orcus | 7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c

Analysis

max time kernel
147s
max time network
132s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
Size

15.0MB
MD5

c9a729181d000d53b390da89f4d68d0c
SHA1

b1ba9b1e69634202f596c31bd69d975f3ddf5298
SHA256

7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c
SHA512

04bb394e0695220a3436493fad6ad6cc531a63d0533c073216e919502dea8b7475575fb84fe1bf28954f62357ea6d1f1c1cf4e7f5e1b4eedafaa5365a60cd46a
SSDEEP

24576:1Zf4MROxnFaarrcI0AilFEvxHPG+qoot:1WMi5rrcI0AilFEvxHP

Score

10^/10

orcus cc rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

192.168.1.5:10134

Mutex

a9b4352a71bc43b0b7d8d88b859bf9a8

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\system\Orcus.exe
reconnect_delay
10000
registry_keyname
registy
taskscheduler_taskname
wsappx
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016572-1014.dat	family_orcus

Orcurs Rat Executable 4 IoCs

resource	yara_rule
behavioral1/memory/2156-1-0x00000000008F0000-0x00000000009E2000-memory.dmp	orcus
behavioral1/files/0x0008000000016572-1014.dat	orcus
behavioral1/memory/2156-1017-0x0000000005A00000-0x0000000005AF2000-memory.dmp	orcus
behavioral1/memory/2156-1019-0x0000000005A00000-0x0000000005AF2000-memory.dmp	orcus

Executes dropped EXE 4 IoCs

pid	Process
2668	WindowsInput.exe
2652	WindowsInput.exe
2656	Orcus.exe
3004	Orcus.exe

Loads dropped DLL 8 IoCs

pid	Process
2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\system\Orcus.exe	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
File created	C:\Program Files (x86)\system\Orcus.exe.config	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
File created	C:\Program Files (x86)\system\Orcus.exe	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	Orcus.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2656	Orcus.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2668	2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe	28
PID 2156 wrote to memory of 2668	2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe	28
PID 2156 wrote to memory of 2668	2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe	28
PID 2156 wrote to memory of 2668	2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe	28
PID 2156 wrote to memory of 2656	2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe	30
PID 2156 wrote to memory of 2656	2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe	30
PID 2156 wrote to memory of 2656	2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe	30
PID 2156 wrote to memory of 2656	2156	7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe	30
PID 1588 wrote to memory of 3004	1588	taskeng.exe	32
PID 1588 wrote to memory of 3004	1588	taskeng.exe	32
PID 1588 wrote to memory of 3004	1588	taskeng.exe	32
PID 1588 wrote to memory of 3004	1588	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe
"C:\Users\Admin\AppData\Local\Temp\7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2668
- C:\Program Files (x86)\system\Orcus.exe
  "C:\Program Files (x86)\system\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2656

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\system32\taskeng.exe
taskeng.exe {DFF34905-F2FD-4DCE-AE56-B299FB5B44CB} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Program Files (x86)\system\Orcus.exe
  "C:\Program Files (x86)\system\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Program Files (x86)\system\Orcus.exe

Filesize
15.0MB

MD5
c9a729181d000d53b390da89f4d68d0c

SHA1
b1ba9b1e69634202f596c31bd69d975f3ddf5298

SHA256
7a7daa96cfb24335bd6dc0e929743bc84b5d1789e044ffbe3ebb01b08ccf2d4c

SHA512
04bb394e0695220a3436493fad6ad6cc531a63d0533c073216e919502dea8b7475575fb84fe1bf28954f62357ea6d1f1c1cf4e7f5e1b4eedafaa5365a60cd46a

Download Submit
\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
memory/2156-1184-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/2156-1278-0x0000000004F50000-0x0000000004F5E000-memory.dmp

Filesize
56KB

Download
memory/2156-5-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2156-6-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2156-7-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2156-4-0x0000000074D00000-0x00000000753EE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-2-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download
memory/2156-1323-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-1322-0x0000000005190000-0x00000000051B6000-memory.dmp

