Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

3270183aab...12.exe

windows7-x64

10

3270183aab...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/07/2024, 01:06 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3270183aabe7610a9b989c4adcc3a7920edce0bc0ce49081a4ff91aaee00de12.exe

  • Size

    924KB

  • MD5

    0a1765fd60e984ac85e44a871c4b2d02

  • SHA1

    8d364b879d5ea4313a012256c8aa25dc2c763438

  • SHA256

    3270183aabe7610a9b989c4adcc3a7920edce0bc0ce49081a4ff91aaee00de12

  • SHA512

    25337f28219192721c7f7aa7c6c33eb99a5da6ddd873f37bb2dbdfff3391973301b194d99c44747f61ad35b4685409331c4ae068735d81dd131e2872eeccf1dc

  • SSDEEP

    24576:kmHR4MROxnFE3Ni4rrcI0AilFEvxHP4oo8:3uMiuw4rrcI0AilFEvxHP

Score
10/10
orcusratspywarestealer

Malware Config

Extracted

Family

orcus

C2

192.168.1.5:9889

Mutex

99c53a7c9aeb4515856ca28358669aa6

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3270183aabe7610a9b989c4adcc3a7920edce0bc0ce49081a4ff91aaee00de12.exe
    "C:\Users\Admin\AppData\Local\Temp\3270183aabe7610a9b989c4adcc3a7920edce0bc0ce49081a4ff91aaee00de12.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:3160
    • C:\Program Files (x86)\Orcus\Orcus.exe
      "C:\Program Files (x86)\Orcus\Orcus.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
        "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files (x86)\Orcus\Orcus.exe" 1924
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
          "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files (x86)\Orcus\Orcus.exe" 1924
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5028
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:1640
  • C:\Program Files (x86)\Orcus\Orcus.exe
    "C:\Program Files (x86)\Orcus\Orcus.exe"
    1⤵
    • Executes dropped EXE
    PID:3088

Network

  • flag-us
    DNS
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    55.36.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    55.36.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.58.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.58.20.217.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 192.168.1.5:9889
    Orcus.exe
    260 B
     5
  • 192.168.1.5:9889
    Orcus.exe
    260 B
     5
  • 192.168.1.5:9889
    Orcus.exe
    260 B
     5
  • 192.168.1.5:9889
    Orcus.exe
    260 B
     5
  • 192.168.1.5:9889
    Orcus.exe
    260 B
     5
  • 192.168.1.5:9889
    Orcus.exe
    260 B
     5
  • 192.168.1.5:9889
    Orcus.exe
    260 B
     5
  • 192.168.1.5:9889
    Orcus.exe
    260 B
     5
  • 192.168.1.5:9889
    Orcus.exe
    260 B
     5
  • 192.168.1.5:9889
    Orcus.exe
    260 B
     5
  • 192.168.1.5:9889
    Orcus.exe
    208 B
     4
  • 8.8.8.8:53
    4.159.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    4.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    55.36.223.20.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    22.58.20.217.in-addr.arpa
    dns
    71 B
     131 B
     1
    1

    DNS Request

    22.58.20.217.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Orcus\Orcus.exe
    Filesize

    924KB

    MD5

    0a1765fd60e984ac85e44a871c4b2d02

    SHA1

    8d364b879d5ea4313a012256c8aa25dc2c763438

    SHA256

    3270183aabe7610a9b989c4adcc3a7920edce0bc0ce49081a4ff91aaee00de12

    SHA512

    25337f28219192721c7f7aa7c6c33eb99a5da6ddd873f37bb2dbdfff3391973301b194d99c44747f61ad35b4685409331c4ae068735d81dd131e2872eeccf1dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log
    Filesize

    425B

    MD5

    4eaca4566b22b01cd3bc115b9b0b2196

    SHA1

    e743e0792c19f71740416e7b3c061d9f1336bf94

    SHA256

    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

    SHA512

    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    Filesize

    9KB

    MD5

    913967b216326e36a08010fb70f9dba3

    SHA1

    7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

    SHA256

    8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

    SHA512

    c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Orcus\err_99c53a7c9aeb4515856ca28358669aa6.dat
    Filesize

    1KB

    MD5

    ae7054dc91af3b02fabda3b24e274c8e

    SHA1

    7c2040812d5b34450fa85b61fc2ef3392c072648

    SHA256

    cc0c64e005aa757a799365b5c9a328d2f3fb59b390867b798f0fa7b7b6f37a20

    SHA512

    81ff613d466c7e95b1f279b5584e05c3f142ad70f56e0f4ab242c286a9a705f561bc5e3952154d3e45d310f44bb7515b98a0c58f408cae2d2a91bd20954f9578

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.exe
    Filesize

    21KB

    MD5

    e6fcf516d8ed8d0d4427f86e08d0d435

    SHA1

    c7691731583ab7890086635cb7f3e4c22ca5e409

    SHA256

    8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

    SHA512

    c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.exe.config
    Filesize

    357B

    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    Download Submit

  • memory/1640-86-0x00007FF9020A0000-0x00007FF902B61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1640-41-0x00007FF9020A0000-0x00007FF902B61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1640-42-0x000000001A7A0000-0x000000001A8AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1924-67-0x0000000006A40000-0x0000000006A4A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1924-61-0x0000000005EF0000-0x0000000005F3E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1924-58-0x0000000004D30000-0x0000000004D42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1924-62-0x0000000005F60000-0x0000000005F78000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1924-63-0x0000000005FE0000-0x0000000005FF8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1924-65-0x0000000006AD0000-0x0000000006C92000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1924-66-0x0000000006910000-0x0000000006920000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3008-10-0x00000000059E0000-0x0000000005A46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3008-5-0x0000000005330000-0x00000000058D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3008-15-0x0000000005C70000-0x0000000005D7A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3008-1-0x0000000000360000-0x000000000044E000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3008-2-0x0000000004C60000-0x0000000004C6E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3008-3-0x0000000004C70000-0x0000000004CCC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/3008-4-0x0000000074A30000-0x00000000751E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3008-17-0x0000000006000000-0x0000000006022000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3008-6-0x0000000004E20000-0x0000000004EB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3008-14-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3008-13-0x0000000005AB0000-0x0000000005AEC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3008-12-0x0000000005A50000-0x0000000005A62000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3008-57-0x0000000074A30000-0x00000000751E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3008-11-0x0000000006070000-0x0000000006688000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3008-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3008-9-0x0000000005240000-0x0000000005248000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3008-8-0x0000000004E10000-0x0000000004E18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3008-7-0x0000000004E00000-0x0000000004E12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3160-39-0x00007FF9020A0000-0x00007FF902B61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3160-38-0x00007FF9020A0000-0x00007FF902B61000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3160-34-0x0000000002BE0000-0x0000000002C1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3160-33-0x0000000002B80000-0x0000000002B92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3160-32-0x00007FF9020A3000-0x00007FF9020A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3160-31-0x00000000009E0000-0x00000000009EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3904-81-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

    Filesize

    32KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.