Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
06-02-2024 03:19
Behavioral task
behavioral1
Sample
a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe
Resource
win10v2004-20231222-en
General
-
Target
a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe
-
Size
916KB
-
MD5
bdbe50403b411db0e07511e098bdb9ff
-
SHA1
5772743e950c1c647a5cab202fc3cc29039e2749
-
SHA256
a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284
-
SHA512
9531b3c7572f07aaac342635369732b77c1df58c262e32b21327cd2ac47afe6e3042d79a6a72e30c07b03e420cd9b47b1781bc5ed875b8d7b973b480090261f9
-
SSDEEP
24576:+cI4MROxnFD3jEsYxrZlI0AilFEvxHiH0h9:+crMiJWrZlI0AilFEvxHi
Malware Config
Extracted
orcus
obfuscated.us:8080
0133d229c4e24006957c0e4ab3a52531
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus main payload 4 IoCs
resource yara_rule behavioral2/files/0x000800000002323b-56.dat family_orcus behavioral2/files/0x000800000002323b-65.dat family_orcus behavioral2/files/0x000800000002323b-62.dat family_orcus behavioral2/files/0x000800000002323b-72.dat family_orcus -
Orcurs Rat Executable 5 IoCs
resource yara_rule behavioral2/files/0x000800000002323b-56.dat orcus behavioral2/files/0x000800000002323b-65.dat orcus behavioral2/files/0x000800000002323b-62.dat orcus behavioral2/memory/2680-68-0x00000000005B0000-0x000000000069A000-memory.dmp orcus behavioral2/files/0x000800000002323b-72.dat orcus -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation Orcus.exe Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation OrcusWatchdog.exe Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe -
Executes dropped EXE 6 IoCs
pid Process 1152 WindowsInput.exe 2324 WindowsInput.exe 2680 Orcus.exe 4364 Orcus.exe 832 OrcusWatchdog.exe 1280 OrcusWatchdog.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\"" Orcus.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe File opened for modification C:\Windows\assembly\Desktop.ini a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\WindowsInput.exe a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe File created C:\Windows\SysWOW64\WindowsInput.exe.config a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe File created C:\Windows\SysWOW64\WindowsInput.InstallState WindowsInput.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files\Orcus\Orcus.exe a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe File opened for modification C:\Program Files\Orcus\Orcus.exe a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe File created C:\Program Files\Orcus\Orcus.exe.config a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\assembly\Desktop.ini a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe File opened for modification C:\Windows\assembly a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe File created C:\Windows\assembly\Desktop.ini a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1280 OrcusWatchdog.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 2680 Orcus.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe 2680 Orcus.exe 1280 OrcusWatchdog.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 832 OrcusWatchdog.exe Token: SeDebugPrivilege 1280 OrcusWatchdog.exe Token: SeDebugPrivilege 2680 Orcus.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2680 Orcus.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2680 Orcus.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 4040 wrote to memory of 1844 4040 a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe 86 PID 4040 wrote to memory of 1844 4040 a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe 86 PID 1844 wrote to memory of 5076 1844 csc.exe 87 PID 1844 wrote to memory of 5076 1844 csc.exe 87 PID 4040 wrote to memory of 1152 4040 a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe 88 PID 4040 wrote to memory of 1152 4040 a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe 88 PID 4040 wrote to memory of 2680 4040 a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe 90 PID 4040 wrote to memory of 2680 4040 a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe 90 PID 2680 wrote to memory of 832 2680 Orcus.exe 93 PID 2680 wrote to memory of 832 2680 Orcus.exe 93 PID 2680 wrote to memory of 832 2680 Orcus.exe 93 PID 832 wrote to memory of 1280 832 OrcusWatchdog.exe 95 PID 832 wrote to memory of 1280 832 OrcusWatchdog.exe 95 PID 832 wrote to memory of 1280 832 OrcusWatchdog.exe 95 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe"C:\Users\Admin\AppData\Local\Temp\a758763a7fb30398cbdab370be24c389a1927fb376772fcb31f4017ca942a284.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4040 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1czizdxl.cmdline"2⤵