Filesize
152KB

Download
memory/2156-1321-0x0000000004F60000-0x0000000004F7E000-memory.dmp

Filesize
120KB

Download
memory/2156-1315-0x0000000005190000-0x00000000051B8000-memory.dmp

Filesize
160KB

Download
memory/2156-27-0x0000000005900000-0x000000000598E000-memory.dmp

Filesize
568KB

Download
memory/2156-33-0x0000000005AE0000-0x0000000005BCE000-memory.dmp

Filesize
952KB

Download
memory/2156-39-0x0000000005900000-0x00000000059B2000-memory.dmp

Filesize
712KB

Download
memory/2156-45-0x0000000040000000-0x0000000040034000-memory.dmp

Filesize
208KB

Download
memory/2156-50-0x0000000040000000-0x00000000400E6000-memory.dmp

Filesize
920KB

Download
memory/2156-55-0x0000000040000000-0x0000000040066000-memory.dmp

Filesize
408KB

Download
memory/2156-60-0x0000000040000000-0x0000000040061000-memory.dmp

Filesize
388KB

Download
memory/2156-65-0x0000000040000000-0x000000004017D000-memory.dmp

Filesize
1.5MB

Download
memory/2156-70-0x0000000040000000-0x00000000400AC000-memory.dmp

Filesize
688KB

Download
memory/2156-1187-0x0000000004F50000-0x0000000004F58000-memory.dmp

Filesize
32KB

Download
memory/2156-80-0x0000000005200000-0x0000000005264000-memory.dmp

Filesize
400KB

Download
memory/2156-85-0x0000000040000000-0x0000000040021000-memory.dmp

Filesize
132KB

Download
memory/2156-184-0x0000000005190000-0x00000000051E6000-memory.dmp

Filesize
344KB

Download
memory/2156-971-0x0000000004840000-0x000000000484A000-memory.dmp

Filesize
40KB

Download
memory/2156-1-0x00000000008F0000-0x00000000009E2000-memory.dmp

Filesize
968KB

Download
memory/2156-1017-0x0000000005A00000-0x0000000005AF2000-memory.dmp

Filesize
968KB

Download
memory/2156-1019-0x0000000005A00000-0x0000000005AF2000-memory.dmp

Filesize
968KB

Download
memory/2156-1063-0x0000000005190000-0x00000000051B6000-memory.dmp

Filesize
152KB

Download
memory/2156-1064-0x0000000004F60000-0x0000000004F78000-memory.dmp

Filesize
96KB

Download
memory/2156-1071-0x0000000040000000-0x000000004003B000-memory.dmp

Filesize
236KB

Download
memory/2156-1075-0x0000000005190000-0x00000000051A6000-memory.dmp

Filesize
88KB

Download
memory/2156-1076-0x0000000005190000-0x00000000051BA000-memory.dmp

Filesize
168KB

Download
memory/2156-1077-0x0000000004F50000-0x0000000004F58000-memory.dmp

Filesize
32KB

Download
memory/2156-1078-0x0000000005190000-0x00000000051B6000-memory.dmp

Filesize
152KB

Download
memory/2156-1079-0x0000000004F60000-0x0000000004F7C000-memory.dmp

Filesize
112KB

Download
memory/2156-1080-0x0000000005A10000-0x0000000005B1A000-memory.dmp

Filesize
1.0MB

Download
memory/2156-1081-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-1082-0x0000000004F60000-0x0000000004F80000-memory.dmp

Filesize
128KB

Download
memory/2156-1083-0x0000000005190000-0x00000000051B6000-memory.dmp

Filesize
152KB

Download
memory/2156-1084-0x0000000005190000-0x000000000520B000-memory.dmp

Filesize
492KB

Download
memory/2156-1085-0x0000000004F40000-0x0000000004F46000-memory.dmp

Filesize
24KB

Download
memory/2156-1086-0x0000000004F40000-0x0000000004F4C000-memory.dmp

Filesize
48KB

Download
memory/2156-1087-0x0000000005190000-0x000000000525C000-memory.dmp

Filesize
816KB

Download
memory/2156-1088-0x0000000005190000-0x00000000051EB000-memory.dmp

Filesize
364KB

Download
memory/2156-1089-0x0000000004F40000-0x0000000004F90000-memory.dmp

Filesize
320KB

Download
memory/2156-1137-0x0000000004F60000-0x0000000004F7C000-memory.dmp

Filesize
112KB

Download
memory/2156-1170-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/2156-1171-0x0000000004F60000-0x0000000004F7C000-memory.dmp

Filesize
112KB

Download
memory/2156-1182-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/2156-1183-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

Filesize
4KB

Download
memory/2156-1211-0x0000000004F60000-0x0000000004F7C000-memory.dmp

Filesize
112KB

Download
memory/2156-3-0x0000000004240000-0x000000000429C000-memory.dmp

Filesize
368KB

Download
memory/2156-75-0x0000000040000000-0x0000000040039000-memory.dmp

Filesize
228KB

Download
memory/2156-1188-0x0000000004F50000-0x0000000004F58000-memory.dmp

Filesize
32KB

Download
memory/2156-1189-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/2156-1190-0x0000000004F50000-0x0000000004F5E000-memory.dmp

