orcus | 08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10.exe
Size

3.0MB
MD5

7fc313209a40c3da1f080de07765b01d
SHA1

fdb724f810d7653773756990b5eb96b49c825308
SHA256

08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10
SHA512

6c7f6ab5526c411869a37de025e0bd9a614d2da72167b2a2094165fe866c23c4e19780ee3cf916727c840029e67fa38958d5cd79fc8c31e8ae75faf0802b07ee
SSDEEP

49152:O3X27p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpEu/nRFfjI7L0qbe:OWHTPJg8z1mKnypSbRxo9JCm

Score

10^/10

orcus новый тег rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Новый тег

31.44.184.52:40772

Mutex

sudo_onww42bjn4if50uperiikc2ib2cmw0qb

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\wordpresslinuxeternal\windowsdb.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a00000002341b-13.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/memory/4620-1-0x0000000000D20000-0x000000000101E000-memory.dmp	orcus
behavioral2/files/0x000a00000002341b-13.dat	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10.exe

Executes dropped EXE 7 IoCs

pid	Process
3828	windowsdb.exe
3480	windowsdb.exe
4892	windowsdb.exe
4528	windowsdb.exe
1556	windowsdb.exe
1816	windowsdb.exe
1820	windowsdb.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3828 set thread context of 3740	3828	windowsdb.exe	87
PID 3480 set thread context of 4796	3480	windowsdb.exe	89
PID 4892 set thread context of 4996	4892	windowsdb.exe	91
PID 4528 set thread context of 1932	4528	windowsdb.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4620	08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10.exe
3828	windowsdb.exe
3828	windowsdb.exe
3480	windowsdb.exe
3480	windowsdb.exe
4892	windowsdb.exe
4892	windowsdb.exe
4528	windowsdb.exe
4528	windowsdb.exe
3740	installutil.exe
3740	installutil.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10.exe
Token: SeDebugPrivilege	3828	windowsdb.exe
Token: SeDebugPrivilege	3480	windowsdb.exe
Token: SeDebugPrivilege	4892	windowsdb.exe
Token: SeDebugPrivilege	4528	windowsdb.exe
Token: SeDebugPrivilege	3740	installutil.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 3828	4620	08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10.exe	85
PID 4620 wrote to memory of 3828	4620	08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10.exe	85
PID 4620 wrote to memory of 3828	4620	08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10.exe	85
PID 3828 wrote to memory of 3740	3828	windowsdb.exe	87
PID 3828 wrote to memory of 3740	3828	windowsdb.exe	87
PID 3828 wrote to memory of 3740	3828	windowsdb.exe	87
PID 3828 wrote to memory of 3740	3828	windowsdb.exe	87
PID 3828 wrote to memory of 3740	3828	windowsdb.exe	87
PID 3828 wrote to memory of 3740	3828	windowsdb.exe	87
PID 3828 wrote to memory of 3740	3828	windowsdb.exe	87
PID 3828 wrote to memory of 3740	3828	windowsdb.exe	87
PID 3480 wrote to memory of 4796	3480	windowsdb.exe	89
PID 3480 wrote to memory of 4796	3480	windowsdb.exe	89
PID 3480 wrote to memory of 4796	3480	windowsdb.exe	89
PID 3480 wrote to memory of 4796	3480	windowsdb.exe	89
PID 3480 wrote to memory of 4796	3480	windowsdb.exe	89
PID 3480 wrote to memory of 4796	3480	windowsdb.exe	89
PID 3480 wrote to memory of 4796	3480	windowsdb.exe	89
PID 3480 wrote to memory of 4796	3480	windowsdb.exe	89
PID 4892 wrote to memory of 4996	4892	windowsdb.exe	91
PID 4892 wrote to memory of 4996	4892	windowsdb.exe	91
PID 4892 wrote to memory of 4996	4892	windowsdb.exe	91
PID 4892 wrote to memory of 4996	4892	windowsdb.exe	91
PID 4892 wrote to memory of 4996	4892	windowsdb.exe	91
PID 4892 wrote to memory of 4996	4892	windowsdb.exe	91
PID 4892 wrote to memory of 4996	4892	windowsdb.exe	91
PID 4892 wrote to memory of 4996	4892	windowsdb.exe	91
PID 4528 wrote to memory of 1932	4528	windowsdb.exe	93
PID 4528 wrote to memory of 1932	4528	windowsdb.exe	93
PID 4528 wrote to memory of 1932	4528	windowsdb.exe	93
PID 4528 wrote to memory of 1932	4528	windowsdb.exe	93
PID 4528 wrote to memory of 1932	4528	windowsdb.exe	93
PID 4528 wrote to memory of 1932	4528	windowsdb.exe	93
PID 4528 wrote to memory of 1932	4528	windowsdb.exe	93
PID 4528 wrote to memory of 1932	4528	windowsdb.exe	93

