orcus | b161c18a7a4b8d72ef498608c9738e57acbe3ffa633154dbe3e3d7bd56e67408

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

917KB
MD5

52650eecab548e66af5a61020cc4559c
SHA1

b6d081535cdc8cbbbfed1128b1bcf361065148b6
SHA256

b161c18a7a4b8d72ef498608c9738e57acbe3ffa633154dbe3e3d7bd56e67408
SHA512

25cbed29ff0d197e83177fb4ba68ed18e4248d49fa266d51959ff4facd342a4efd0854d90559543cb7902ca0cec7dfd298dbf6626846a01e6a3504dfa835900e
SSDEEP

24576:8+5T4MROxnFi3frGrZlI0AilFEvxHiFekO:V50MiofSrZlI0AilFEvxHis

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

tools-packed.gl.at.ply.gg:26970

Mutex

484b9aa2eada4b5f98624563470c68b8

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018bec-36.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000018bec-36.dat	orcus
behavioral1/memory/2584-40-0x0000000000FF0000-0x00000000010DC000-memory.dmp	orcus

Executes dropped EXE 4 IoCs

pid	Process
2584	Orcus.exe
2768	Orcus.exe
1628	OrcusWatchdog.exe
1292	OrcusWatchdog.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe.config	1.exe
File created	C:\Program Files\Orcus\Orcus.exe	1.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1292	OrcusWatchdog.exe
1292	OrcusWatchdog.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
2584	Orcus.exe
2584	Orcus.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe
1292	OrcusWatchdog.exe
2584	Orcus.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	Orcus.exe
Token: SeDebugPrivilege	1628	OrcusWatchdog.exe
Token: SeDebugPrivilege	1292	OrcusWatchdog.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2584	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2584	Orcus.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1564	2312	1.exe	31
PID 2312 wrote to memory of 1564	2312	1.exe	31
PID 2312 wrote to memory of 1564	2312	1.exe	31
PID 1564 wrote to memory of 1132	1564	csc.exe	33
PID 1564 wrote to memory of 1132	1564	csc.exe	33
PID 1564 wrote to memory of 1132	1564	csc.exe	33
PID 2312 wrote to memory of 2584	2312	1.exe	35
PID 2312 wrote to memory of 2584	2312	1.exe	35
PID 2312 wrote to memory of 2584	2312	1.exe	35
PID 1612 wrote to memory of 2768	1612	taskeng.exe	37
PID 1612 wrote to memory of 2768	1612	taskeng.exe	37
PID 1612 wrote to memory of 2768	1612	taskeng.exe	37
PID 2584 wrote to memory of 1628	2584	Orcus.exe	38
PID 2584 wrote to memory of 1628	2584	Orcus.exe	38
PID 2584 wrote to memory of 1628	2584	Orcus.exe	38
PID 2584 wrote to memory of 1628	2584	Orcus.exe	38
PID 1628 wrote to memory of 1292	1628	OrcusWatchdog.exe	39
PID 1628 wrote to memory of 1292	1628	OrcusWatchdog.exe	39
PID 1628 wrote to memory of 1292	1628	OrcusWatchdog.exe	39
PID 1628 wrote to memory of 1292	1628	OrcusWatchdog.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8a6wzgx7.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5E.tmp"
    3⤵
    PID:1132
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 2584
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 2584
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1292

C:\Windows\system32\taskeng.exe
taskeng.exe {3542F82D-ACE8-48B6-9457-2571ED356F61} S-1-5-21-2257386474-3982792636-3902186748-1000:CTBHAMHL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
917KB

MD5
52650eecab548e66af5a61020cc4559c

SHA1
b6d081535cdc8cbbbfed1128b1bcf361065148b6

SHA256
b161c18a7a4b8d72ef498608c9738e57acbe3ffa633154dbe3e3d7bd56e67408

SHA512
25cbed29ff0d197e83177fb4ba68ed18e4248d49fa266d51959ff4facd342a4efd0854d90559543cb7902ca0cec7dfd298dbf6626846a01e6a3504dfa835900e

