orcus | a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe
Size

914KB
MD5

b9f085290297f38b044db9972812c826
SHA1

496f122b6be87a63b68368ad4cbcad814c342672
SHA256

a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9
SHA512

f818d1cc3627e32bf30ee1a2ee6800ba858eaa08a3b5a37e9e7ac4fde545c0c1d71ff062ac9da4392ec53053521f4c336a36e6bb2e925d89e0211197f591cf01
SSDEEP

24576:IDg4MROxnFR3VTnhrZlI0AilFEvxHiD0:IDDMij/rZlI0AilFEvxHi

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

127.0.0.1:10134

Mutex

e86fb9de8bd84a349c8c22746e22a3a3

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\DataStorage\DataStddforage.exe
reconnect_delay
10000
registry_keyname
DatfghdfaStorages
taskscheduler_taskname
DataStdfhorage
watchdog_path
AppData\DataStoragdse.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000016d24-26.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000016d24-26.dat	orcus
behavioral1/memory/1320-30-0x00000000001E0000-0x00000000002CA000-memory.dmp	orcus

Executes dropped EXE 4 IoCs

pid	Process
1320	DataStddforage.exe
580	DataStddforage.exe
1736	DataStoragdse.exe
956	DataStoragdse.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\DatfghdfaStorages = "\"C:\\Program Files\\DataStorage\\DataStddforage.exe\""	DataStddforage.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\DataStorage\DataStddforage.exe	a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe
File opened for modification	C:\Program Files\DataStorage\DataStddforage.exe	a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe
File created	C:\Program Files\DataStorage\DataStddforage.exe.config	a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
956	DataStoragdse.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
1320	DataStddforage.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe
1320	DataStddforage.exe
956	DataStoragdse.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	DataStddforage.exe
Token: SeDebugPrivilege	1736	DataStoragdse.exe
Token: SeDebugPrivilege	956	DataStoragdse.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2344	2336	a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe	30
PID 2336 wrote to memory of 2344	2336	a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe	30
PID 2336 wrote to memory of 2344	2336	a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe	30
PID 2344 wrote to memory of 1116	2344	csc.exe	32
PID 2344 wrote to memory of 1116	2344	csc.exe	32
PID 2344 wrote to memory of 1116	2344	csc.exe	32
PID 2336 wrote to memory of 1320	2336	a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe	33
PID 2336 wrote to memory of 1320	2336	a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe	33
PID 2336 wrote to memory of 1320	2336	a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe	33
PID 2012 wrote to memory of 580	2012	taskeng.exe	35
PID 2012 wrote to memory of 580	2012	taskeng.exe	35
PID 2012 wrote to memory of 580	2012	taskeng.exe	35
PID 1320 wrote to memory of 1736	1320	DataStddforage.exe	36
PID 1320 wrote to memory of 1736	1320	DataStddforage.exe	36
PID 1320 wrote to memory of 1736	1320	DataStddforage.exe	36
PID 1320 wrote to memory of 1736	1320	DataStddforage.exe	36
PID 1736 wrote to memory of 956	1736	DataStoragdse.exe	37
PID 1736 wrote to memory of 956	1736	DataStoragdse.exe	37
PID 1736 wrote to memory of 956	1736	DataStoragdse.exe	37
PID 1736 wrote to memory of 956	1736	DataStoragdse.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe
"C:\Users\Admin\AppData\Local\Temp\a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k0s_64jq.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5449.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5448.tmp"
    3⤵
    PID:1116
- C:\Program Files\DataStorage\DataStddforage.exe
  "C:\Program Files\DataStorage\DataStddforage.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Users\Admin\AppData\Roaming\DataStoragdse.exe
    "C:\Users\Admin\AppData\Roaming\DataStoragdse.exe" /launchSelfAndExit "C:\Program Files\DataStorage\DataStddforage.exe" 1320
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Users\Admin\AppData\Roaming\DataStoragdse.exe
      "C:\Users\Admin\AppData\Roaming\DataStoragdse.exe" /watchProcess "C:\Program Files\DataStorage\DataStddforage.exe" 1320
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:956

C:\Windows\system32\taskeng.exe
taskeng.exe {E7CCE188-7208-4F0F-9B49-68ADDA14567F} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files\DataStorage\DataStddforage.exe
  "C:\Program Files\DataStorage\DataStddforage.exe"
  2⤵
  - Executes dropped EXE
  PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DataStorage\DataStddforage.exe

