Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
20-07-2024 01:22
General
-
Target
03bd0ad29d1b3efb2c876d5f4dbf800dd61df2e1b850c5f08c18cd14d39a97bb.exe
-
Size
907KB
-
MD5
2276a582ae9828473bd9d75de4bb5ee7
-
SHA1
bda02bec26b3e29044dd0a26ad9abab9a46b4bd3
-
SHA256
03bd0ad29d1b3efb2c876d5f4dbf800dd61df2e1b850c5f08c18cd14d39a97bb
-
SHA512
802b88660e4c75b69bbdb71dcae39cb4eef9440e1631ff2112317e08bcea2535e69401535cbef6413ff3500e72c622be19792ac08f44bca7f10376adff98b726
-
SSDEEP
24576:QNL34MROxnFpkptJSarrcI0AilFEvxHP1ooI:QWMiETSarrcI0AilFEvxHP
Score
10/10
Malware Config
Extracted
Family
orcus
C2
indi.dynamic-dns.net:10131
Mutex
f0fe7471fd9d446590c2f17aa5f38be0
Attributes
-
autostart_method
Disable
-
enable_keylogger
true
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcurs Rat Executable 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\03bd0ad29d1b3efb2c876d5f4dbf800dd61df2e1b850c5f08c18cd14d39a97bb.exe"C:\Users\Admin\AppData\Local\Temp\03bd0ad29d1b3efb2c876d5f4dbf800dd61df2e1b850c5f08c18cd14d39a97bb.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
928KB
-
Filesize
56KB
-
Filesize
368KB
-
Filesize
6.9MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
6.9MB