Analysis
max time kernel: 720s
max time network: 724s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2024 16:57
Behavioral tasks
behavioral1: sample java.exe, resource win7-20240704-en
behavioral2: sample java.exe, resource win10-20240404-en
behavioral3: sample java.exe, resource win10v2004-20240709-en
General
Target: java.exe
Size: 912KB
MD5: ded3e760ff8be2ba3644390356a06ecc
SHA1: bf35f9633107ec72a57157f24c4f080ed9203dd6
SHA256: 8fe37b9605617ca26443064f74eaaf156f43c7ef80deaecdc71eb5688f4cc255
SHA512: 11b7d51395a6dd952a231f093b79df87a1de7e62be6d9a8aadf73dc4dd20c8557b636bafd50672cdb06607bfcffe713685f51f218b7679e07177a42ff931bc62
SSDEEP: 12288:c0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCjRzUefAUQGYppMku77dG1lFlWu:gOK4MROxnFHVorrcI0AilFEvxHjWQg
Malware Config
Extracted: orcus
0.tcp.eu.ngrok.io:10019
a6fa2ae42e784c859e6a44e0e55cd75b
autostart_method: Disable
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures
- Orcurs Rat Executable (1 IoC)
  resource: behavioral1/memory/2776-1-0x00000000010D0000-0x00000000011BA000-memory.dmp, yara_rule: orcus
- Deletes itself (1 IoC)
  pid 2316 cmd.exe
- Loads dropped DLL (1 IoC)
  pid 2776 java.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (java.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (java.exe)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (59 IoCs)
  pid 2776 java.exe (59 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2776 java.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2776 java.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  PID 2776 (java.exe) wrote to memory of 1120, procid_target 31 (3 occurrences)
  PID 1120 (cmd.exe) wrote to memory of 1100, procid_target 33 (3 occurrences)
  PID 1120 (cmd.exe) wrote to memory of 2632, procid_target 34 (3 occurrences)
  PID 1120 (cmd.exe) wrote to memory of 2316, procid_target 35 (3 occurrences)
  PID 1120 (cmd.exe) wrote to memory of 2112, procid_target 36 (3 occurrences)
  PID 1120 (cmd.exe) wrote to memory of 1588, procid_target 37 (3 occurrences)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\java.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\java.exe"
  PID: 2776
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\{e9451254-c195-4a62-af51-b775a4e0a2f0}.bat" "
    PID: 1120
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\PING.EXE
      command line: ping 127.0.0.1
      PID: 1100
      - Runs ping.exe
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo j "
      PID: 2632
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\java.exe""
      PID: 2316
      - Deletes itself
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo j "
      PID: 2112
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{e9451254-c195-4a62-af51-b775a4e0a2f0}.bat"
      PID: 1588
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

File 2
Filesize: 181B
MD5: 746c1b8c2c71f34b63509e3032573465
SHA1: 5c6c8fff28b2aee619ef53e049ddb72eb8cd614d
SHA256: 1a9017eca85330f4ad906ab8b07524a8dd0f9fa10da5aaaebadd1f2e018608ab
SHA512: a4deda511ca21f1d4fb305780669a816c06b61ce89222ce5b095d009e9ee3a6d7e8762b5a43759514626b55d189d27fcf227baca4af6c6082c4d98501d6087ab

File 3
Filesize: 662KB
MD5: b36cc7f7c7148a783fbed3493bc27954
SHA1: 44b39651949a00cf2a5cbba74c3210b980ae81b4
SHA256: c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38
SHA512: c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2