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a6wzgx7.dll

Filesize
76KB

MD5
82a41c095f16fefd6567d7bea42a82ea

SHA1
32fff244e5bd1ee0ac51111e8128cb9cee333cf7

SHA256
62677b704f466e1a4717d55b409396f19756e7bf3958be077afb32feecda3792

SHA512
b4b894717e88d42cd282e8ef603449fadca813ea6cb81d543d40143756c138ff8f6b302061cbb416dbbb9490b48878192b3d4f9fbf90640c1da0410a2790fb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F.tmp

Filesize
1KB

MD5
d07181d92c4a3502cfa3b21c2db40435

SHA1
60eca1bc8fbec33a1909a0d546a0d31a1364085c

SHA256
24bddf41b048f4c331ae1b1c6ccc2396f17eeeadd0dcdd6e448d609dbe5bc573

SHA512
f8d04abdf839723aa0232367088a18a07e0747817997d1cbb7341e92f66415cd451576ab4df9ee431cc72ee40b20bb88ebcd56950768cc91ee3373c2805b9ce4

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_484b9aa2eada4b5f98624563470c68b8.dat

Filesize
1KB

MD5
fc26893ebeb20eedfda14e8f497b8d5d

SHA1
882280d59bba4becc24a61df8a2318065410900c

SHA256
f2127a2b361e0f631b4570a77788540f1362c0661933717ea408fb422ca452df

SHA512
28396af99fe88955c734a020a0614076cf5f5e48bf504c26cd5b4db14fa6e125bbfa961c474bd72fef71dda8ad9ff225f676f986fd91ad5ef43e6967ca5e416d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8a6wzgx7.0.cs

Filesize
208KB

MD5
c555d9796194c1d9a1310a05a2264e08

SHA1
82641fc4938680519c3b2e925e05e1001cbd71d7

SHA256
ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a

SHA512
0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8a6wzgx7.cmdline

Filesize
349B

MD5
21d47e229553756e51d64024b7b35946

SHA1
6728f22e4152542141022a3c80d6c7be32354e6f

SHA256
bbca72805f6c6aff121e10447142ba8ee7b08200fcd85e9b0fa81435c2f58045

SHA512
15833faf9189ae010a9c1529df9e1bb5e5e49d61dc8f7cecc3b29089f6ff7e254d3612598efe181d6d1b0f0deefe01d105890b2a2c998756813eb02532292cfb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5E.tmp

Filesize
676B

MD5
9bb2ef918facb14cebb45f2dbe947ebd

SHA1
0d3eb14115228ec1c4404cddae4db44fa3ef14dc

SHA256
2cd71a943b94f256a9c4406f19c78910d04fb5112f5a042e849ee4df9c56db39

SHA512
08c387980076d13cdd4e8990abdd1a65fccadf934414f2c9ec105732af2560298bd77d63ec2f119b26af70a8a1045525f1382f9e8edcaef517e1a290b457ea43

Download Submit
memory/1564-12-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/1564-17-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/1628-55-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/2312-29-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

Filesize
4KB

Download
memory/2312-1-0x0000000002280000-0x00000000022DC000-memory.dmp

Filesize
368KB

Download
memory/2312-22-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2312-23-0x000000001AEB0000-0x000000001AEB8000-memory.dmp

Filesize
32KB

Download
memory/2312-24-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2312-26-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2312-27-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2312-28-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2312-19-0x00000000022E0000-0x00000000022F6000-memory.dmp

Filesize
88KB

Download
memory/2312-21-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2312-4-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2312-39-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2312-0-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

Filesize
4KB

Download
memory/2312-2-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/2312-3-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2584-44-0x000000001AC40000-0x000000001AC58000-memory.dmp

Filesize
96KB

Download
memory/2584-45-0x000000001A860000-0x000000001A870000-memory.dmp

Filesize
64KB

Download
memory/2584-43-0x0000000000B20000-0x0000000000B6E000-memory.dmp

Filesize
312KB

Download
memory/2584-40-0x0000000000FF0000-0x00000000010DC000-memory.dmp

Filesize
944KB

Download