Malware Analysis Report

2024-10-24 17:07

Sample ID 240412-b26y1abe95
Target c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d
SHA256 c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d
Tags
orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d

Threat Level: Known bad

The file c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcurs Rat Executable

Orcus

Orcus family

Executes dropped EXE

Checks computer location settings

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-12 01:39

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-12 01:39

Reported

2024-04-12 01:42

Platform

win7-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Orcus\Orcus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe C:\Program Files\Orcus\Orcus.exe
PID 2920 wrote to memory of 2380 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\system32\rundll32.exe
PID 2380 wrote to memory of 2472 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2920 wrote to memory of 2556 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\system32\rundll32.exe
PID 2556 wrote to memory of 1624 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2920 wrote to memory of 2640 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\system32\rundll32.exe
PID 2640 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2920 wrote to memory of 1748 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\system32\rundll32.exe
PID 1748 wrote to memory of 2144 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2920 wrote to memory of 924 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\system32\rundll32.exe
PID 924 wrote to memory of 844 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2920 wrote to memory of 2236 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\system32\rundll32.exe
PID 2236 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2920 wrote to memory of 768 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\system32\rundll32.exe
PID 768 wrote to memory of 1436 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2920 wrote to memory of 1752 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\system32\rundll32.exe
PID 1752 wrote to memory of 1140 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2920 wrote to memory of 2092 N/A C:\Program Files\Orcus\Orcus.exe C:\Windows\system32\rundll32.exe
PID 2092 wrote to memory of 1612 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe

"C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

The sandbox recorded 23 instances of the following rundll32.exe / AcroRd32.exe process pair:

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\kate_is_famous_holy_fuck

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\kate_is_famous_holy_fuck"

Network

Country Destination Domain Proto
N/A 192.168.15.12:4782 tcp
US 8.8.8.8:53 loocarpoint.duckdns.org udp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp
N/A 192.168.15.12:4782 tcp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp
N/A 192.168.15.12:4782 tcp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp
N/A 192.168.15.12:4782 tcp
US 8.8.8.8:53 loocarpoint.duckdns.org udp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp
N/A 192.168.15.12:4782 tcp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp
N/A 192.168.15.12:4782 tcp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp

Files

memory/2876-0-0x0000000000380000-0x000000000067A000-memory.dmp

memory/2876-1-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/2876-2-0x000000001B490000-0x000000001B510000-memory.dmp

memory/2876-3-0x0000000000770000-0x00000000007CC000-memory.dmp

memory/2876-4-0x00000000002B0000-0x00000000002BE000-memory.dmp

memory/2876-5-0x0000000000370000-0x0000000000382000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 fb9c101e7ee4206d46e76123f639194c
SHA1 5e83980f211ed8882cdbda90b374689d582e6cda
SHA256 c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d
SHA512 60c3f32a31ed8d83aa1d915ed0ee0accffe8a6e3e88accc5037334f499e0ce02313a20dba9236261ab1fbe56c6c5836cdab51545c0d7668b941af27f6031ca74

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2876-13-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/2920-14-0x0000000000E80000-0x000000000117A000-memory.dmp

memory/2920-15-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/2920-16-0x000000001B2E0000-0x000000001B360000-memory.dmp

memory/2920-17-0x0000000000470000-0x0000000000482000-memory.dmp

memory/2920-18-0x0000000000480000-0x0000000000498000-memory.dmp

memory/2920-19-0x00000000004A0000-0x00000000004B0000-memory.dmp

memory/2920-22-0x000000001B2E0000-0x000000001B360000-memory.dmp

C:\Users\Admin\AppData\Roaming\kate_is_famous_holy_fuck

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 11e39cdf6827564b1955cc06c1888b20
SHA1 3b730e1b94249c0163559434213d3725df218c6f
SHA256 adb150517a689809ab4f15417b7563d8e7423683e3533de5ef7d5a5a0f1b045d
SHA512 12d74159fdad470ac8068dfce31982f6030e59af7ff4604239ac814e0936743cd63d10f8b04b03de553944cd2f21e76d76b5e199be882ad25ef6c0dcb660b521

memory/2920-42-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2920-44-0x000000001B2E0000-0x000000001B360000-memory.dmp

memory/2920-45-0x000000001B2E0000-0x000000001B360000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-12 01:39

Reported

2024-04-12 01:42

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Orcus\Orcus.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe N/A
File opened for modification C:\Program Files\Orcus\Orcus.exe C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe N/A
File created C:\Program Files\Orcus\Orcus.exe.config C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Program Files\Orcus\Orcus.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe

"C:\Users\Admin\AppData\Local\Temp\c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d.exe"

C:\Program Files\Orcus\Orcus.exe

"C:\Program Files\Orcus\Orcus.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
N/A 192.168.15.12:4782 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 loocarpoint.duckdns.org udp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp
N/A 192.168.15.12:4782 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp
N/A 192.168.15.12:4782 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp
N/A 192.168.15.12:4782 tcp
US 8.8.8.8:53 loocarpoint.duckdns.org udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp
N/A 192.168.15.12:4782 tcp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp
N/A 192.168.15.12:4782 tcp
BR 179.98.117.214:4782 loocarpoint.duckdns.org tcp

Files

memory/5012-0-0x0000016D21710000-0x0000016D21A0A000-memory.dmp

memory/5012-1-0x0000016D3BFE0000-0x0000016D3C03C000-memory.dmp

memory/5012-2-0x0000016D21DA0000-0x0000016D21DAE000-memory.dmp

memory/5012-3-0x00007FFCF2250000-0x00007FFCF2D11000-memory.dmp

memory/5012-4-0x0000016D3BFD0000-0x0000016D3BFE0000-memory.dmp

memory/5012-5-0x0000016D21DF0000-0x0000016D21E02000-memory.dmp

C:\Program Files\Orcus\Orcus.exe

MD5 fb9c101e7ee4206d46e76123f639194c
SHA1 5e83980f211ed8882cdbda90b374689d582e6cda
SHA256 c9e013f2006038b22d258f6d487afab62029c5d0c71a7ce8af85ae4ac00a444d
SHA512 60c3f32a31ed8d83aa1d915ed0ee0accffe8a6e3e88accc5037334f499e0ce02313a20dba9236261ab1fbe56c6c5836cdab51545c0d7668b941af27f6031ca74

C:\Program Files\Orcus\Orcus.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/5012-21-0x00007FFCF2250000-0x00007FFCF2D11000-memory.dmp

memory/1684-20-0x00007FFCF2250000-0x00007FFCF2D11000-memory.dmp

memory/1684-22-0x00000269CA0B0000-0x00000269CA0C0000-memory.dmp

memory/1684-23-0x00000269CA1C0000-0x00000269CA1D2000-memory.dmp

memory/1684-24-0x00000269CA440000-0x00000269CA458000-memory.dmp

memory/1684-25-0x00000269CA460000-0x00000269CA470000-memory.dmp

memory/1684-29-0x00007FFCF2250000-0x00007FFCF2D11000-memory.dmp

memory/1684-30-0x00000269CA0B0000-0x00000269CA0C0000-memory.dmp