orcus | a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe
Size

924KB
MD5

df4d4c4eee0bb233905ef88daca5e3e0
SHA1

4c9c17b1c2e1654c7da04a3674f02cc15502b550
SHA256

a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e
SHA512

63517b87374cc0e3cf5a20ce2e64e44355bc88cb5a9688127dcd7285b1092b46362495272274513ec33d16ab17d050f1f8ff988ad431c662ed0e315abadddc0d
SSDEEP

24576:Yzra4MROxnFE3KrXpmrZlI0AilFEvxHinj:Yz1MiuQpmrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

192.168.0.2:3294

Mutex

ef78f6dadb714fbfa27cffbd5e73fe5b

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\NvidiaControler\NvidiaControler.exe
reconnect_delay
10000
registry_keyname
NvidiaControler
taskscheduler_taskname
NvidiaControlers
watchdog_path
AppData\NvidiaControler.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001473f-43.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001473f-43.dat	orcus
behavioral1/memory/2116-47-0x0000000001080000-0x000000000116E000-memory.dmp	orcus

Executes dropped EXE 6 IoCs

pid	Process
2860	WindowsInput.exe
2520	WindowsInput.exe
2116	NvidiaControler.exe
1632	NvidiaControler.exe
2444	NvidiaControler.exe
2332	NvidiaControler.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\NvidiaControler\NvidiaControler.exe.config	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe
File created	C:\Program Files\NvidiaControler\NvidiaControler.exe	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe
File opened for modification	C:\Program Files\NvidiaControler\NvidiaControler.exe	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2116	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe
2116	NvidiaControler.exe
2116	NvidiaControler.exe
2332	NvidiaControler.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	NvidiaControler.exe
Token: SeDebugPrivilege	2444	NvidiaControler.exe
Token: SeDebugPrivilege	2332	NvidiaControler.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2116	NvidiaControler.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2116	NvidiaControler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2116	NvidiaControler.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 3020	2848	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe	28
PID 2848 wrote to memory of 3020	2848	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe	28
PID 2848 wrote to memory of 3020	2848	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe	28
PID 3020 wrote to memory of 2356	3020	csc.exe	30
PID 3020 wrote to memory of 2356	3020	csc.exe	30
PID 3020 wrote to memory of 2356	3020	csc.exe	30
PID 2848 wrote to memory of 2860	2848	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe	32
PID 2848 wrote to memory of 2860	2848	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe	32
PID 2848 wrote to memory of 2860	2848	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe	32
PID 2848 wrote to memory of 2116	2848	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe	34
PID 2848 wrote to memory of 2116	2848	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe	34
PID 2848 wrote to memory of 2116	2848	a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe	34
PID 2564 wrote to memory of 1632	2564	taskeng.exe	36
PID 2564 wrote to memory of 1632	2564	taskeng.exe	36
PID 2564 wrote to memory of 1632	2564	taskeng.exe	36
PID 2116 wrote to memory of 2444	2116	NvidiaControler.exe	37
PID 2116 wrote to memory of 2444	2116	NvidiaControler.exe	37
PID 2116 wrote to memory of 2444	2116	NvidiaControler.exe	37
PID 2116 wrote to memory of 2444	2116	NvidiaControler.exe	37
PID 2444 wrote to memory of 2332	2444	NvidiaControler.exe	38
PID 2444 wrote to memory of 2332	2444	NvidiaControler.exe	38
PID 2444 wrote to memory of 2332	2444	NvidiaControler.exe	38
PID 2444 wrote to memory of 2332	2444	NvidiaControler.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe
"C:\Users\Admin\AppData\Local\Temp\a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pbkwudxd.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES193C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC193B.tmp"
    3⤵
    PID:2356
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2860
- C:\Program Files\NvidiaControler\NvidiaControler.exe
  "C:\Program Files\NvidiaControler\NvidiaControler.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Roaming\NvidiaControler.exe
    "C:\Users\Admin\AppData\Roaming\NvidiaControler.exe" /launchSelfAndExit "C:\Program Files\NvidiaControler\NvidiaControler.exe" 2116 /protectFile
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Roaming\NvidiaControler.exe
      "C:\Users\Admin\AppData\Roaming\NvidiaControler.exe" /watchProcess "C:\Program Files\NvidiaControler\NvidiaControler.exe" 2116 "/protectFile"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2332

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\taskeng.exe
taskeng.exe {F16CCD95-B49C-4D87-82D8-FCA8ADDCBB93} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files\NvidiaControler\NvidiaControler.exe
  "C:\Program Files\NvidiaControler\NvidiaControler.exe"
  2⤵
  - Executes dropped EXE
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NvidiaControler\NvidiaControler.exe

