orcus | 464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc

General

Target

464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe
Size

2.6MB
MD5

9244dfbd957a522232e9f93b7c0c6859
SHA1

bb68c6b213bef977e090208ea8b83078d600d4a5
SHA256

464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc
SHA512

384c2dc44509b3f559bab05b8e8d6259bab83600da71c246b5d330903773f9412def98b963db0643cc3029ecb7cefc6fa7a1996b504bfc1f0190d934638d2db6
SSDEEP

24576:QAHnh+eWsN3skA4RV1Hom2KXSmHdqf0K44JzixdvW80EXLq31gEfUvWDyBFZpxx3:Hh+ZkldoPKiYdqd6/

Score

10^/10

orcus ligeon rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2000-4-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus
behavioral1/memory/2000-10-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus
behavioral1/memory/2000-11-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus
behavioral1/memory/1232-42-0x00000000001D0000-0x00000000002BA000-memory.dmp	orcus
behavioral1/memory/1232-48-0x00000000001D0000-0x00000000002BA000-memory.dmp	orcus
behavioral1/memory/1232-49-0x00000000001D0000-0x00000000002BA000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

Processes:

setspn.exesetspn.exe

pid process

2944 setspn.exe
1744 setspn.exe

pid	process
2944	setspn.exe
1744	setspn.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2784-0-0x00000000001A0000-0x000000000044A000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe	autoit_exe
behavioral1/memory/2944-26-0x0000000000C70000-0x0000000000F1A000-memory.dmp	autoit_exe
behavioral1/memory/1744-39-0x00000000002F0000-0x000000000059A000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exesetspn.exesetspn.exe

description	pid	process	target process
PID 2784 set thread context of 2000	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	RegSvcs.exe
PID 2944 set thread context of 2952	2944	setspn.exe	RegSvcs.exe
PID 1744 set thread context of 1232	1744	setspn.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3056 schtasks.exe
2548 schtasks.exe
692 schtasks.exe

pid	process
3056	schtasks.exe
2548	schtasks.exe
692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exesetspn.exesetspn.exe

pid	process
2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe
2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe
2944	setspn.exe
2944	setspn.exe
1744	setspn.exe
1744	setspn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2000 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2000 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2000	RegSvcs.exe

pid	process
2000	RegSvcs.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exetaskeng.exesetspn.exesetspn.exe