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54F7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC54F6.tmp"3⤵PID:5076
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152
-
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 26803⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 26804⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
PID:2324
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"1⤵
- Executes dropped EXE
PID:4364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
391KB
MD547762042c5aa2d592308ad42713b491a
SHA1429329a90b36fa500d6849167fc87f9bdf0a2144
SHA256059bb4329da629cd52210265abbb05ad356c1911cf2c9624801bdbb99734d713
SHA5123751a3321be43d92086df8fac3587db483f7eabe97f838f87b23fa8ebb896c2d4764bb1e265a092784d9fc1301339efcb5f65425f9fd03cc2cb6cac9a0d06f1e
-
Filesize
217KB
MD5de4f011cac5e5cca525735c0cf19b75f
SHA17d9440464d1c85cf7adc7a2b8e19b3b5d5b2efa4
SHA256767d6e358ea50c63f49aceadd7664010069c321f73d9b61ea7d4c293e8cd5793
SHA51284612b663c5351f748591549baa4b505355f6976d080bbfd25e442fbdf4a8c94d35de6cbf2d01a9012e09fa018cddc2e4d601270e1b27d1f34fd6322de75451d
-
Filesize
216KB
MD516c76b56eba386c7449f918e0c32d9a7
SHA154b54afbfe6028aa8c0776a80d318d423533604c
SHA256bdb97088a355dc2bcb80128f066c23fda038366522e4060d408258f6badb4381
SHA5120169513ba8db048a66ddb5c3aa294282fa7591817e65374a592e3341020e2c7aaf9005841cbbd93ea37a3b04307e7ad61c17877af016c5397446ad95d0aa7ebb
-
Filesize
199KB
MD5453f7e4d8361011ab8bd9862a699baf9
SHA136a809b6e4a0e2d4b0cf6ea612201b9519883b21
SHA2563e24007b45ba07caad6ce50d36f018d39c00c72e63e0ba294e2883a5e367a85e
SHA51258a909803351c54aa2b0fec3a96cbcbc11e4e2e2f16fd98a5521ea094b560a1e4c9c261f6ac4ee1a6170727eae9a6ab787c796858f5bca5d737fc98046dbd831
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
76KB
MD53c93720aac3f691a5089dcf42e0d3b05
SHA1d41009296d612e33e48d2eec5e1209da8fa508eb
SHA2566792cb2838e50aff66d1bce236bd219915728c206f1b959eecffc2e06607b9e7
SHA51268d530d59002436753e8353887a1c02906b5f791115d29ef2beb1abc3907c9e66908937617e2629d8e3a7dd37543b91120a1a2589f95e4bd39fb37bcc9280df9
-
Filesize
1KB
MD55a9f1059cf02252db22710e92a3df00d
SHA1ee9b74576b40d3f8b9d8a9fdeb72193da41f97c0
SHA2565905218e7199e4b8d4ac15f22b29f78dc63431e6457f5c14081c21b342322d89
SHA5126ef22001d04777867dbedd262bdd69a6aec03752bae85d44743d0f8b8d08d4cf63d76a26db42c370b9b65192ede92f635c0fd627f8a148f02f62ec85ac6eb64a
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
21KB
MD5e6fcf516d8ed8d0d4427f86e08d0d435
SHA1c7691731583ab7890086635cb7f3e4c22ca5e409
SHA2568dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
208KB
MD53311d4c7ce60d3f026d3a46566efb616
SHA186d54f8e98fde711a34235ee59dd2a9452ff0ad7
SHA2568919c9c518f7e06a63f878128142f23b4c6508d17233b271ef8f428dc0019f14
SHA5125640ac4cd9b192b41d2283030c4c2b04061ecdd4a0eb153b9aff41267b0b184996553c7f5f5e28fd6cb711e4c6871e8e37fe73d44bd960995c5536705987986d
-
Filesize
349B
MD51af98284600f36e5183aaa7bf7cc5bc8
SHA116e9ee9ea433ea551b6a77ca37534c4d43d306d2
SHA256b9fe93fe272b84da08a68c7eb9012737d90b1166975d27e8d8b25176d534a67d
SHA51208fa13ca1bbde3509b5ccad8639414d2519e320f6cdab54c89d8eef9bf768b95091fe91d0b1b460b5ee02015b8058da3deeaa3144f615e3db4d0871328455f25
-
Filesize
676B
MD5b86b55ee570e968955b90d041d070d5e
SHA1b3bd6d4892f63959d794a6d50d3380098745aeed
SHA256eb0308cac4533eec1f1cc560a75505d7bbefa465f0dd37fee5e3be1c5e530096
SHA5129ffba8b018a252f036ec56e239ddb0bcb49cd6a2e4f66cadaf420b69f0b858c65b11103ad9dbc7ed7b60c1fbdf5d2482afae3ba0559159f9f7e3a2883a52c46e