Analysis

- max time kernel: 350s
- max time network: 876s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 20-07-2024 16:57
Behavioral tasks

- behavioral1: sample java.exe, resource win7-20240704-en
- behavioral2: sample java.exe, resource win10-20240404-en
- behavioral3: sample java.exe, resource win10v2004-20240709-en
General

- Target: java.exe
- Size: 912KB
- MD5: ded3e760ff8be2ba3644390356a06ecc
- SHA1: bf35f9633107ec72a57157f24c4f080ed9203dd6
- SHA256: 8fe37b9605617ca26443064f74eaaf156f43c7ef80deaecdc71eb5688f4cc255
- SHA512: 11b7d51395a6dd952a231f093b79df87a1de7e62be6d9a8aadf73dc4dd20c8557b636bafd50672cdb06607bfcffe713685f51f218b7679e07177a42ff931bc62
- SSDEEP: 12288:c0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCjRzUefAUQGYppMku77dG1lFlWu:gOK4MROxnFHVorrcI0AilFEvxHjWQg
Malware Config

Extracted: orcus
0.tcp.eu.ngrok.io:10019
a6fa2ae42e784c859e6a44e0e55cd75b

- autostart_method: Disable
- enable_keylogger: false
- install_path: %programfiles%\Orcus\Orcus.exe
- reconnect_delay: 10000
- registry_keyname: Orcus
- taskscheduler_taskname: Orcus
- watchdog_path: AppData\OrcusWatchdog.exe
Signatures

- Orcurs Rat Executable (1 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/2324-1-0x0000000000630000-0x000000000071A000-memory.dmp    orcus

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: java.exe
    description                pid    Process
    Token: SeDebugPrivilege    2324   java.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: java.exe, cmd.exe
    description                         pid    Process    procid_target
    PID 2324 wrote to memory of 4408    2324   java.exe   74
    PID 2324 wrote to memory of 4408    2324   java.exe   74
    PID 4408 wrote to memory of 2636    4408   cmd.exe    76
    PID 4408 wrote to memory of 2636    4408   cmd.exe    76
    PID 4408 wrote to memory of 5092    4408   cmd.exe    77
    PID 4408 wrote to memory of 5092    4408   cmd.exe    77
    PID 4408 wrote to memory of 4072    4408   cmd.exe    78
    PID 4408 wrote to memory of 4072    4408   cmd.exe    78
    PID 4408 wrote to memory of 4544    4408   cmd.exe    79
    PID 4408 wrote to memory of 4544    4408   cmd.exe    79
    PID 4408 wrote to memory of 680     4408   cmd.exe    80
    PID 4408 wrote to memory of 680     4408   cmd.exe    80

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\java.exe (PID 2324)
  command line: "C:\Users\Admin\AppData\Local\Temp\java.exe"
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4408)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{3e641002-4574-4618-b667-db31f565263b}.bat" "
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID 2636)
      command line: ping 127.0.0.1
      signatures: Runs ping.exe
    - C:\Windows\system32\cmd.exe (PID 5092)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo j "
    - C:\Windows\system32\cmd.exe (PID 4072)
      command line: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\java.exe""
    - C:\Windows\system32\cmd.exe (PID 4544)
      command line: C:\Windows\system32\cmd.exe /S /D /c" echo j "
    - C:\Windows\system32\cmd.exe (PID 680)
      command line: C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{3e641002-4574-4618-b667-db31f565263b}.bat"
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 181B
  MD5: ec9164cacc5f339e5a42efc5585211ed
  SHA1: c4c3c82471caa40cf18374c28223fb642635e583
  SHA256: 991fd9e45782f8fd989dd750845216da7bdd3c13868af30dfc0bd2a531696c4a
  SHA512: 5adcb2d338fe949dd0f8f05743b387e210137655cb41c62305653a00e27aea8f34bd477306690e401397b5c9bb9b4e6b48d9ce49ed26df8d17582264a0876a9d