C:\Users\Admin\AppData\Local\Temp\08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10.exe
"C:\Users\Admin\AppData\Local\Temp\08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
  "C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3740

C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  PID:4796

C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
  2⤵
  PID:4996

C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
  2⤵
  PID:1932

C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
1⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe
1⤵
- Executes dropped EXE
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\caspol.exe.log

Filesize
1KB

MD5
0672db2ef13237d5cb85075ff4915942

SHA1
ad8b4d3eb5e40791c47d48b22e273486f25f663f

SHA256
0a933408890369b5a178f9c30aa93d2c94f425650815cf8e8310de4e90a3b519

SHA512
84ad10ba5b695567d33a52f786405a5544aa49d8d23631ba9edf3afa877c5dbd81570d15bcf74bce5d9fb1afad2117d0a4ef913b396c0d923afefe615619c84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windowsdb.exe.log

Filesize
1KB

MD5
663b8d5469caa4489d463aa9bc18124f

SHA1
e57123a7d969115853ea631a3b33826335025d28

SHA256
7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8

SHA512
45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

Download Submit
C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe

Filesize
3.0MB

MD5
7fc313209a40c3da1f080de07765b01d

SHA1
fdb724f810d7653773756990b5eb96b49c825308

SHA256
08ceb7c414a1389d1c84acebf18e05aca59e2b3c732dd117685d77bda2be3a10

SHA512
6c7f6ab5526c411869a37de025e0bd9a614d2da72167b2a2094165fe866c23c4e19780ee3cf916727c840029e67fa38958d5cd79fc8c31e8ae75faf0802b07ee

Download Submit
C:\Users\Admin\AppData\Roaming\wordpresslinuxeternal\windowsdb.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
memory/3480-30-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/3480-28-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/3480-37-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/3740-50-0x0000000007000000-0x0000000007012000-memory.dmp

Filesize
72KB

Download
memory/3740-57-0x0000000008130000-0x0000000008180000-memory.dmp

Filesize
320KB

Download
memory/3740-56-0x00000000071F0000-0x00000000071FE000-memory.dmp

Filesize
56KB

Download
memory/3740-55-0x0000000007C10000-0x0000000007DD2000-memory.dmp

Filesize
1.8MB

Download
memory/3740-45-0x00000000067D0000-0x00000000067DA000-memory.dmp

Filesize
40KB

Download
memory/3740-44-0x00000000064A0000-0x00000000064B0000-memory.dmp

Filesize
64KB

Download
memory/3740-52-0x00000000070A0000-0x00000000070EC000-memory.dmp

Filesize
304KB

Download
memory/3740-54-0x0000000007230000-0x000000000733A000-memory.dmp

Filesize
1.0MB

Download
memory/3740-46-0x0000000006F60000-0x0000000006FC6000-memory.dmp

Filesize
408KB

Download
memory/3740-43-0x0000000005B10000-0x0000000005B28000-memory.dmp

Filesize
96KB

Download
memory/3740-49-0x00000000075F0000-0x0000000007C08000-memory.dmp

Filesize
6.1MB

Download
memory/3740-51-0x0000000007060000-0x000000000709C000-memory.dmp

Filesize
240KB

Download
memory/3828-33-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/3828-29-0x00000000064C0000-0x000000000655C000-memory.dmp

Filesize
624KB

Download
memory/3828-26-0x0000000005B60000-0x0000000005BAE000-memory.dmp

Filesize
312KB

Download
memory/3828-25-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/3828-23-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/4620-7-0x0000000006250000-0x0000000006262000-memory.dmp

Filesize
72KB

Download
memory/4620-3-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/4620-5-0x0000000006360000-0x0000000006904000-memory.dmp

Filesize
5.6MB

Download
memory/4620-2-0x0000000005970000-0x000000000597E000-memory.dmp

Filesize
56KB

Download
memory/4620-0-0x000000007545E000-0x000000007545F000-memory.dmp

Filesize
4KB

Download
memory/4620-1-0x0000000000D20000-0x000000000101E000-memory.dmp

Filesize
3.0MB

Download
memory/4620-4-0x00000000059C0000-0x0000000005A1C000-memory.dmp

Filesize
368KB

Download
memory/4620-24-0x0000000075450000-0x0000000075C00000-memory.dmp

Filesize
7.7MB

Download
memory/4620-6-0x0000000005DB0000-0x0000000005E42000-memory.dmp

Filesize
584KB

Download
memory/4892-38-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download