Malware Analysis Report

2024-10-24 17:07

Sample ID 240412-18rkbsac8s
Target 6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540
SHA256 6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540
Tags
orcus ligeon rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540

Threat Level: Known bad

The file 6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540 was found to be: Known bad.

Malicious Activity Summary

orcus ligeon rat spyware stealer

Orcus

Orcurs Rat Executable

Detects executables manipulated with Fody

Detects executables containing common artifacts observed in infostealers

Checks computer location settings

Deletes itself

Executes dropped EXE

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-12 22:19

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 22:19

Reported

2024-04-12 22:22

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe"

Signatures

Orcus

rat spyware stealer orcus

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1624 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1624 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1624 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1624 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1624 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1624 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1624 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1624 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1624 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\schtasks.exe
PID 1624 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\schtasks.exe
PID 1624 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\schtasks.exe
PID 1624 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\schtasks.exe
PID 1624 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2676 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2676 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2676 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2404 wrote to memory of 2484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2404 wrote to memory of 2484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2404 wrote to memory of 2484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2404 wrote to memory of 2484 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2484 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2484 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2484 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2484 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2484 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2484 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2484 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2484 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2484 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2484 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 2484 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 2484 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 2484 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 2404 wrote to memory of 1272 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2404 wrote to memory of 1272 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2404 wrote to memory of 1272 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2404 wrote to memory of 1272 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 1272 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1272 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1272 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1272 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1272 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1272 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1272 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1272 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1272 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1272 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 1272 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 1272 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 1272 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 2404 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2404 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2404 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2404 wrote to memory of 2128 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
PID 2128 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe

"C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe & exit

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -t 0

C:\Windows\system32\taskeng.exe

taskeng.exe {96B5E806-585E-401C-80B7-6426BE7EF058} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 ligeon.ddns.net udp

Files

memory/1624-0-0x0000000000CB0000-0x0000000000F5A000-memory.dmp

memory/1624-1-0x0000000000560000-0x0000000000561000-memory.dmp

memory/2968-2-0x0000000000110000-0x00000000001FA000-memory.dmp

memory/2968-4-0x0000000000110000-0x00000000001FA000-memory.dmp

memory/2968-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2968-10-0x0000000000110000-0x00000000001FA000-memory.dmp

memory/2968-11-0x0000000000110000-0x00000000001FA000-memory.dmp

memory/2968-14-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2968-15-0x0000000004DE0000-0x0000000004E20000-memory.dmp

memory/2968-16-0x0000000000300000-0x000000000030E000-memory.dmp

memory/2968-17-0x0000000000840000-0x000000000089C000-memory.dmp

memory/2968-18-0x0000000000350000-0x0000000000362000-memory.dmp

memory/2968-19-0x00000000006C0000-0x00000000006C8000-memory.dmp

memory/2968-20-0x00000000006D0000-0x00000000006E8000-memory.dmp

memory/2968-21-0x00000000008C0000-0x00000000008D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

MD5 fa7fe85c6ea94c131e0b7e88c7d0fd01
SHA1 95990b3b8ba92503d19818d005a29e436384975e
SHA256 d08f111fb5df0aa87c60ca7f4336c4fa5fcef5915f7030b0c0d673077f5b3ac7
SHA512 5ab9285394d862ad8446d7db776ac7a536c15060e46fbfe62c5b63f03ef95a347186629cc8fe761929af80be139943af41dfe186717a060ef4b44ce72ec199dd

memory/2484-24-0x0000000000E70000-0x000000000111A000-memory.dmp

memory/2968-28-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2392-27-0x0000000000090000-0x000000000017A000-memory.dmp

memory/2392-34-0x0000000000090000-0x000000000017A000-memory.dmp

memory/2392-35-0x0000000000090000-0x000000000017A000-memory.dmp

memory/2968-36-0x0000000004DE0000-0x0000000004E20000-memory.dmp

memory/2392-37-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2392-38-0x00000000047B0000-0x00000000047F0000-memory.dmp

memory/2392-39-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/1272-41-0x0000000000E70000-0x000000000111A000-memory.dmp

memory/748-51-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/748-52-0x0000000004BC0000-0x0000000004C00000-memory.dmp

memory/748-53-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2024-57-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/2024-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2024-63-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/2024-64-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/2024-65-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2024-66-0x00000000048D0000-0x0000000004910000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-12 22:19

