Overview

overview

10

Static

static

3

Extreme In...v3.exe

windows10-2004-x64

10

Extreme In...v3.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1187s
  • max time network
    1201s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-04-2024 16:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Extreme Injector v3.exe

  • Size

    1.9MB

  • MD5

    8a85b1dbf679febd30fe2f55a811de58

  • SHA1

    d06b7f96415b1ff21adff49ecd84b7b06f01fe6e

  • SHA256

    cfe2e6d9739a3251ed06594563f1d66e9dd018b3c74a96ca3734cca7880fb105

  • SHA512

    9b9ba49b1bc4ef056ade2146ad915eeba819485d49dd2825b4f914b68ec572304c8138f1c202508f40a0e8db8c6443270da333e323d631b27897edf915fefabf

  • SSDEEP

    49152:d4FdetMVCK1LVXXQezP3+Wgm18VeWo/Wz3XEVM:udkCCK3XXQO18VeWJLE

Score
10/10
orcuspersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

C2

s7vety-47274.portmap.host:47274

Mutex

2dfc3c3857c0466484c2056fcb13e0c9

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %temp%\Windows Updater\updateclient.exe

  • reconnect_delay

    10000

  • registry_keyname

    WindowsUpdater

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3348
    • C:\Users\Admin\AppData\Local\Temp\Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Windows\SysWOW64\WindowsInput.exe
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:4280
      • C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:920
    • C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3_or.exe
      "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3_or.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1180
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:2000
  • C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"
    1⤵
    • Executes dropped EXE
    PID:4228
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004C0
    1⤵
      PID:3436
    • C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"
      1⤵
      • Executes dropped EXE
      PID:4848
    • C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"
      1⤵
      • Executes dropped EXE
      PID:1084
    • C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Updater\updateclient.exe"
      1⤵
      • Executes dropped EXE
      PID:3692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updateclient.exe.log
      Filesize

      1KB

      MD5

      9666dac81545c9074f4da5ceac101f52

      SHA1

      ea515e0b8895f3d75a949851a360f8082637017b

      SHA256

      1dc357977659fdb0474ba61f6e34053669875581f8ef70fa397a31d1b2a81e3c

      SHA512

      6e4a99b1b27b61973ae79fdfd4dd9831aabb6d64177a1e9081977b5bf8fdf7e9d0c071dd5e229484c3db6f66271f91247d48f086dc6bd43566553ccdc9ac5670

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3_or.exe
      Filesize

      1.9MB

      MD5

      ec801a7d4b72a288ec6c207bb9ff0131

      SHA1

      32eec2ae1f9e201516fa7fcdc16c4928f7997561

      SHA256

      b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

      SHA512

      a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Update.exe
      Filesize

      918KB

      MD5

      8c6658a8808482bfab2b8ac9840f9e51

      SHA1

      c941721888b49c97c456af1b195a4018e4edeb0c

      SHA256

      95abbef690302956860c174bfa7ee8764f5d4379a2e13a6fd7c945ab2fd113a0

      SHA512

      4fe5a5cbf4baa919320ce2736cdac33e273719272ce76233466e98d334e94a33c8402b8656f35d4d099e3495370953fda1f943cfe07774551420eff004d3172d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windows\lib_2dfc3c3857c0466484c2056fcb13e0c9\CSCore.dll
      Filesize

      516KB

      MD5

      dde3ec6e17bc518b10c99efbd09ab72e

      SHA1

      a2306e60b74b8a01a0dbc1199a7fffca288f2033

      SHA256

      60a5077b443273238e6629ce5fc3ff7ee3592ea2e377b8fc28bfe6e76bda64b8

      SHA512

      09a528c18291980ca7c5ddca67625035bbb21b9d95ab0854670d28c59c4e7adc6d13a356fa1d2c9ad75d16b334ae9818e06ddb10408a3e776e4ef0d7b295f877

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windows\lib_2dfc3c3857c0466484c2056fcb13e0c9\ICSharpCode.SharpZipLib.dll
      Filesize