Filesize
56KB

Download
memory/2156-1191-0x0000000004F60000-0x0000000004F74000-memory.dmp

Filesize
80KB

Download
memory/2156-1192-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2156-1193-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-1194-0x0000000005900000-0x00000000059D5000-memory.dmp

Filesize
852KB

Download
memory/2156-1195-0x0000000005190000-0x00000000051B8000-memory.dmp

Filesize
160KB

Download
memory/2156-1197-0x0000000005190000-0x00000000051B6000-memory.dmp

Filesize
152KB

Download
memory/2156-1196-0x0000000004F60000-0x0000000004F80000-memory.dmp

Filesize
128KB

Download
memory/2156-1198-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/2156-1199-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-1200-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-1201-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-1202-0x0000000004F60000-0x0000000004F74000-memory.dmp

Filesize
80KB

Download
memory/2156-1203-0x0000000004F60000-0x0000000004F78000-memory.dmp

Filesize
96KB

Download
memory/2156-1204-0x0000000004F60000-0x0000000004F78000-memory.dmp

Filesize
96KB

Download
memory/2156-1205-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-1206-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-1207-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-1208-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/2156-1209-0x0000000004F50000-0x0000000004F5E000-memory.dmp

Filesize
56KB

Download
memory/2156-1210-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/2156-1185-0x0000000004F60000-0x0000000004F7E000-memory.dmp

Filesize
120KB

Download
memory/2156-1212-0x0000000005190000-0x00000000051BC000-memory.dmp

Filesize
176KB

Download
memory/2156-1213-0x0000000004F60000-0x0000000004F74000-memory.dmp

Filesize
80KB

Download
memory/2156-1214-0x0000000004F50000-0x0000000004F58000-memory.dmp

Filesize
32KB

Download
memory/2156-1215-0x0000000004F60000-0x0000000004F7A000-memory.dmp

Filesize
104KB

Download
memory/2156-1216-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2156-1217-0x0000000004F50000-0x0000000004F5E000-memory.dmp

Filesize
56KB

Download
memory/2156-1218-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/2156-1219-0x0000000005190000-0x00000000051D0000-memory.dmp

Filesize
256KB

Download
memory/2156-1220-0x0000000004F60000-0x0000000004F72000-memory.dmp

Filesize
72KB

Download
memory/2156-1221-0x0000000004F50000-0x0000000004F5E000-memory.dmp

Filesize
56KB

Download
memory/2156-1222-0x0000000005190000-0x00000000051B4000-memory.dmp

Filesize
144KB

Download
memory/2156-1223-0x0000000005190000-0x00000000051B8000-memory.dmp

Filesize
160KB

Download
memory/2156-1231-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/2156-1235-0x0000000004F60000-0x0000000004F68000-memory.dmp

Filesize
32KB

Download
memory/2156-1243-0x0000000005190000-0x00000000051AC000-memory.dmp

Filesize
112KB

Download
memory/2156-1255-0x0000000005190000-0x00000000051AC000-memory.dmp

Filesize
112KB

Download
memory/2156-1264-0x0000000004F50000-0x0000000004F58000-memory.dmp

Filesize
32KB

Download
memory/2156-1269-0x0000000004F50000-0x0000000004F58000-memory.dmp

Filesize
32KB

Download
memory/2156-1277-0x0000000004F60000-0x0000000004F68000-memory.dmp

Filesize
32KB

Download
memory/2156-1186-0x0000000004F60000-0x0000000004F7E000-memory.dmp

Filesize
120KB

Download
memory/2156-1286-0x0000000005190000-0x00000000051A2000-memory.dmp

Filesize
72KB

Download
memory/2156-1298-0x0000000004F60000-0x0000000004F6E000-memory.dmp

Filesize
56KB

Download
memory/2156-1302-0x0000000004F60000-0x0000000004F6A000-memory.dmp

Filesize
40KB

Download
memory/2156-1307-0x0000000005190000-0x00000000051BA000-memory.dmp

Filesize
168KB

Download
memory/2156-1314-0x00000000059E0000-0x0000000005AB5000-memory.dmp

Filesize
852KB

Download
memory/2668-21-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-18-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2668-17-0x0000000001330000-0x000000000133C000-memory.dmp

Filesize
48KB

Download
memory/2668-15-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download