Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
04-09-2024 01:27
General
-
Target
a9aa350b786356d7d78279e338ccc590N.exe
-
Size
7.6MB
-
MD5
a9aa350b786356d7d78279e338ccc590
-
SHA1
248541c0cac6a66ba81dd8573470a15fd6107ddd
-
SHA256
1a740ea5fc256aeac6c2df54d489e502cd2b752c20c09495ff879705f4bf5a0c
-
SHA512
c7c4f3412ec0e027f5230b9912a1c2885c075cfc3cd5836ee21be44a93bf81df9afad7dda12274a29e5607f50a1ddb3290462170098dd53b731a4582d8890ef1
-
SSDEEP
196608:0N/rsm+cw4nWA4e9p9KGOXvFzYJncZfN/rsm+cw9nWA4e9p9KGOXvFzYJncZwh:0N/rsr4nC0PodYJncpN/rsr9nC0PodYt
Malware Config
Extracted
orcus
127.0.0.1:10134
-
autostart_method
Disable
-
enable_keylogger
true
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Orcurs Rat Executable 12 IoCs
-
Suspicious Office macro 4 IoCs
Office document equipped with macros.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 6 IoCs
-
Themida packer 15 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9aa350b786356d7d78279e338ccc590N.exe"C:\Users\Admin\AppData\Local\Temp\a9aa350b786356d7d78279e338ccc590N.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_a9aa350b786356d7d78279e338ccc590N.exe"C:\Users\Admin\AppData\Local\Temp\._cache_a9aa350b786356d7d78279e338ccc590N.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Orcus\Orcus.exe"C:\Program Files (x86)\Orcus\Orcus.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
7.6MB
MD5a9aa350b786356d7d78279e338ccc590
SHA1248541c0cac6a66ba81dd8573470a15fd6107ddd
SHA2561a740ea5fc256aeac6c2df54d489e502cd2b752c20c09495ff879705f4bf5a0c
SHA512c7c4f3412ec0e027f5230b9912a1c2885c075cfc3cd5836ee21be44a93bf81df9afad7dda12274a29e5607f50a1ddb3290462170098dd53b731a4582d8890ef1
-
Filesize
903KB
MD5f25eb9be765070030a1f2e26deb22abe
SHA11cc47835cfe0472b285f891b2e66cc43a14a1ed1
SHA2561e66f6824062400a6c9a8d7de09c7f3a1fa6b07273d8a97adf332b21b88905d7
SHA5125e2229f652207812cc61cb4bd5f96fbee071424c5013dc66a70316cf6526460b927dd6595353b89ff5cf6f3653b996df99d11ae1bdebfc84bbe6755cedded6c1
-
Filesize
22KB
MD5750769e760c4598365adc494a19a73dc
SHA1178d97636035229faa7bff2eb63a6b8e7110998a
SHA256b8e69fd12715236f6e2616b027f3b74688cb10886268b874eaac9e4d4f4cf842
SHA5127ce0d683e18af45f545d15e06357de7c8109059e64d4b0c6f9f53493af8ac7e25f34c5a983ac4fc0c487940e5745b39e2b291be73f37eb9948e1c08a511926ee
-
Filesize
26KB
MD5b043e7119c34a0c5c37e8d3ee8ab2ff3
SHA161093379d310b0fa28ba15c283d807ca762f0e4f
SHA2566edacddcdc4d02a581fae6b4b125391fe26d21620af4f418464233d74727ea69
SHA512e6ff93ed382c049857e306022875f5ecffa4868815879fe900114a9dfcd0429460a42701d056133152e0c62d1e43c015b71a05962a0580e678881444847aba12
-
Filesize
28KB
MD5f18075103fd67619d35300b0101f0a8e
SHA1e3f587237ad070b8afceed7c14ac0fad4e628269
SHA2562ca41bffdcdcecc6c6c999a1a884cf9d90a9176646cf9f18e9df7bac3d6b830e
SHA512da0df564e2e59ad0c5a57273b2ba8c682a0e6f206997fde3e4a6b5ade33949846eb421027e847ba487af6c76e9abf28118cb36d69355629a3787f885af40d0bb
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
25KB
MD59f97489f34ac0e9d61af598165f89798
SHA1bf3c235ac1c368c06761ac9fdaacab2a6497913e
SHA256ecdb4745f3b2783e0caf60a4f397b30a3aaa5cfc4107217c6d3939d8fc812f31
SHA51207a339fd21fdef70de7400685692ac8846646b795ee1b56b48836bfead22c73df019c67f76a4fbf7bfd1f69a431e331325ace006344d3fe3752c51cbdf7469f1
-
Filesize
25KB
MD5e6152fbcc7b25cd0dec5258d31f77a3b
SHA11407015a491cafb6acdfb68587cc97606acd8c3f
SHA25632cd331b85c617be7e0661c1d3e68219b9f54d867a62eeb0c66de382003d1bbc
SHA5127f08ab25f6d262f0769d1cdcbd4f4e577a1716ed455c29788dc861e632b2d6c07107d05999338388d8bbd936d232dc50a7954667bf20025fb5a6d2edb22feb26
-
Filesize
165B
MD5ff09371174f7c701e75f357a187c06e8
SHA157f9a638fd652922d7eb23236c80055a91724503
SHA256e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882
-
Filesize
928KB
-
Filesize
72KB
-
Filesize
12.6MB
-
Filesize
64KB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
64KB
-
Filesize
928KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
8KB
-
Filesize
12.6MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
368KB
-
Filesize
928KB
-
Filesize
56KB