Malware Analysis Report

2025-01-22 15:03

Sample ID 240220-kd1xhsdg6z
Target ahk.exe
SHA256 cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82
Tags
orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82

Threat Level: Known bad

The file ahk.exe was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcurs Rat Executable

Orcus

Orcus main payload

Orcus family

Orcurs Rat Executable

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-20 08:29

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 08:29

Reported

2024-02-20 08:47

Platform

win10v2004-20231215-en

Max time kernel

12s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ahk.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A
File created | C:\Windows\System32\Data\CheckUpdate.exe | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A
File opened for modification | C:\Windows\System32\Data\CheckUpdate.exe | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A
File created | C:\Windows\System32\Data\CheckUpdate.exe.config | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ahk.exe

"C:\Users\Admin\AppData\Local\Temp\ahk.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jygdflun.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES789C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC789B.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\System32\Data\CheckUpdate.exe

"C:\Windows\System32\Data\CheckUpdate.exe"

C:\Windows\System32\Data\CheckUpdate.exe

C:\Windows\System32\Data\CheckUpdate.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 5048 /protectFile

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | centre-shaped.gl.at.ply.gg | udp
US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\jygdflun.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\jygdflun.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC789B.tmp

C:\Users\Admin\AppData\Local\Temp\RES789C.tmp

C:\Users\Admin\AppData\Local\Temp\jygdflun.dll

C:\Windows\SysWOW64\WindowsInput.exe

C:\Windows\SysWOW64\WindowsInput.exe.config

C:\Windows\System32\Data\CheckUpdate.exe

C:\Users\Admin\AppData\Roaming\svchost.exe
