Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-04-2024 20:29

General

  • Target

    3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe

  • Size

    3.0MB

  • MD5

    1b66599aa9ddba22025c964377d96c81

  • SHA1

    b30de57756593f95ba50dd0b5f730b7140ccb9f3

  • SHA256

    3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf

  • SHA512

    f3d13953d388d3422a8fcbf5fe3fe391ec441d4ff69b58476698dcdabaf83a3681ad5f91c5ac9c80d12a3fe084f7073341c0cef5bccae84906bf28bc5cb4d088

  • SSDEEP

    24576:EWGn+oM55q4cYG8OYi1rr8ZoLRW+ghjpIADhL25AzbAWWCZrMui9v/4bliB6y3/x:Ta1ffeR2Ez+YOL2lid8pKCqMtW

Malware Config

Extracted

Family

orcus

C2

mrgrayhat.duckdns.org:1606

Mutex

b3b6a52907b341e1845d276e770a3415

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Detects executables containing common artifacts observed in infostealers (1 IoCs)
  • Detects executables manipulated with Fody (1 IoCs)
  • Orcurs Rat Executable (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe
    "C:\Users\Admin\AppData\Local\Temp\3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Roaming\vhhcxsdhbrf34568v0924b87tr\ ncbxkzvgnrio578435794\3.5.6.7\Q-Dir_Installer_UC.exe
      "C:\Users\Admin\AppData\Roaming\vhhcxsdhbrf34568v0924b87tr\ ncbxkzvgnrio578435794\3.5.6.7\Q-Dir_Installer_UC.exe"
      2⤵
      • Executes dropped EXE
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\vhhcxsdhbrf34568v0924b87tr\ ncbxkzvgnrio578435794\3.5.6.7\Q-Dir_Installer_UC.exe

    Filesize

    984KB

    MD5

    95bbd05263acfcefcdc78457bc59c86d

    SHA1

    0c504d02086041d993ec08d3346531f8b466cd65

    SHA256

    26199e48d49e465f7055b45d3b9e77dfef73427984821b423a1f7c7fcf79905c

    SHA512

    d6f8b4dd8288d873fcb6421536fdd7ff602b1e553e9671b77845ca845f8fb9cdaacd7c3bd544d10c0d109a64e2ea36c7c4e90189c613a435e80f29834607ed15

  • memory/1728-0-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

  • memory/1728-1-0x0000000000390000-0x0000000000410000-memory.dmp

    Filesize

    512KB

  • memory/1728-2-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

  • memory/1728-4-0x0000000000390000-0x0000000000410000-memory.dmp

    Filesize

    512KB

  • memory/1728-3-0x0000000000390000-0x0000000000410000-memory.dmp

    Filesize

    512KB

  • memory/1728-10-0x000000001BDC0000-0x000000001BEA8000-memory.dmp

    Filesize

    928KB

  • memory/1728-11-0x0000000000390000-0x0000000000410000-memory.dmp

    Filesize

    512KB

  • memory/1728-13-0x000007FEF6240000-0x000007FEF6BDD000-memory.dmp

    Filesize

    9.6MB

  • memory/1728-14-0x0000000000390000-0x0000000000410000-memory.dmp

    Filesize

    512KB