Filesize
924KB

MD5
df4d4c4eee0bb233905ef88daca5e3e0

SHA1
4c9c17b1c2e1654c7da04a3674f02cc15502b550

SHA256
a96fb9f82e3e9c69d5e101f23d2f53899c2ac8d8fcb4ae638f1fe0225aee3b6e

SHA512
63517b87374cc0e3cf5a20ce2e64e44355bc88cb5a9688127dcd7285b1092b46362495272274513ec33d16ab17d050f1f8ff988ad431c662ed0e315abadddc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES193C.tmp

Filesize
1KB

MD5
19695e662da3e18968c6f69ee639e79f

SHA1
a04dc1756995630e1aef16cc76564c08a7e4b9a6

SHA256
8b15abb51e344f0dd3c5d3ea48f955939dc71591a2d55fb5b039b8c56b272351

SHA512
a86afacebb092a9e4af8e4774391dbc79010318cf08c3cc2965160a0a0e6acec96c1aaf64e747a0977ea3d02db8e11e62d28c15993a268bef380938395975c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbkwudxd.dll

Filesize
76KB

MD5
8ebb2a590b44758b064dab73436738a5

SHA1
18dbe4d42a9cd462e09d08a77adc30e015011a9e

SHA256
03f1641146b431a66832c563d7c59fbd33dab458d75c60e3eaf087baac830679

SHA512
f920662613ae821e3dd80983c6abf5bb0c1b2be3a09c2ee4c1e23ac376462e7c8557d87bb9fda4abd42ac6b8598f1d13932aab167163877af26a3ea9d2453452

Download Submit
C:\Users\Admin\AppData\Roaming\NvidiaControler.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_ef78f6dadb714fbfa27cffbd5e73fe5b.dat

Filesize
1KB

MD5
7c4fc283248152a1a7c982aaa4ca0299

SHA1
8a192900501caa78b9505bc9dec8fd98a9bc6f4d

SHA256
b6b134ba424c1b9fd2a58db9ccc58c2fb5c0daa5b961ed0fe97a0edec0846597

SHA512
134c167883325204dd42ac1d654ff1c0623a4e2b7ddbe85304f2ffc5b64b5ce0d4c1ff4a9a4313c2448f9641036b3aaf1a630b5a71146b4de5fa3d03259ce9cf

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC193B.tmp

Filesize
676B

MD5
fae629b991508481fc922c1a9ba88e38

SHA1
cef9752e892eadbca51e59c04a0e32cf41aecf85

SHA256
37f34cf0ca3fa5d32ab5a91497fa9d4852864c731eb90fc726d883707282ad30

SHA512
8baddf9cf8d0f343033f45c6b5bedf6e04a4150c29d027f55613361b8e0e95d2fb81c451627dc5930b4c1330ad3d5c36b93780394c603d4eed90c0cf6608221a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbkwudxd.0.cs

Filesize
208KB

MD5
6011503497b1b9250a05debf9690e52c

SHA1
897aea61e9bffc82d7031f1b3da12fb83efc6d82

SHA256
08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434

SHA512
604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pbkwudxd.cmdline

Filesize
349B

MD5
bd0148e0baad528bbfa00f3c2b5eca4e

SHA1
be9727a53632d9c0a48c0c94951f970baa100793

SHA256
6a52b977bb261f03fd3ceff7f849d4f632d653f8923e7553686b377be50236b2

SHA512
f502dbf37648dd20bb08cb1bccd607f00bf933eb8b443959af52fc7e1fe82b064dba3795a96b56d2f09b910021357fed9100fdf1ca390ee1e5c81990878cbd33

Download Submit
memory/2116-54-0x0000000000E10000-0x0000000000E20000-memory.dmp

Filesize
64KB

Download
memory/2116-53-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Filesize
96KB

Download
memory/2116-52-0x00000000005A0000-0x00000000005EE000-memory.dmp

Filesize
312KB

Download
memory/2116-49-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2116-47-0x0000000001080000-0x000000000116E000-memory.dmp

Filesize
952KB

Download
memory/2444-64-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2848-31-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-21-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2848-0-0x000007FEF616E000-0x000007FEF616F000-memory.dmp

Filesize
4KB

Download
memory/2848-4-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-2-0x0000000000280000-0x000000000028E000-memory.dmp

Filesize
56KB

Download
memory/2848-3-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-23-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/2848-48-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-22-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/2848-1-0x00000000023E0000-0x000000000243C000-memory.dmp

Filesize
368KB

Download
memory/2848-24-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2848-19-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/2860-34-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/3020-17-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-13-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download