Malware Analysis Report

2025-01-22 15:09

Sample ID 240212-bda7esea5z
Target 793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700
SHA256 793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700
Tags
orcus rat spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700 was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcurs Rat Executable

Orcus

Orcus family

Orcus main payload

Executes dropped EXE

Checks computer location settings

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-12 01:01

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-12 01:01

Reported

2024-02-12 01:03

Platform

win7-20231215-en

Max time kernel

6s

Max time network

6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2400 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3020 wrote to memory of 2680 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2400 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2400 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | C:\Program Files\Orcus\Orcus.exe
PID 860 wrote to memory of 2108 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\nurik.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe

"C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\31c1mhul.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F93.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1F92.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Local\Temp\nurik.exe

"C:\Users\Admin\AppData\Local\Temp\nurik.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 860

C:\Users\Admin\AppData\Local\Temp\nurik.exe

"C:\Users\Admin\AppData\Local\Temp\nurik.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 860

Network

Country | Destination | Domain | Proto
N/A | 192.168.237.51:10135 |  | tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\31c1mhul.cmdline

MD5 18de439a20ebb0d5d9562c014e39bad5
SHA1 9b4fdffb9e3996f31eb34a6cb2aff5f74b3439e3
SHA256 e6d5ce0fbf6e749e6608b73966b199c7e4179a611befd8d57463dfa1ac6b9342
SHA512 574001821c948e4ae12bbc0868b6578804ca64eededa07b9cd31f5486be65e5fc2943d71645e9ce94e0b4ecdefc8eeb8f9a595cf25347571320869a9745f603e

\??\c:\Users\Admin\AppData\Local\Temp\31c1mhul.0.cs

MD5 c555d9796194c1d9a1310a05a2264e08
SHA1 82641fc4938680519c3b2e925e05e1001cbd71d7
SHA256 ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a
SHA512 0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

\??\c:\Users\Admin\AppData\Local\Temp\CSC1F92.tmp

MD5 5fd32253cb02acef609a48710e622366
SHA1 ebaa30954f341ff2d06119f46990f9d0b25e5f5a
SHA256 80d8e41ec6114dc27d1f506e8cd28f46790fc8b0c199d95ee075d13f32aa7b97
SHA512 cad240ce2a8bbd40f1300602edc9422bc5bca822d4145c3b40ee51014b9247f3733837bff13e7beeceb2dd7568e7cb8ea53dc9fc5cb5c05d6b9a8bdacf0856f2

C:\Users\Admin\AppData\Local\Temp\RES1F93.tmp

MD5 c0e03b07910ae619682f9ef111bfd909
SHA1 39fab719ee1afb07341979c7e30b03bc59169e1d
SHA256 37534c9f0cde207e8a7a3ad193b9cdb88209eb4b20e29b53517aeae3ea638a7f
SHA512 2150cb675cdc98879a458fc5f44a726a3ea01dc269b4501b751a5b45066363f777a2386eab686b68ceda85cb2104ab7498194d3f692e89a4e7627747f6a2d67b

C:\Users\Admin\AppData\Local\Temp\31c1mhul.dll

MD5 ba4fc5b212a65465cb19b151de67e19c
SHA1 1712364bf1eea49c5cf84bb8bf5843e768cdb7c8
SHA256 928a0a0f20b54f245a6bfbd35a81fab334420b6a743b1296348a675d2582ffa8
SHA512 e507b1ddf2d7c063b13db92560eae6af9d34e7a4e17cd864eac9829eaa4e179c136826c311190af43834cd651e7492b429ac3a39cc7bbd6d05271dc3eac4fe2e

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files\Orcus\Orcus.exe

MD5 7040f9245e226db50377930434b577e1
SHA1 348bd64e4e97416282afa54cdee7cbbc1e426ce8
SHA256 2a7dfe3153ebc434d551532182e0387c552e5293d7712892eb4a8461aee9d9ec
SHA512 168d21b85656059c637afaba4dc8ec6b91065af077c6868c9933c70aebf3549d38f227efed34886f1550f2947e2f36324304e915ddb0e0d2fe60a0ec0fc31c8e

C:\Program Files\Orcus\Orcus.exe

MD5 3e04fd7395a78346599158a287111839
SHA1 f54df6a85e09c59b55232918a096d64613caf050
SHA256 793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700
SHA512 f5c3fa6d88932778da994653ee1f2d1bc57f3dfb9dfd9ca8205cae1507015c02e0205ca200c7c4a30c5e2c1b2fb108e096022e028218290495f16508afafd35a

C:\Users\Admin\AppData\Roaming\Orcus\err_afa5401f54984aaa863b79961927d3dd.dat

MD5 7adf37964ed1cd5e56907881bceafe19
SHA1 2360db91e764686232c57d0c4ede2fe1a283dbe7
SHA256 da391c480500fdfe935ae27e5c2325535be6d91c9003f51c5a1a5dd4c03f2aee
SHA512 d1e3a73fd508a76ec3ff4fc49e18e6a0461ed36ddcd54628ed120fcada5380884246be4d22becf7e7af4a56508793f5bb557424524c53c7b1888c36a8d6147b8

C:\Users\Admin\AppData\Local\Temp\nurik.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-12 01:01