Filesize
914KB

MD5
b9f085290297f38b044db9972812c826

SHA1
496f122b6be87a63b68368ad4cbcad814c342672

SHA256
a0f4041aee9c0195618c9a4ce20f4e68b4902fba611888287df70ae6134b57e9

SHA512
f818d1cc3627e32bf30ee1a2ee6800ba858eaa08a3b5a37e9e7ac4fde545c0c1d71ff062ac9da4392ec53053521f4c336a36e6bb2e925d89e0211197f591cf01

Download Submit
C:\Program Files\DataStorage\DataStddforage.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5449.tmp

Filesize
1KB

MD5
b3459ceb804b8792f5c079885dd5351b

SHA1
905f174879028bd93bbf12d0f90169643329f989

SHA256
5cf24ed390e5cf735b2a6d200f09ed14259cfe2e12362399ece29252a45c3e15

SHA512
4da04ac771d32f166359affd39adc2dab062127c11af739676e8c476a010e537f88143ac364235478d7abb4a6ac1da738bb510dcb33c45937e7f1ed13854bfdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\k0s_64jq.dll

Filesize
76KB

MD5
f74f71bb6fa139acc10da7b32354aaa4

SHA1
fcf9afd94278b25bfbfa5777db60f17fe973f5c4

SHA256
16ac7c0253453493e32c285295a3535dfdd417e0f0f9bf76ca8c866234efab2c

SHA512
133015923ac1776014a274dc81455590627ec5efea3fc4bfe4c44c46ece9889946509b3e1847e9d5e24cb76e3e6999d208ca39f22a155615d4256ae3d850f0bd

Download Submit
C:\Users\Admin\AppData\Roaming\DataStoragdse.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5448.tmp

Filesize
676B

MD5
b7f948103c2031f10626f66d62a6145c

SHA1
8811b8cd6be1a20489778ffa828f0bfb22d8ee07

SHA256
d3b9b3667871b4a6cb9356b661656ae04ef771152a32e58a664b4d4aeaee9ce5

SHA512
affd2df3e01d29e20ca9174bef0d3047eeb4e22622d0f2cc6a110802e88a508ea45b1a45cbdfc4759d4dff1a378233155c4c435bb610def6cf466d16ebf34d11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k0s_64jq.0.cs

Filesize
208KB

MD5
c555d9796194c1d9a1310a05a2264e08

SHA1
82641fc4938680519c3b2e925e05e1001cbd71d7

SHA256
ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a

SHA512
0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k0s_64jq.cmdline

Filesize
349B

MD5
eb2c13416faf840a3bb7219324e8fae7

SHA1
93ee96a205559c0744c98aa13cec0af43c9ccbdc

SHA256
48d9151bb750a0c0e806719b54154caec1880879f88026873ac17b7230360fe5

SHA512
8b96c2a71fe854c48bb174221339689ca7d0d632a90b8bbc111627d9a654245e111ef2d47b5d446757dd8dd3e35b9c7786261dfac0445d61f9434d0e82a3e378

Download Submit
memory/580-53-0x000007FEEF950000-0x000007FEF033C000-memory.dmp

Filesize
9.9MB

Download
memory/580-40-0x000007FEEF950000-0x000007FEF033C000-memory.dmp

Filesize
9.9MB

Download
memory/956-57-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/956-52-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/1320-31-0x000007FEEF950000-0x000007FEF033C000-memory.dmp

Filesize
9.9MB

Download
memory/1320-32-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/1320-56-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/1320-55-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/1320-54-0x000007FEEF950000-0x000007FEF033C000-memory.dmp

Filesize
9.9MB

Download
memory/1320-30-0x00000000001E0000-0x00000000002CA000-memory.dmp

Filesize
936KB

Download
memory/1320-41-0x000000001B1A0000-0x000000001B220000-memory.dmp

Filesize
512KB

Download
memory/1320-37-0x000000001ACA0000-0x000000001ACB0000-memory.dmp

Filesize
64KB

Download
memory/1320-33-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/1320-34-0x000000001A750000-0x000000001A79E000-memory.dmp

Filesize
312KB

Download
memory/1320-35-0x000000001A860000-0x000000001A878000-memory.dmp

Filesize
96KB

Download
memory/1736-49-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/1736-48-0x00000000011B0000-0x00000000011B8000-memory.dmp

Filesize
32KB

Download
memory/1736-51-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/2336-0-0x000000001AE80000-0x000000001AEDC000-memory.dmp

Filesize
368KB

Download
memory/2336-4-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2336-21-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2336-3-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/2336-2-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2336-28-0x000007FEF6530000-0x000007FEF6ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2336-18-0x0000000000FC0000-0x0000000000FD6000-memory.dmp

Filesize
88KB

Download
memory/2336-20-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2336-1-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2344-10-0x0000000002110000-0x0000000002190000-memory.dmp

Filesize
512KB

Download