Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-04-2024 20:29

General

  • Target

    3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe

  • Size

    3.0MB

  • MD5

    1b66599aa9ddba22025c964377d96c81

  • SHA1

    b30de57756593f95ba50dd0b5f730b7140ccb9f3

  • SHA256

    3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf

  • SHA512

    f3d13953d388d3422a8fcbf5fe3fe391ec441d4ff69b58476698dcdabaf83a3681ad5f91c5ac9c80d12a3fe084f7073341c0cef5bccae84906bf28bc5cb4d088

  • SSDEEP

    24576:EWGn+oM55q4cYG8OYi1rr8ZoLRW+ghjpIADhL25AzbAWWCZrMui9v/4bliB6y3/x:Ta1ffeR2Ez+YOL2lid8pKCqMtW

Malware Config

Extracted

Family

orcus

C2

mrgrayhat.duckdns.org:1606

Mutex

b3b6a52907b341e1845d276e770a3415

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a .NET Remote Access Trojan sold on underground forums. The Fody signature below is consistent with a .NET build: Fody is a .NET assembly weaver, commonly used to embed dependencies into a single executable.

  • Detects executables containing common artifacts observed in infostealers (1 IoC)
  • Detects executables manipulated with Fody (1 IoC)
  • Orcurs Rat Executable (1 IoC)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)
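The extracted configuration and the persistence signatures above are the parts of this report a responder can act on. The Python below is an added example, not part of the sandbox report or of Orcus itself: it derives hunt indicators from the Malware Config values on this page (C2 host and port, the Run value name, the scheduled-task name, the install and watchdog executable names) and matches them against Sysmon-style event lines. The event lines are constructed for the example; the event IDs used (1 process create, 3 network connect, 11 file create, 13 registry value set, 22 DNS query) are standard Sysmon IDs. The registry match is on the key suffix because Sysmon records per-user hives as HKU\<SID>\..., not HKCU, and file matches use the executable name only because the config paths are templates (%programfiles%, AppData). Note that the config reports autostart_method as Disable while the sandbox still flagged "Adds Run key to start application", so the example hunts for both the Run value and the scheduled task rather than trusting the config flag.

```python
"""Derive hunt indicators from the extracted Orcus config on this page and
match them against Sysmon-style event lines.

Added example; the config values are copied from the report's Malware
Config section, the log lines are constructed and are not from the run.
"""
import re
from pathlib import PureWindowsPath

# Copied from the report's "Malware Config" section.
ORCUS_CONFIG = {
    "c2": "mrgrayhat.duckdns.org:1606",
    "mutex": "b3b6a52907b341e1845d276e770a3415",
    "install_path": r"%programfiles%\Orcus\Orcus.exe",
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "Orcus",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
}

RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"


def derive_indicators(cfg: dict) -> dict:
    """Expand the config into lower-cased strings to hunt for."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"].lower(),  # for handle enumeration on a live host, not log matching
        # Suffix only: Sysmon writes per-user keys as HKU\<SID>\Software\..., not HKCU.
        "run_key_suffix": (RUN_KEY + "\\" + cfg["registry_keyname"]).lower(),
        "task_name": cfg["taskscheduler_taskname"].lower(),
        # The config paths are templates, so match on the executable names.
        "file_names": {
            PureWindowsPath(cfg["install_path"]).name.lower(),
            PureWindowsPath(cfg["watchdog_path"]).name.lower(),
        },
    }


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse a flat key=value event line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def match_event(ev: dict, ind: dict) -> list[str]:
    """Return the indicator names a single event matches (Sysmon event IDs)."""
    hits = []
    eid = ev.get("EventID")
    if eid == "1":  # process creation: schtasks registering the configured task name
        cl = ev.get("CommandLine", "").lower()
        if "schtasks" in cl and re.search(
                r'/tn\s+"?' + re.escape(ind["task_name"]) + r'"?(?=\s|$)', cl):
            hits.append("task_create")
    elif eid == "3":  # network connection to the C2 host:port
        if (ev.get("DestinationHostname", "").lower() == ind["c2_host"]
                and ev.get("DestinationPort") == str(ind["c2_port"])):
            hits.append("c2_connect")
    elif eid == "11":  # file creation of the install or watchdog binary
        if PureWindowsPath(ev.get("TargetFilename", "")).name.lower() in ind["file_names"]:
            hits.append("dropped_file")
    elif eid == "13":  # registry value set under ...\Run\<registry_keyname>
        if ev.get("TargetObject", "").lower().endswith(ind["run_key_suffix"]):
            hits.append("run_key")
    elif eid == "22":  # DNS query for the dynamic-DNS C2 name
        if ev.get("QueryName", "").lower() == ind["c2_host"]:
            hits.append("c2_dns")
    return hits


def scan(log_text: str, ind: dict) -> list[tuple[int, str]]:
    """Return (line number, indicator) pairs for every matching event."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            findings.extend((n, hit) for hit in match_event(parse_event(line), ind))
    return findings


INDICATORS = derive_indicators(ORCUS_CONFIG)

# Constructed Sysmon-style events; lines 6 and 7 are benign controls.
SAMPLE_LOG = r"""
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /tn Orcus /tr C:\Program Files\Orcus\Orcus.exe /sc onlogon"
EventID=13 TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Orcus Details="C:\Program Files\Orcus\Orcus.exe"
EventID=11 Image="C:\Program Files\Orcus\Orcus.exe" TargetFilename=C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
EventID=22 QueryName=mrgrayhat.duckdns.org QueryResults=203.0.113.10
EventID=3 DestinationHostname=mrgrayhat.duckdns.org DestinationIp=203.0.113.10 DestinationPort=1606
EventID=3 DestinationHostname=www.example.com DestinationIp=93.184.216.34 DestinationPort=443
EventID=13 TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
""".strip()

if __name__ == "__main__":
    for line_no, hit in scan(SAMPLE_LOG, INDICATORS):
        print(f"line {line_no}: {hit}")
```

The same indicator set works for a live host check: the Run value and scheduled task can be read back with reg query and schtasks /query, and the mutex name can be compared against the handle table of any running Orcus.exe.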

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe
    "C:\Users\Admin\AppData\Local\Temp\3e3330bceb1c4b3839f74c66f6996e5a0d0c729f6a8e2e89bddc38b8604580cf.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Users\Admin\AppData\Roaming\vhhcxsdhbrf34568v0924b87tr\ ncbxkzvgnrio578435794\3.5.6.7\Q-Dir_Installer_UC.exe
      "C:\Users\Admin\AppData\Roaming\vhhcxsdhbrf34568v0924b87tr\ ncbxkzvgnrio578435794\3.5.6.7\Q-Dir_Installer_UC.exe"
      2⤵
      • Executes dropped EXE
      PID:1108

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\vhhcxsdhbrf34568v0924b87tr\ ncbxkzvgnrio578435794\3.5.6.7\Q-Dir_Installer_UC.exe

    Filesize

    984KB

    MD5

    95bbd05263acfcefcdc78457bc59c86d

    SHA1

    0c504d02086041d993ec08d3346531f8b466cd65

    SHA256

    26199e48d49e465f7055b45d3b9e77dfef73427984821b423a1f7c7fcf79905c

    SHA512

    d6f8b4dd8288d873fcb6421536fdd7ff602b1e553e9671b77845ca845f8fb9cdaacd7c3bd544d10c0d109a64e2ea36c7c4e90189c613a435e80f29834607ed15

  • memory/4408-0-0x0000000001280000-0x00000000012E2000-memory.dmp (392KB)
  • memory/4408-1-0x00007FFED1D00000-0x00007FFED26A1000-memory.dmp (9.6MB)
  • memory/4408-2-0x00007FFED1D00000-0x00007FFED26A1000-memory.dmp (9.6MB)
  • memory/4408-3-0x000000001BA80000-0x000000001BF4E000-memory.dmp (4.8MB)
  • memory/4408-4-0x0000000001160000-0x0000000001170000-memory.dmp (64KB)
  • memory/4408-5-0x0000000001160000-0x0000000001170000-memory.dmp (64KB)
  • memory/4408-6-0x0000000001160000-0x0000000001170000-memory.dmp (64KB)
  • memory/4408-7-0x0000000001160000-0x0000000001170000-memory.dmp (64KB)
  • memory/4408-8-0x0000000001160000-0x0000000001170000-memory.dmp (64KB)
  • memory/4408-9-0x000000001C630000-0x000000001C702000-memory.dmp (840KB)
  • memory/4408-20-0x000000001C710000-0x000000001C7F8000-memory.dmp (928KB)
  • memory/4408-22-0x00007FFED1D00000-0x00007FFED26A1000-memory.dmp (9.6MB)
  • memory/4408-23-0x0000000001160000-0x0000000001170000-memory.dmp (64KB)
  • memory/4408-24-0x0000000001160000-0x0000000001170000-memory.dmp (64KB)
  • memory/4408-25-0x0000000001160000-0x0000000001170000-memory.dmp (64KB)
  • memory/4408-26-0x0000000001160000-0x0000000001170000-memory.dmp (64KB)
  • memory/4408-27-0x0000000001160000-0x0000000001170000-memory.dmp (64KB)