Analysis
max time kernel: 643s
max time network: 1162s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20-07-2024 16:57
Behavioral tasks
- behavioral1: sample java.exe, resource win7-20240704-en
- behavioral2: sample java.exe, resource win10-20240404-en
- behavioral3: sample java.exe, resource win10v2004-20240709-en
General
Target: java.exe
Size: 912KB
MD5: ded3e760ff8be2ba3644390356a06ecc
SHA1: bf35f9633107ec72a57157f24c4f080ed9203dd6
SHA256: 8fe37b9605617ca26443064f74eaaf156f43c7ef80deaecdc71eb5688f4cc255
SHA512: 11b7d51395a6dd952a231f093b79df87a1de7e62be6d9a8aadf73dc4dd20c8557b636bafd50672cdb06607bfcffe713685f51f218b7679e07177a42ff931bc62
SSDEEP: 12288:c0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCjRzUefAUQGYppMku77dG1lFlWu:gOK4MROxnFHVorrcI0AilFEvxHjWQg
Malware Config
Extracted family: orcus
0.tcp.eu.ngrok.io:10019
a6fa2ae42e784c859e6a44e0e55cd75b
autostart_method: Disable
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures
- Orcus RAT Executable (2 IoCs)
  resource / yara_rule:
  behavioral4/memory/948-1-0x00000000008B0000-0x000000000099A000-memory.dmp  orcus
  behavioral4/memory/948-79-0x0000000020930000-0x0000000020A1A000-memory.dmp  orcus
- Loads dropped DLL (1 IoC)
  pid / Process: 948  java.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 948  java.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege             948   java.exe
  Token: 33                           2684  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   2684  AUDIODG.EXE
- Suspicious use of WriteProcessMemory (14 IoCs; each entry is recorded twice in the log)
  description / pid / Process / procid_target:
  PID 948 wrote to memory of 2464    948   java.exe  81
  PID 948 wrote to memory of 1488    948   java.exe  84
  PID 1488 wrote to memory of 3096   1488  cmd.exe   86
  PID 1488 wrote to memory of 3908   1488  cmd.exe   87
  PID 1488 wrote to memory of 3388   1488  cmd.exe   88
  PID 1488 wrote to memory of 1448   1488  cmd.exe   89
  PID 1488 wrote to memory of 3896   1488  cmd.exe   90
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\java.exe  "C:\Users\Admin\AppData\Local\Temp\java.exe"  PID:948
  (Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory)
  - C:\Windows\SYSTEM32\cmd.exe  "cmd.exe"  PID:2464
  - C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{0ff10221-8010-4e81-bb63-4c28435d6ef3}.bat" "  PID:1488
    (Suspicious use of WriteProcessMemory)
    - C:\Windows\system32\PING.EXE  ping 127.0.0.1  PID:3096
      (Runs ping.exe)
    - C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /S /D /c" echo j "  PID:3908
    - C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\java.exe""  PID:3388
    - C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /S /D /c" echo j "  PID:1448
    - C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{0ff10221-8010-4e81-bb63-4c28435d6ef3}.bat"  PID:3896
- C:\Windows\system32\AUDIODG.EXE  C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004CC  PID:2684
  (Suspicious use of AdjustPrivilegeToken)
Downloads