d2d04943e89d761d9370f77fa503172c8f5be7

      SHA512

      f07e2b61f9cee0a0e4b200df228c8dfd00745773ff3056acc10aad8d2ea163b9ea73af0f5a0e618c7f680522d7d817a455bed55950dcdb6c9f3de6c4be951b93

    • \??\c:\Users\Admin\AppData\Local\Temp\v_rnwj6f.0.cs

      Filesize

      208KB

      MD5

      2b14ae8b54d216abf4d228493ceca44a

      SHA1

      d134351498e4273e9d6391153e35416bc743adef

      SHA256

      4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

      SHA512

      5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

    • \??\c:\Users\Admin\AppData\Local\Temp\v_rnwj6f.cmdline

      Filesize

      349B

      MD5

      fcb66f4cd88219d4470d9eb4189ca40b

      SHA1

      51e5302b1f9c629097ca43119ad3b5e4c156910c

      SHA256

      2a84aba5aca929f0067ab7ef7a9c29af59d5487f5e82d8519b46c04c3e3a513a

      SHA512

      8ba7b172c367d364e388c16bbd3e9fc9bd824305664387f740ed2992923273adec49d04b34b64c7107b51a2092551a38145d000df2b7cabae1cef3ff7d2a81a5

    • memory/1556-65-0x0000000074BC0000-0x00000000752AE000-memory.dmp

      Filesize

      6.9MB

    • memory/1556-62-0x0000000074BC0000-0x00000000752AE000-memory.dmp

      Filesize

      6.9MB

    • memory/1556-61-0x0000000000C90000-0x0000000000C98000-memory.dmp

      Filesize

      32KB

    • memory/1592-67-0x000007FEEE890000-0x000007FEEF27C000-memory.dmp

      Filesize

      9.9MB

    • memory/1592-63-0x000000001B120000-0x000000001B1A0000-memory.dmp

      Filesize

      512KB

    • memory/1592-60-0x000007FEEE890000-0x000007FEEF27C000-memory.dmp

      Filesize

      9.9MB

    • memory/1792-71-0x0000000074BC0000-0x00000000752AE000-memory.dmp

      Filesize

      6.9MB

    • memory/1792-66-0x0000000074BC0000-0x00000000752AE000-memory.dmp

      Filesize

      6.9MB

    • memory/1992-0-0x000000001AEE0000-0x000000001AF3C000-memory.dmp

      Filesize

      368KB

    • memory/1992-2-0x0000000000300000-0x000000000030E000-memory.dmp

      Filesize

      56KB

    • memory/1992-45-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1992-17-0x00000000005A0000-0x00000000005B6000-memory.dmp

      Filesize

      88KB

    • memory/1992-19-0x0000000000320000-0x0000000000332000-memory.dmp

      Filesize

      72KB

    • memory/1992-4-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

    • memory/1992-3-0x00000000020B0000-0x0000000002130000-memory.dmp

      Filesize

      512KB

    • memory/1992-1-0x000007FEF5F10000-0x000007FEF68AD000-memory.dmp

      Filesize

      9.6MB

    • memory/2636-47-0x000000001B2D0000-0x000000001B350000-memory.dmp

      Filesize

      512KB

    • memory/2636-44-0x00000000011C0000-0x00000000012AA000-memory.dmp

      Filesize

      936KB

    • memory/2636-49-0x0000000000CB0000-0x0000000000CC8000-memory.dmp

      Filesize

      96KB

    • memory/2636-48-0x0000000000C40000-0x0000000000C8E000-memory.dmp

      Filesize

      312KB

    • memory/2636-50-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

      Filesize

      64KB

    • memory/2636-46-0x000007FEEE890000-0x000007FEEF27C000-memory.dmp

      Filesize

      9.9MB

    • memory/2636-70-0x000000001B2D0000-0x000000001B350000-memory.dmp

      Filesize

      512KB

    • memory/2636-69-0x000007FEEE890000-0x000007FEEF27C000-memory.dmp

      Filesize

      9.9MB

    • memory/2704-32-0x000007FEEF280000-0x000007FEEFC6C000-memory.dmp

      Filesize

      9.9MB

    • memory/2704-27-0x00000000000E0000-0x00000000000EC000-memory.dmp

      Filesize

      48KB

    • memory/2704-28-0x000007FEEF280000-0x000007FEEFC6C000-memory.dmp

      Filesize

      9.9MB

    • memory/2704-29-0x0000000000370000-0x00000000003F0000-memory.dmp

      Filesize

      512KB

    • memory/2732-35-0x000007FEEE890000-0x000007FEEF27C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-68-0x000007FEEE890000-0x000007FEEF27C000-memory.dmp

      Filesize

      9.9MB

    • memory/2732-34-0x0000000000C40000-0x0000000000C4C000-memory.dmp

      Filesize

      48KB