Reported

2024-04-12 22:22

Platform

win10v2004-20240412-en

Max time kernel

154s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe"

Signatures

Orcus

rat spyware stealer orcus

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2828 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2828 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2828 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2828 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2828 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\schtasks.exe
PID 2828 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\schtasks.exe
PID 2828 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\schtasks.exe
PID 2828 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2072 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2072 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3220 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3220 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3220 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3220 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3220 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3220 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 3220 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 3220 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 4564 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4564 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4564 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4564 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4564 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4564 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 4564 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe
PID 4564 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe

"C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\6f4fe8932a9950e7ef10385b0dc250375d747a0f79c4ff83f7ea247b4154e540.exe & exit

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -t 0

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 ligeon.ddns.net udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 ligeon.ddns.net udp

Files

memory/2828-0-0x0000000000C30000-0x0000000000EDA000-memory.dmp

memory/3724-2-0x0000000000500000-0x00000000005EA000-memory.dmp

memory/2828-1-0x0000000002610000-0x0000000002611000-memory.dmp

memory/3724-7-0x0000000074510000-0x0000000074CC0000-memory.dmp

memory/3724-8-0x0000000002570000-0x0000000002580000-memory.dmp

memory/3724-9-0x0000000000C70000-0x0000000000C7E000-memory.dmp

memory/3724-10-0x0000000004A50000-0x0000000004AAC000-memory.dmp

memory/3724-11-0x0000000005180000-0x0000000005724000-memory.dmp

memory/3724-12-0x0000000004BD0000-0x0000000004C62000-memory.dmp

memory/3724-15-0x0000000004BB0000-0x0000000004BC2000-memory.dmp

memory/3724-16-0x00000000050B0000-0x00000000050B8000-memory.dmp

memory/3724-17-0x00000000050D0000-0x00000000050E8000-memory.dmp

memory/3724-18-0x0000000005A00000-0x0000000005BC2000-memory.dmp

memory/3724-19-0x0000000005150000-0x0000000005160000-memory.dmp

memory/3724-20-0x0000000005D30000-0x0000000005D3A000-memory.dmp

memory/3724-21-0x0000000074510000-0x0000000074CC0000-memory.dmp

memory/3724-22-0x0000000002570000-0x0000000002580000-memory.dmp

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe

MD5 7fdf2383de62605899eb6eef180d7c90
SHA1 024c572aa6aeb4234aa54445fc325f6d347fca3e
SHA256 2026935bb67c0de3347c28d4f713861f97d6dc9c42d89d47ebe0713d2f04f21e
SHA512 ebb11d0cf82eaa0112c7ad9da2041d8a947f7dac83782d927ad0739e746a6d59e25e2ff4f1154e4fe69bac63ae6873a555324a9e5b3be7ea635feea3e58966bd

memory/3220-24-0x0000000000AC0000-0x0000000000D6A000-memory.dmp

memory/4928-26-0x0000000000400000-0x00000000004EA000-memory.dmp

memory/4928-31-0x0000000074510000-0x0000000074CC0000-memory.dmp

memory/4928-32-0x0000000005480000-0x0000000005490000-memory.dmp

memory/4928-34-0x0000000074510000-0x0000000074CC0000-memory.dmp

memory/4564-36-0x0000000000AC0000-0x0000000000D6A000-memory.dmp

memory/3808-37-0x0000000000900000-0x00000000009EA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

MD5 0672db2ef13237d5cb85075ff4915942
SHA1 ad8b4d3eb5e40791c47d48b22e273486f25f663f
SHA256 0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519
SHA512 84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

memory/3808-43-0x0000000074510000-0x0000000074CC0000-memory.dmp

memory/3808-44-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

memory/3808-45-0x0000000074510000-0x0000000074CC0000-memory.dmp