Reported

2024-02-12 01:03

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Program Files\Orcus\Orcus.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nurik.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File created | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nurik.exe | N/A
N/A | N/A | C:\Program Files\Orcus\Orcus.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Orcus\Orcus.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nurik.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2596 wrote to memory of 4756 | N/A | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4756 wrote to memory of 2112 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2596 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2596 wrote to memory of 3152 | N/A | C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe | C:\Program Files\Orcus\Orcus.exe
PID 3152 wrote to memory of 1084 | N/A | C:\Program Files\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\nurik.exe
PID 1084 wrote to memory of 3344 | N/A | C:\Users\Admin\AppData\Local\Temp\nurik.exe | C:\Users\Admin\AppData\Local\Temp\nurik.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe

"C:\Users\Admin\AppData\Local\Temp\793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yuzpuuyq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES515D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC515C.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Users\Admin\AppData\Local\Temp\nurik.exe

"C:\Users\Admin\AppData\Local\Temp\nurik.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 3152

C:\Users\Admin\AppData\Local\Temp\nurik.exe

"C:\Users\Admin\AppData\Local\Temp\nurik.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 3152

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
N/A | 192.168.237.51:10135 |  | tcp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 138.91.171.81:80 |  | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
N/A | 192.168.0.200:10134 |  | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\yuzpuuyq.cmdline

MD5 5e2e7b66c50c713d6506a27181af6238
SHA1 4eee889b0143c30bfb44b75898f4fd944eac27e4
SHA256 e60cb92f146edbd7148669de88f3082c66fd77ac87d2b1bc84eb8d3b58169e65
SHA512 d3f16811f56bbde00dc6edd41d4b439b548062c427acab9b79ef54be23cf1ec7e9da2e73654716930182c65e7babaa5889a026c0a254082ce09e84b74f371e13

\??\c:\Users\Admin\AppData\Local\Temp\yuzpuuyq.0.cs

MD5 0c486b7298776b7552e2e6f43a2748b9
SHA1 83a12c2fa3b71a92390c7eaedc5231ff15a34d0a
SHA256 d2d7354311bcd1e1e401e61c9a42735bc963f8d4d1d65f97b747cf6b0f943e9e
SHA512 6826ef811b02989e122a96a06681401d5423109bc9b4c21860f161243eb646d39514cdc0602532a74b3c53aed349fa6df07665f3b9ad72c5c14353f57c6fcfe5

\??\c:\Users\Admin\AppData\Local\Temp\CSC515C.tmp

MD5 a3094e7e3dcccca11214421f98dcd975
SHA1 e06d1ded6374bdb31cc08aaf2b0bba0a3f12d545
SHA256 f4c1c8f3e9c27f7154dee691538a8986fd0a64f4853b4ffc8b93d27793004d5f
SHA512 3d92d5cacaf5ad5c4291ade8268bf73ebda542233de55cb1163b20afe63f9c65627c3a227cd9da245d2a177cd8765692a2120e4c69d95f4a578c8bed8c30d3a8

C:\Users\Admin\AppData\Local\Temp\RES515D.tmp

MD5 83fa49935677752c5232984fc5bbc22e
SHA1 fdb0530a117a6e4992309f32213d836dddb1e623
SHA256 bc07ba6cc04c21e41639794bf1cb844065b165520801c43b2fa7fcd5db3bad18
SHA512 0d9195b08a3be994db73e8b2d40ac009661b9b428c2ac8299fd4600b9f9af5cd30d0a57b6c34203399b94555f2e14c00a257e50995b11d0cb1701cb4672832af

C:\Users\Admin\AppData\Local\Temp\yuzpuuyq.dll

MD5 b693ec3618140c7a1b5e00a0b9045a22
SHA1 9911965953b45cc18e1e35d6f93964215c3ee8c8
SHA256 a3b76dcc9772a2aaed4236c5d9f185256228eddfa04f03dde9a42b0a178cc6a9
SHA512 708035b0d28a3cfb826b5cc5f54a6c65f20635e3ce6ad38194dafad050930be737710a8165aac4ea3baf27f6b3d2c3bfeca445398331b6d578f3c91d27e22da0

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Program Files\Orcus\Orcus.exe

MD5 3e04fd7395a78346599158a287111839
SHA1 f54df6a85e09c59b55232918a096d64613caf050
SHA256 793b7d5016b30ce138e55ffd2b513ccb19c8201c50c496c376df42603d12f700
SHA512 f5c3fa6d88932778da994653ee1f2d1bc57f3dfb9dfd9ca8205cae1507015c02e0205ca200c7c4a30c5e2c1b2fb108e096022e028218290495f16508afafd35a

C:\Users\Admin\AppData\Roaming\Orcus\err_afa5401f54984aaa863b79961927d3dd.dat

MD5 8bba639ced68b5ef8ab51b719361023a
SHA1 5c9706ed59af07a428f832651b3cd9f3a39f628a
SHA256 2df3e7a425fa7e63a168c3d6ee7b9ac3343a3729af4ea1d16543c797b28c9e28
SHA512 ec51ecce5014b2ef39d57138bdf77cbe4edcf334e73ff593f0dac337bb709a4302efab7b7a9f9c68c01c9a879724a2d9ea80137ff227e39dafb3cdb3a92b6327

C:\Users\Admin\AppData\Local\Temp\nurik.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nurik.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