      196KB

      MD5

      c8164876b6f66616d68387443621510c

      SHA1

      7a9df9c25d49690b6a3c451607d311a866b131f4

      SHA256

      40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

      SHA512

      44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windows\lib_2dfc3c3857c0466484c2056fcb13e0c9\x64\opus.dll
      Filesize

      458KB

      MD5

      20956ba917ef3509b721461a884edcc1

      SHA1

      b45628c6f280aff8362bbb02c0960b20a44a5086

      SHA256

      b767008d63a9fce5db80f27467abb8e0a74e7edbcf0d392a6a0506d42d3bf76a

      SHA512

      68db640941698d6649809bfe8795e197a538f7c48d9faea04dfa0d5ef3c2dcc390d829827c6d5604f8e337243f0ad894ef3c37b4c682c775f3c1270b59331f00

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe
      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe.config
      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

      Download Submit

    • memory/920-121-0x000000001B440000-0x000000001B456000-memory.dmp

      Filesize

      88KB

      Download

    • memory/920-103-0x000000001C4A0000-0x000000001C662000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/920-139-0x000000001B910000-0x000000001B996000-memory.dmp

      Filesize

      536KB

      Download

    • memory/920-126-0x000000001B610000-0x000000001B644000-memory.dmp

      Filesize

      208KB

      Download

    • memory/920-86-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/920-116-0x000000001B400000-0x000000001B43E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/920-106-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/920-105-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/920-104-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/920-136-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/920-98-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/920-91-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/920-144-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/920-147-0x000000001BF80000-0x000000001C05A000-memory.dmp

      Filesize

      872KB

      Download

    • memory/920-90-0x000000001B280000-0x000000001B298000-memory.dmp

      Filesize

      96KB

      Download

    • memory/920-88-0x000000001B210000-0x000000001B25E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/920-87-0x000000001B2B0000-0x000000001B2C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/960-40-0x00000000025D0000-0x00000000025E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/960-33-0x0000000000350000-0x000000000043C000-memory.dmp

      Filesize

      944KB

      Download

    • memory/960-32-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/960-35-0x000000001B000000-0x000000001B05C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/960-37-0x0000000000C50000-0x0000000000C5E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/960-39-0x00000000025C0000-0x00000000025D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/960-41-0x0000000000C90000-0x0000000000C98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/960-85-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1180-111-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-143-0x0000000000980000-0x0000000000A80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1180-150-0x0000000000980000-0x0000000000A80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1180-110-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-64-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-93-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1180-109-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-97-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-135-0x0000000000980000-0x0000000000A80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1180-133-0x0000000000980000-0x0000000000A80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1180-101-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-132-0x0000000000980000-0x0000000000A80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1180-131-0x0000000000980000-0x0000000000A80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1180-38-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-36-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1180-31-0x0000000000050000-0x0000000000236000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1180-107-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-113-0x0000000000980000-0x0000000000A80000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1180-94-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-112-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1180-108-0x000000001B060000-0x000000001B070000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2000-67-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2000-102-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2000-68-0x000000001AD60000-0x000000001AE6A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3348-5-0x0000000000E40000-0x0000000000E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3348-29-0x000000001BE10000-0x000000001BF1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3348-2-0x0000000000E40000-0x0000000000E50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3348-0-0x000000001B400000-0x000000001B4A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/3348-1-0x00007FFD78150000-0x00007FFD78AF1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3348-3-0x00007FFD78150000-0x00007FFD78AF1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3348-34-0x00007FFD78150000-0x00007FFD78AF1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3348-4-0x000000001B570000-0x000000001B5D2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/4228-92-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4228-100-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4280-57-0x000000001B6E0000-0x000000001B71C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4280-58-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4280-65-0x00007FFD75040000-0x00007FFD75B02000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4280-55-0x0000000000A50000-0x0000000000A5C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4280-60-0x000000001B690000-0x000000001B6A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4280-56-0x0000000002C60000-0x0000000002C72000-memory.dmp

      Filesize

      72KB

      Download