orcus | 3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1

General

Target

3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
Size

923KB
MD5

90aad458c97b7381972efdfb0b02c57e
SHA1

069220f73ef14d30816612450549ccd1faaca135
SHA256

3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1
SHA512

d6858685120dffac208cb8b7b90be0a3ade20984a9a4fb372ab4515f0f9fd57f52aabc630d272200294e35143bda3cfbb8b722c03852ea170493943c72ac1714
SSDEEP

12288:WipkuIqoE8Byn6497dG1lFlWcYT70pxnnaaoawGRVcTqSA+9rZNrI0AilFEvxHvd:6mV4MROxnFPLqrZlI0AilFEvxHiZ7u

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

92.240.245.161:8010

Mutex

c208a879463248e19a922162bedb3564

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Program Files\Orcus\Orcus.exe	orcus
behavioral2/memory/5188-45-0x0000000000A10000-0x0000000000AFC000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid process

5188 Orcus.exe

pid	process
5188	Orcus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Orcus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
File created	C:\Windows\assembly\Desktop.ini	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe

Drops file in Program Files directory 3 IoCs

Processes:

3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe

description	ioc	process
File created	C:\Program Files\Orcus\Orcus.exe.config	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
File created	C:\Program Files\Orcus\Orcus.exe	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe

Drops file in Windows directory 3 IoCs

Processes:

3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
File created	C:\Windows\assembly\Desktop.ini	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c9030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4668000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb20000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 190000000100000010000000e843ac3b52ec8c297fa948c9b1fb28190f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46040000000100000010000000a7f2e41606411150306b9ce3b49cb0c920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 5c000000010000000400000000080000040000000100000010000000a7f2e41606411150306b9ce3b49cb0c9030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4668000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d86200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703080b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a00650063007400290000000f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid process

5188 Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid process

5188 Orcus.exe

pid	process
5188	Orcus.exe

pid	process
5188	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.execsc.exe

description	pid	process	target process
PID 2972 wrote to memory of 5724	2972	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe	csc.exe
PID 2972 wrote to memory of 5724	2972	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe	csc.exe
PID 5724 wrote to memory of 4664	5724	csc.exe	cvtres.exe
PID 5724 wrote to memory of 4664	5724	csc.exe	cvtres.exe
PID 2972 wrote to memory of 5188	2972	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe	Orcus.exe
PID 2972 wrote to memory of 5188	2972	3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe	Orcus.exe

C:\Users\Admin\AppData\Local\Temp\3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe
"C:\Users\Admin\AppData\Local\Temp\3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n9kmi5-x.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:5724

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC31CE.tmp"
3⤵
PID:4664

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
923KB

MD5
90aad458c97b7381972efdfb0b02c57e

SHA1
069220f73ef14d30816612450549ccd1faaca135

SHA256
3b1e335dac241e714b475cfeb2b5568c39dbd3fd660c8e2baded23e84246e8a1

SHA512
d6858685120dffac208cb8b7b90be0a3ade20984a9a4fb372ab4515f0f9fd57f52aabc630d272200294e35143bda3cfbb8b722c03852ea170493943c72ac1714

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES31CF.tmp

Filesize
1KB

MD5
82362d1492389ae11ff5efb492e63c88

SHA1
cab7cf20cb21de34f6cd160510b6fd753e1ad879

SHA256
cac8df9548a505c77aa9e9faf7e7ac8437d3d155d7507e7bebfc61b6ad32d686

SHA512
182e122ba57f4ff4b76e668bf19ea224c894e9e864bb4f8eafb033e7117b571c3093b20d45534eccced86a8724861a6c03e9207d74643b5a0ece38f8fc2091d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\n9kmi5-x.dll

Filesize
76KB

MD5
565d6ef98f98e8f1c4ce768caaed269b

SHA1
c820e5f9ac198db4a37776619131f50bd7b0437c

SHA256
0ccc2b3cbddc49592fbdbb3751b9fa797b2e26807a199108679da7fe9e9e3a10

SHA512
c90475156c48fe3d1acff6f6d0e9ff90e4a21651d30c7b1dca9ea6dca2f55d19725bb0b8051ed36a02f62eed79a7bd234ce33462555b34860109bc7895f87255

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC31CE.tmp

Filesize
676B

MD5
900785eea6a64508e4dabda7aa558ba9

SHA1
e8c9cdd1ad55718ed8f8fdc64a86ba5fbb7fa268

SHA256
a887a2567e59d71f3d27c302ad04da006db3e0ec5f308ecb1b06849f95ed1e09

SHA512
21933b66ef7b3a697e45de3644e191e5bd4e2fe6e12ed8e5cead38382a9287fe3242a5e4f78fc9357da2bd6cf8b439c2b5fc4558bc77580d0962e7c2572d62b0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n9kmi5-x.0.cs

Filesize
208KB

MD5
433c2bbf9ab11e0ffd1ffc16591b5c5a

SHA1
ca43c872ebfbd0b3299ae56d81cc863d2d2f9bed

SHA256
89655fb5dde0568b42fb92022823c23a312091e9c7fcc23121b3b9e576e31667

SHA512
e311df9cd4df293955fb94ecdd0e01f1de1fb720dcfb1f97d9d64714106d6bc9dca79815b53d52755cfb3029f1890753d577b99b42e04b5a87a0a980b60ddb6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\n9kmi5-x.cmdline

Filesize
349B

MD5
b503a7d36b65c238c202bcc5251f150e

SHA1
235326145b75fe996733650af38c6c94060448ee

SHA256
9903006a19c2bc2502ff5be220aed9f577d25445c5ebdd25564584e65e757f9a

SHA512
0ee8e5caf43c47b0dec89facb731dd771b34521bf3e1f5b63e37849a96ddd7dc595544f49301741d6a76ade8fb5cd85342b338c8d336eea97b6be62105824838

Download Submit
memory/2972-44-0x00007FFC539C0000-0x00007FFC54361000-memory.dmp

Filesize
9.6MB

Download
memory/2972-11-0x000000001CE70000-0x000000001CF0C000-memory.dmp

Filesize
624KB

Download
memory/2972-10-0x000000001C900000-0x000000001CDCE000-memory.dmp

Filesize
4.8MB

Download
memory/2972-25-0x000000001D420000-0x000000001D436000-memory.dmp

Filesize
88KB

Download
memory/2972-0-0x00007FFC53C75000-0x00007FFC53C76000-memory.dmp

Filesize
4KB

Download
memory/2972-9-0x000000001C420000-0x000000001C42E000-memory.dmp

Filesize
56KB

Download
memory/2972-27-0x000000001BF80000-0x000000001BF92000-memory.dmp

Filesize
72KB

Download
memory/2972-6-0x000000001C380000-0x000000001C3DC000-memory.dmp

Filesize
368KB

Download
memory/2972-1-0x00007FFC539C0000-0x00007FFC54361000-memory.dmp

Filesize
9.6MB

Download
memory/5188-46-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/5188-45-0x0000000000A10000-0x0000000000AFC000-memory.dmp

Filesize
944KB

Download
memory/5188-43-0x00007FFC501F3000-0x00007FFC501F5000-memory.dmp

Filesize
8KB

Download
memory/5188-47-0x0000000002C50000-0x0000000002C9E000-memory.dmp

Filesize
312KB

Download
memory/5188-48-0x0000000001300000-0x0000000001318000-memory.dmp

Filesize
96KB

Download
memory/5188-49-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/5724-24-0x00007FFC539C0000-0x00007FFC54361000-memory.dmp

Filesize
9.6MB

Download
memory/5724-50-0x00007FFC539C0000-0x00007FFC54361000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads