orcus | 59bafd4c82ebacac6b134fd031274210f66a12c391d06015484f63a87b54b461

Analysis

max time kernel
54s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lua Loader.exe
Size

1.2MB
MD5

34a466e51a80ad778b3e07aab08e934f
SHA1

189592eda4e8a4f051e1af4c56c8b2384c5c0e2b
SHA256

59bafd4c82ebacac6b134fd031274210f66a12c391d06015484f63a87b54b461
SHA512

699b11e1992ca2a1199fef70bdce13153e5868de4a655efd801de1972844b64bd3b947ecb62ff3148fa76c4eabe2ebbd19bc8b461546234d428ed5d8f04caecc
SSDEEP

24576:O5WHS04YNEMuExDiU6E5R9s8xY/2l/dRJ5dtsPxNGfySIbt+rO:O5Wd4auS+UjfU2T/5XDZIbt+r

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

147.185.221.21

Mutex

f446e131123a4c2c895327a980a93e72

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\Lua.exe
installservice
false
keylogger_enabled
false
newcreationdate
08/03/2024 19:46:52
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgNgAyADIANQBiADEAZABhADMAMAAyAGMANABhAGYAZgBiAGEAMwAyADQAYwBkAGMAYQA2AGIAZABkADAAYQA2AAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDIAYQA2AGMAMgBjADIANAA3ADUAOAA2ADQAZgA2AGEAOAA2ADUAZgBlADQAOQAzADQANwAyAGIANQA3AGYANgABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIDkAZgA0AGEAMAA0ADcAYwA5ADUAYwA2ADQAZABjADUAOQAwADgAZgBjAGEAMAA1AGYAMABkADcAYQA5AGMAOAACAAYG
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Lua Loader.exe

Executes dropped EXE 1 IoCs

pid	Process
2032	Lua.exe

Loads dropped DLL 1 IoCs

pid	Process
2032	Lua.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lua Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lua.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe
2032	Lua.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	Lua.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2032	Lua.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2032	Lua.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 2032	3612	Lua Loader.exe	87
PID 3612 wrote to memory of 2032	3612	Lua Loader.exe	87
PID 3612 wrote to memory of 2032	3612	Lua Loader.exe	87
PID 2032 wrote to memory of 3352	2032	Lua.exe	101
PID 2032 wrote to memory of 3352	2032	Lua.exe	101
PID 2032 wrote to memory of 3352	2032	Lua.exe	101
PID 3352 wrote to memory of 3540	3352	csc.exe	103
PID 3352 wrote to memory of 3540	3352	csc.exe	103
PID 3352 wrote to memory of 3540	3352	csc.exe	103
PID 2032 wrote to memory of 4780	2032	Lua.exe	105
PID 2032 wrote to memory of 4780	2032	Lua.exe	105
PID 2032 wrote to memory of 4780	2032	Lua.exe	105
PID 4780 wrote to memory of 5048	4780	csc.exe	107
PID 4780 wrote to memory of 5048	4780	csc.exe	107
PID 4780 wrote to memory of 5048	4780	csc.exe	107

C:\Users\Admin\AppData\Local\Temp\Lua Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Lua Loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Lua.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Lua.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\im2hl0cn\im2hl0cn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8.tmp" "c:\Users\Admin\AppData\Local\Temp\im2hl0cn\CSCA7.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3540
- - C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qjdgdpf\1qjdgdpf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4ED8.tmp" "c:\Users\Admin\AppData\Local\Temp\1qjdgdpf\CSC4ED7.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1qjdgdpf\1qjdgdpf.dll

Filesize
3KB

MD5
9176445b5eb7668137f6bacda9525280

SHA1
c43c97ce137b061d34120ff08ee35bd1f4c7a6db

SHA256
0a3d42947787ddef6f4af9bca3403131e3ca7976aa99c8f3aeb87743400aa376

SHA512
ceff17731890ce31471c80246530dbd3fccf41de8bdffaed417f23d1fa87b260b41c47f671675edab094d8f5ac7af7ea2346bff045e0b9235c79871a6f71ef69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4ED8.tmp

Filesize
1KB

MD5
4b97135e3ea76c9d000c68dc599fd218

SHA1
bfabc79ac671466ecd8e45982d2b278b4a2491a0

SHA256
1b5516c8aefc3fa002b5f312fd0eefd790ab8a4f1c0ae66ac40e837ff96af20c

SHA512
d6b0bf528a2c1d999405fbc09a61af462175e2948a8d183589a81cbc23a0cda51cfec570b84acccd75f578ebd510dd84ce974a5467cd3cececbd1d71ef8f843f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA8.tmp

Filesize
1KB

MD5
9e7c999ff66b9ec4a27c2846398dbe7a

SHA1
fc0b41f95eada19f2bfe826722ddd31e8ce4a17b

SHA256
4cb2afa7bb41afc2ff979814779a57c23e970780acf7f18aac239b1e517979ad

SHA512
bd3a029927400d3769c605d9bf7784a5b670a62dd0e4d1c39cc44d1976c6578c26f3e08dcf4ff31239dbb52255454389cd555e733dc2994a734005b2cdb0fe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\im2hl0cn\im2hl0cn.dll

Filesize
3KB

MD5
d1d605681029f10ad619c7aa646eb041

SHA1
ddf17f593a3990cd82d027733922eb59e70a87b7

SHA256
67efb93a1982cada1b7ecabce2832200635cafb69b60b1f870eed136de5aff4a

SHA512
019fe7b7bd3b40834a36b982bc4349f223720132695f78b59392141496e4276fdb5d6b343850445290540fdd589c1ea6150ac7b5bd006c77d14f8786459ebd64

Download Submit
C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Lua.exe

Filesize
1.2MB

MD5
34a466e51a80ad778b3e07aab08e934f

SHA1
189592eda4e8a4f051e1af4c56c8b2384c5c0e2b

SHA256
59bafd4c82ebacac6b134fd031274210f66a12c391d06015484f63a87b54b461

SHA512
699b11e1992ca2a1199fef70bdce13153e5868de4a655efd801de1972844b64bd3b947ecb62ff3148fa76c4eabe2ebbd19bc8b461546234d428ed5d8f04caecc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qjdgdpf\1qjdgdpf.0.cs

Filesize
297B

MD5
d1ec50346481bd11b2d8be43f6358af3

SHA1
2dfd60169ce047aa6c42e61492897e7d027f8712

SHA256
fb936f7a30099d17b28f4c38ee5fd79b46cbf6b3524445ebaea1dece8183bb72

SHA512
c60431823fadc13eebaaf63fb77360b60605e226868d098cf7ba034a16fc61f965455dd0b4ba4f1d557953696cf1a5d4921a9f717aba66f1e8b2b761cf909425

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qjdgdpf\1qjdgdpf.cmdline

Filesize
279B

MD5
bb46a9793e097694b2e1a4cc1ba97f37

SHA1
0ed368831bfd51cb0ae0b453da7bf46228a221a9

SHA256
cc58d243c0e715e4d780474606496a55a8acc58d04c4784de7bd2d588e16554c

SHA512
5eb0dec38bdeb6a3e9ef628b19d7fd6c3d64b44f5b31f57757e256cd21992a54690b1d8c013e88009812a595d5fac1bb6708d342eadb813d5a1dbd553f915482

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qjdgdpf\CSC4ED7.tmp

Filesize
652B

MD5
f1f03f2671cc211f0bdd8563be7f2c5c

SHA1
51a52f0c3bd65d89021529ff3c52cd2e6fcbfdb2

SHA256
43193843b31ace6155509af601eb190165f5e53ecf69a86352f65f2b0bd21c86

SHA512
354af71b974c35cd69520fa99701525a622eb12bd40c76e631f3d6d4320fdcb0c5fc462e11ae49f6ad0275566ba49f7655cf9bb3a64d1956db027bf7baaaa8b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\im2hl0cn\CSCA7.tmp

Filesize
652B

MD5
f2d96e76d91d73c6e40592d9e64d7bd4

SHA1
fc26454554ae38f378a01fbd5dbc2f45eea34557

SHA256
6dbe24df60c3c9719e16a1a027ccc6c3db5a04e3dca03101465092f53933454e

SHA512
577f451399ab50f6e0a9fe5b06a2192fef1ee444e3c56e191c8f842f4b0daa4abc5660ba422e9c4a647934797dfc70fafaf25d088c72a2f8881616c0e29a4fa7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\im2hl0cn\im2hl0cn.0.cs

Filesize
285B

MD5
4d95622f967f043b01d907b419b16f48

SHA1
4ee52dfc3011311a9db8f07341a58bac5a1f3c5a

SHA256
fa701a8903493269fa20d49fbf81d06120f978d18899a9b5b2e5a7e565ec73c8

SHA512
18c1c1ba1ea6fe8e62cf279d58229673c409843c679deaca73790855267b2f4ed1db60a61d7e6bcf82f670f155606f0d7c2883cfd4cc802863b35c0a06646ee7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\im2hl0cn\im2hl0cn.cmdline

Filesize
279B

MD5
7759c8d9c937592d8ed2b0e53e1059c2

SHA1
0fd0fc1c1cf4fb8b0b1f5d0f08f0d7366161b2f6

SHA256
a247732f703f2f860d9c844a9270fe3f17cb7612984b8832f9566c614dd20ec0

SHA512
af48fe2947cf9e96f059018648fb39456c58012f0f47ca0b5a404546275f1f34010243e7af745ded3c9b6e2c8b7b87b531c031557b953b2eda5d859014608ed2

Download Submit
memory/2032-43-0x0000000007680000-0x0000000007692000-memory.dmp

Filesize
72KB

Download
memory/2032-48-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2032-26-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2032-27-0x0000000006160000-0x0000000006322000-memory.dmp

Filesize
1.8MB

Download
memory/2032-28-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/2032-81-0x0000000006990000-0x0000000006998000-memory.dmp

Filesize
32KB

Download
memory/2032-37-0x0000000006BB0000-0x0000000006BBA000-memory.dmp

Filesize
40KB

Download
memory/2032-40-0x0000000007580000-0x000000000758C000-memory.dmp

Filesize
48KB

Download
memory/2032-41-0x0000000007590000-0x00000000075F6000-memory.dmp

Filesize
408KB

Download
memory/2032-42-0x0000000007C40000-0x0000000008258000-memory.dmp

Filesize
6.1MB

Download
memory/2032-66-0x00000000057B0000-0x00000000057B8000-memory.dmp

Filesize
32KB

Download
memory/2032-44-0x00000000076E0000-0x000000000771C000-memory.dmp

Filesize
240KB

Download
memory/2032-45-0x0000000007720000-0x000000000776C000-memory.dmp

Filesize
304KB

Download
memory/2032-46-0x00000000078B0000-0x00000000079BA000-memory.dmp

Filesize
1.0MB

Download
memory/2032-47-0x0000000008790000-0x0000000008CBC000-memory.dmp

Filesize
5.2MB

Download
memory/2032-24-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2032-49-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2032-50-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2032-52-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/3352-58-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/3612-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/3612-7-0x0000000005350000-0x0000000005358000-memory.dmp

Filesize
32KB

Download
memory/3612-8-0x0000000005370000-0x0000000005378000-memory.dmp

Filesize
32KB

Download
memory/3612-9-0x0000000005420000-0x00000000054D8000-memory.dmp

Filesize
736KB

Download
memory/3612-6-0x00000000052E0000-0x000000000532C000-memory.dmp

Filesize
304KB

Download
memory/3612-12-0x0000000005500000-0x000000000554E000-memory.dmp

Filesize
312KB

Download
memory/3612-5-0x0000000005380000-0x0000000005412000-memory.dmp

Filesize
584KB

Download
memory/3612-4-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/3612-3-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/3612-2-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/3612-25-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/3612-1-0x00000000003C0000-0x00000000004F4000-memory.dmp

Filesize
1.2MB

Download