description	pid	process	target process
PID 2784 wrote to memory of 2000	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	RegSvcs.exe
PID 2784 wrote to memory of 2000	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	RegSvcs.exe
PID 2784 wrote to memory of 2000	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	RegSvcs.exe
PID 2784 wrote to memory of 2000	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	RegSvcs.exe
PID 2784 wrote to memory of 2000	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	RegSvcs.exe
PID 2784 wrote to memory of 2000	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	RegSvcs.exe
PID 2784 wrote to memory of 2000	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	RegSvcs.exe
PID 2784 wrote to memory of 2000	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	RegSvcs.exe
PID 2784 wrote to memory of 2000	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	RegSvcs.exe
PID 2784 wrote to memory of 3056	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	schtasks.exe
PID 2784 wrote to memory of 3056	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	schtasks.exe
PID 2784 wrote to memory of 3056	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	schtasks.exe
PID 2784 wrote to memory of 3056	2784	464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe	schtasks.exe
PID 2772 wrote to memory of 2944	2772	taskeng.exe	setspn.exe
PID 2772 wrote to memory of 2944	2772	taskeng.exe	setspn.exe
PID 2772 wrote to memory of 2944	2772	taskeng.exe	setspn.exe
PID 2772 wrote to memory of 2944	2772	taskeng.exe	setspn.exe
PID 2944 wrote to memory of 2952	2944	setspn.exe	RegSvcs.exe
PID 2944 wrote to memory of 2952	2944	setspn.exe	RegSvcs.exe
PID 2944 wrote to memory of 2952	2944	setspn.exe	RegSvcs.exe
PID 2944 wrote to memory of 2952	2944	setspn.exe	RegSvcs.exe
PID 2944 wrote to memory of 2952	2944	setspn.exe	RegSvcs.exe
PID 2944 wrote to memory of 2952	2944	setspn.exe	RegSvcs.exe
PID 2944 wrote to memory of 2952	2944	setspn.exe	RegSvcs.exe
PID 2944 wrote to memory of 2952	2944	setspn.exe	RegSvcs.exe
PID 2944 wrote to memory of 2952	2944	setspn.exe	RegSvcs.exe
PID 2944 wrote to memory of 2548	2944	setspn.exe	schtasks.exe
PID 2944 wrote to memory of 2548	2944	setspn.exe	schtasks.exe
PID 2944 wrote to memory of 2548	2944	setspn.exe	schtasks.exe
PID 2944 wrote to memory of 2548	2944	setspn.exe	schtasks.exe
PID 2772 wrote to memory of 1744	2772	taskeng.exe	setspn.exe
PID 2772 wrote to memory of 1744	2772	taskeng.exe	setspn.exe
PID 2772 wrote to memory of 1744	2772	taskeng.exe	setspn.exe
PID 2772 wrote to memory of 1744	2772	taskeng.exe	setspn.exe
PID 1744 wrote to memory of 1232	1744	setspn.exe	RegSvcs.exe
PID 1744 wrote to memory of 1232	1744	setspn.exe	RegSvcs.exe
PID 1744 wrote to memory of 1232	1744	setspn.exe	RegSvcs.exe
PID 1744 wrote to memory of 1232	1744	setspn.exe	RegSvcs.exe
PID 1744 wrote to memory of 1232	1744	setspn.exe	RegSvcs.exe
PID 1744 wrote to memory of 1232	1744	setspn.exe	RegSvcs.exe
PID 1744 wrote to memory of 1232	1744	setspn.exe	RegSvcs.exe
PID 1744 wrote to memory of 1232	1744	setspn.exe	RegSvcs.exe
PID 1744 wrote to memory of 1232	1744	setspn.exe	RegSvcs.exe
PID 1744 wrote to memory of 692	1744	setspn.exe	schtasks.exe
PID 1744 wrote to memory of 692	1744	setspn.exe	schtasks.exe
PID 1744 wrote to memory of 692	1744	setspn.exe	schtasks.exe
PID 1744 wrote to memory of 692	1744	setspn.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe
"C:\Users\Admin\AppData\Local\Temp\464f44f3c9deda36ae9a4ec9043403f0546e3902c12abde791729d6a5c5a01dc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\taskeng.exe
taskeng.exe {380F0E45-BEC5-4265-8CBA-4526EE2B600A} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2952

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:2548

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1232

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
Filesize
2.6MB

MD5
a01abcbd6e727cd2342511b734ad317c

SHA1
a3fa729a17581e9d5769937f5f481069f167cd8a

SHA256
e78f0e5613a68f40478a1210a5fe9231acaf02eea04cc61f746a9ce7e60cb9fe

SHA512
9997009fc234ee561aa5e10581379c4bd8a2e5323ddc62117f1290e2ec7cf7725737c425cf52ea49986dd6633d6a974e0ff619afd221c0bc50662ff67efc685d

Download Submit
memory/1232-52-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1232-51-0x0000000004DD0000-0x0000000004E10000-memory.dmp

Filesize
256KB

Download
memory/1232-50-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/1232-49-0x00000000001D0000-0x00000000002BA000-memory.dmp

Filesize
936KB

Download
memory/1232-48-0x00000000001D0000-0x00000000002BA000-memory.dmp

Filesize
936KB

Download
memory/1232-42-0x00000000001D0000-0x00000000002BA000-memory.dmp

Filesize
936KB

Download
memory/1744-39-0x00000000002F0000-0x000000000059A000-memory.dmp

Filesize
2.7MB

Download
memory/2000-21-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/2000-22-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2000-17-0x0000000000710000-0x000000000076C000-memory.dmp

Filesize
368KB

Download
memory/2000-18-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2000-20-0x00000000005D0000-0x00000000005E8000-memory.dmp

Filesize
96KB

Download
memory/2000-19-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2000-16-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/2000-11-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2000-23-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/2000-15-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/2000-2-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2000-4-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2000-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2000-10-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2000-14-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-0-0x00000000001A0000-0x000000000044A000-memory.dmp

Filesize
2.7MB

Download
memory/2784-1-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2944-26-0x0000000000C70000-0x0000000000F1A000-memory.dmp

Filesize
2.7MB

Download
memory/2952-37-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-36-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads