Overview

overview

10

Static

static

10

75af63185c...d1.exe

windows7-x64

10

75af63185c...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-06-2024 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe

  • Size

    914KB

  • MD5

    8f4a262076a343c306b3e45a01c0a532

  • SHA1

    ffd57f1068cf5f7acb5f359b5e1a947ab04ab186

  • SHA256

    75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1

  • SHA512

    4fae8619281c39c729ce787536a3013377b74005d299666ec615e125be28c2505721d7a33c802c07a461f3e76180c7eac99c46c608818b439eb90f8dbef3ff8e

  • SSDEEP

    24576:vk84MROxnFR3NRirZlI0AilFEvxHi985o:vkPMijirZlI0AilFEvxHi

Score
10/10
orcusloxratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

lox

C2

8.tcp.ngrok.io:14334

Mutex

97a795082d1b4d009c62ffc5af327057

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe
    "C:\Users\Admin\AppData\Local\Temp\75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jjy1t7bo.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91F0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC91EF.tmp"
        3⤵
          PID:3284
      • C:\Program Files\Orcus\Orcus.exe
        "C:\Program Files\Orcus\Orcus.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
          "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 1156
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3940
          • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
            "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 1156
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:748
    • C:\Program Files\Orcus\Orcus.exe
      "C:\Program Files\Orcus\Orcus.exe"
      1⤵
      • Executes dropped EXE
      PID:4828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Orcus\Orcus.exe
      Filesize

      914KB

      MD5

      8f4a262076a343c306b3e45a01c0a532

      SHA1

      ffd57f1068cf5f7acb5f359b5e1a947ab04ab186

      SHA256

      75af63185c79dbface5db3bebe13b2e457a764b520cf6da9678eb8501c3e61d1

      SHA512

      4fae8619281c39c729ce787536a3013377b74005d299666ec615e125be28c2505721d7a33c802c07a461f3e76180c7eac99c46c608818b439eb90f8dbef3ff8e

      Download Submit

    • C:\Program Files\Orcus\Orcus.exe.config
      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES91F0.tmp
      Filesize

      1KB

      MD5

      635c23b6e44228f1252c5c209c7e373a

      SHA1

      c43deb6357fa8d072e3466ed3cb5ca35fde3e542

      SHA256

      19bdea42d41f6e29e657786c9649fcb8f11307031f550b2e732bdde6231f8296

      SHA512

      efae6e97ac76f4d33b4ab979ec8c7ccd26e7f83d0ea1ae89495d81457fb0886a0f7755678231c6e2814e7f2af662954c6692bc450411f27a48bd029723d069fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jjy1t7bo.dll
      Filesize

      76KB

      MD5

      cab962fcc7d401c90d7c1a80aea8a3b2

      SHA1

      48d20529267c378481e18d6d718096ee58201b65

      SHA256

      f23a56ef3ad3fae49b08f1cf1dba3b9c60f1b081944e93b5db78ae963c512d15

      SHA512

      aa94f2ca12ce6de1b8f3437c2c1ee007fbe97df18dafe5d85f989433e4b7c5b2a546e5591b12185bcb6c12f17d3a0fea896ba392e26367c7c0d8af732cbee9a7

      Download Submit

    • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      Filesize

      9KB

      MD5

      913967b216326e36a08010fb70f9dba3

      SHA1

      7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

      SHA256

      8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

      SHA512

      c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC91EF.tmp
      Filesize

      676B

      MD5

      cab9bac283d6acfe0fd8d231e50e0001

      SHA1

      ab07611d8415562871805062d95ffe5eb0e0d496

      SHA256

      fe1dd319af0f787b458c4282eb64b1530043c381b9af0bfcaefa36e67b3fe656

      SHA512

      051c86769c07e9f5702b2698efaca7904201cb58c4663554196daa7641f61fff7bf1a06adc62851ff18ed28997243ba4e008df203164e6bd02a042d5b5e93371

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\jjy1t7bo.0.cs
      Filesize

      208KB

      MD5

      0c3ccb198dd0ab1e88fa1fd80b068acf

      SHA1

      15be26e5bec53c24b05aa3e41745ce6e3865691c

      SHA256

      efaabd717a0b58f1852c25573f179ff9609549a9eb85a634820cf955ab315512

      SHA512

      a8c8a51732c0b2f2939075632478f5aef07f52b81a825539e003c6c812c235cd9c8d1769eed238349622c7bd96c8f6daed0010c049f6489b399275f0a4192955

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\jjy1t7bo.cmdline
      Filesize

      349B

      MD5

      8e4b7f9d5278d954b226981b2b8977d1

      SHA1

      a1fcaee86daef2cee836b3dc60356399d8b94ae0

      SHA256

      1b70273d7a06526bb6f2201255f5e59091f4034dcbbc5330577152672ca89037

      SHA512

      49bd7db324478dabf7a9fba478d98a8f213cc5e36ea8901747fa09e6d654c10a787439e1caaba67a4fb1043d896caf90074b009eb8f65cf7c62bd6b0e8c0eada

      Download Submit

    • memory/1156-44-0x0000000000540000-0x000000000062A000-memory.dmp

      Filesize

      936KB

      Download

    • memory/1156-67-0x00007FF8188E3000-0x00007FF8188E5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1156-49-0x000000001B8C0000-0x000000001B8D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1156-48-0x000000001B7A0000-0x000000001B7B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1156-46-0x000000001B600000-0x000000001B64E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/1156-45-0x0000000000F20000-0x0000000000F32000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1156-42-0x00007FF8188E3000-0x00007FF8188E5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2220-16-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2220-21-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3940-63-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5004-23-0x000000001C950000-0x000000001C966000-memory.dmp

      Filesize

      88KB

      Download

    • memory/5004-43-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/5004-2-0x000000001BC30000-0x000000001BC8C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/5004-5-0x000000001BE30000-0x000000001BE3E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5004-26-0x0000000001540000-0x0000000001548000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5004-25-0x000000001BB90000-0x000000001BBA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5004-6-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/5004-0-0x00007FF81C135000-0x00007FF81C136000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5004-1-0x00007FF81BE80000-0x00007FF81C821000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/5004-7-0x000000001C310000-0x000000001C7DE000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/5004-8-0x000000001C880000-0x000000001C91C000-memory.dmp

      Filesize

      624KB

      Download