orcus | 822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd

General

Target

822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe
Size

2.6MB
MD5

ba401af5444b2dd13624f2d4ea246547
SHA1

666e75aec29af497b10a21068c4fa1391a46550d
SHA256

822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd
SHA512

620dc920d8d57ec6824d79613890f6e9e100a2ea77d2949ea074bb597bd6020a123ab63f9749bd2b74021d1ed23dbdcc7675132eb5d923f12c927c4d57af65d8
SSDEEP

24576:SAHnh+eWsN3skA4RV1Hom2KXSmHdK3VqbE6przwKpwvEuM/SD0wugdDEl6NrL/Nx:Vh+ZkldoPKiYdKr9v

Score

10^/10

orcus ligeon rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

ligeon

C2

ligeon.ddns.net:1606

Mutex

b98fb09a59c24a81b9d17a55ccf2c036

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2300-3-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus
behavioral1/memory/2300-9-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus
behavioral1/memory/2300-10-0x0000000000400000-0x00000000004EA000-memory.dmp	orcus

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2572 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

setspn.exesetspn.exe

pid process

2700 setspn.exe
764 setspn.exe

pid	process
2572	cmd.exe

pid	process
2700	setspn.exe
764	setspn.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2460-0-0x00000000010C0000-0x000000000136A000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe	autoit_exe
behavioral1/memory/2700-25-0x00000000008F0000-0x0000000000B9A000-memory.dmp	autoit_exe
behavioral1/memory/764-39-0x0000000000CF0000-0x0000000000F9A000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exesetspn.exesetspn.exe

description	pid	process	target process
PID 2460 set thread context of 2300	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	RegSvcs.exe
PID 2700 set thread context of 1992	2700	setspn.exe	RegSvcs.exe
PID 764 set thread context of 356	764	setspn.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2524 schtasks.exe
1280 schtasks.exe
908 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2512 PING.EXE

pid	process
2524	schtasks.exe
1280	schtasks.exe
908	schtasks.exe

pid	process
2512	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exesetspn.exesetspn.exe

pid	process
2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe
2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe
2700	setspn.exe
2700	setspn.exe
764	setspn.exe
764	setspn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2300 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2300 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2300	RegSvcs.exe

pid	process
2300	RegSvcs.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.execmd.exetaskeng.exesetspn.exesetspn.exe

description	pid	process	target process
PID 2460 wrote to memory of 2300	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	RegSvcs.exe
PID 2460 wrote to memory of 2300	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	RegSvcs.exe
PID 2460 wrote to memory of 2300	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	RegSvcs.exe
PID 2460 wrote to memory of 2300	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	RegSvcs.exe
PID 2460 wrote to memory of 2300	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	RegSvcs.exe
PID 2460 wrote to memory of 2300	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	RegSvcs.exe
PID 2460 wrote to memory of 2300	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	RegSvcs.exe
PID 2460 wrote to memory of 2300	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	RegSvcs.exe
PID 2460 wrote to memory of 2300	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	RegSvcs.exe
PID 2460 wrote to memory of 2524	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	schtasks.exe
PID 2460 wrote to memory of 2524	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	schtasks.exe
PID 2460 wrote to memory of 2524	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	schtasks.exe
PID 2460 wrote to memory of 2524	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	schtasks.exe
PID 2460 wrote to memory of 2572	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	cmd.exe
PID 2460 wrote to memory of 2572	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	cmd.exe
PID 2460 wrote to memory of 2572	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	cmd.exe
PID 2460 wrote to memory of 2572	2460	822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe	cmd.exe
PID 2572 wrote to memory of 2512	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2512	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2512	2572	cmd.exe	PING.EXE
PID 2572 wrote to memory of 2512	2572	cmd.exe	PING.EXE
PID 1604 wrote to memory of 2700	1604	taskeng.exe	setspn.exe
PID 1604 wrote to memory of 2700	1604	taskeng.exe	setspn.exe
PID 1604 wrote to memory of 2700	1604	taskeng.exe	setspn.exe
PID 1604 wrote to memory of 2700	1604	taskeng.exe	setspn.exe
PID 2700 wrote to memory of 1992	2700	setspn.exe	RegSvcs.exe
PID 2700 wrote to memory of 1992	2700	setspn.exe	RegSvcs.exe
PID 2700 wrote to memory of 1992	2700	setspn.exe	RegSvcs.exe
PID 2700 wrote to memory of 1992	2700	setspn.exe	RegSvcs.exe
PID 2700 wrote to memory of 1992	2700	setspn.exe	RegSvcs.exe
PID 2700 wrote to memory of 1992	2700	setspn.exe	RegSvcs.exe
PID 2700 wrote to memory of 1992	2700	setspn.exe	RegSvcs.exe
PID 2700 wrote to memory of 1992	2700	setspn.exe	RegSvcs.exe
PID 2700 wrote to memory of 1992	2700	setspn.exe	RegSvcs.exe
PID 2700 wrote to memory of 1280	2700	setspn.exe	schtasks.exe
PID 2700 wrote to memory of 1280	2700	setspn.exe	schtasks.exe
PID 2700 wrote to memory of 1280	2700	setspn.exe	schtasks.exe
PID 2700 wrote to memory of 1280	2700	setspn.exe	schtasks.exe
PID 1604 wrote to memory of 764	1604	taskeng.exe	setspn.exe
PID 1604 wrote to memory of 764	1604	taskeng.exe	setspn.exe
PID 1604 wrote to memory of 764	1604	taskeng.exe	setspn.exe
PID 1604 wrote to memory of 764	1604	taskeng.exe	setspn.exe
PID 764 wrote to memory of 356	764	setspn.exe	RegSvcs.exe
PID 764 wrote to memory of 356	764	setspn.exe	RegSvcs.exe
PID 764 wrote to memory of 356	764	setspn.exe	RegSvcs.exe
PID 764 wrote to memory of 356	764	setspn.exe	RegSvcs.exe
PID 764 wrote to memory of 356	764	setspn.exe	RegSvcs.exe
PID 764 wrote to memory of 356	764	setspn.exe	RegSvcs.exe
PID 764 wrote to memory of 356	764	setspn.exe	RegSvcs.exe
PID 764 wrote to memory of 356	764	setspn.exe	RegSvcs.exe
PID 764 wrote to memory of 356	764	setspn.exe	RegSvcs.exe
PID 764 wrote to memory of 908	764	setspn.exe	schtasks.exe
PID 764 wrote to memory of 908	764	setspn.exe	schtasks.exe
PID 764 wrote to memory of 908	764	setspn.exe	schtasks.exe
PID 764 wrote to memory of 908	764	setspn.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe
"C:\Users\Admin\AppData\Local\Temp\822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:2524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 127.0.0.1 -t 0 & del C:\Users\Admin\AppData\Local\Temp\822739e46fa96ecc2ccb38fea9e82ff9d6fcdaba2a525c6a5b8f9ad33b2fcecd.exe & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -t 0
3⤵
- Runs ping.exe
PID:2512

C:\Windows\system32\taskeng.exe
taskeng.exe {55E71391-A4F4-4141-BCF3-D2C8A8DC4692} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:1280

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn sfc /tr "C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe" /sc minute /mo 1 /F
3⤵
- Creates scheduled task(s)
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\coredpussvr\setspn.exe
Filesize
2.6MB

MD5
139751723dd58701050e1c4a6d399ba6

SHA1
c97dc7cfe1e60f41a288309316be40b164236937

SHA256
fdbca4da6dd64669863d0d77a9f5a4c6e50e0775d971d9e0ad4aad82f7445e94

SHA512
ed1ab3da6fc9a4f5dd9ba511d0dc3db76769e052c1b9a13b6ab9d408d19a8e1ae39cff6b8609b01d28c91b6732066a5a2586cd384caf43a0b73cd7531e7def6b

Download Submit
memory/356-50-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/356-49-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/356-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/764-39-0x0000000000CF0000-0x0000000000F9A000-memory.dmp

Filesize
2.7MB

Download
memory/1992-37-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/1992-36-0x0000000000520000-0x0000000000560000-memory.dmp

Filesize
256KB

Download
memory/1992-35-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-18-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/2300-14-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2300-16-0x0000000000DF0000-0x0000000000E4C000-memory.dmp

Filesize
368KB

Download
memory/2300-17-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/2300-2-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2300-19-0x00000000006D0000-0x00000000006E8000-memory.dmp

Filesize
96KB

Download
memory/2300-20-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/2300-21-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-22-0x0000000000F30000-0x0000000000F70000-memory.dmp

Filesize
256KB

Download
memory/2300-13-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/2300-3-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2300-15-0x0000000000F30000-0x0000000000F70000-memory.dmp

Filesize
256KB

Download
memory/2300-10-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2300-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2300-9-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2460-0-0x00000000010C0000-0x000000000136A000-memory.dmp

Filesize
2.7MB

Download
memory/2460-1-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2700-25-0x00000000008F0000-0x0000000000B9A000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads