Analysis

max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 19/09/2024, 20:56
Behavioral task: behavioral1
Sample: 123123.exe
Resource: win7-20240704-en
General

Target: 123123.exe
Size: 903KB
MD5: be600c84c2975ab640487f7d896080d8
SHA1: 6eb2dbaace9f52f08000908c82b02827ca401838
SHA256: f053cf0164ed9a1c81f220ae3d1002acb7d4fb0154ee9e08588a6d24f84a24f1
SHA512: 9b5c0aaa3dbd61f8d2aaecb2b44de0d1bb47e72f42bd63d3f46b7c95feeed2271ed5ee497e27da5ca09dbd4429a08230c8a5f4bd1fef9b71024dd33e5f95fadb
SSDEEP: 12288:g8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvB0:R3s4MROxnF9LqrZlI0AilFEvxHi+o
Malware Config

Extracted: orcus
23.84.85.170:8888
6c8f63d94afe4a09b223a2e8da9b77f3
autostart_method: Disable
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures

Orcus main payload (1 IoC)
  resource | yara_rule
  behavioral2/files/0x0008000000023489-35.dat | family_orcus

Orcurs Rat Executable (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0008000000023489-35.dat | orcus
  behavioral2/memory/548-44-0x0000000000320000-0x0000000000408000-memory.dmp | orcus

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 123123.exe

Executes dropped EXE (1 IoC)
  pid | Process
  548 | Orcus.exe

Drops desktop.ini file(s) (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\assembly\Desktop.ini | 123123.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 123123.exe

Drops file in Program Files directory (3 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Orcus\Orcus.exe | 123123.exe
  File opened for modification | C:\Program Files\Orcus\Orcus.exe | 123123.exe
  File created | C:\Program Files\Orcus\Orcus.exe.config | 123123.exe

Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\assembly | 123123.exe
  File created | C:\Windows\assembly\Desktop.ini | 123123.exe
  File opened for modification | C:\Windows\assembly\Desktop.ini | 123123.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 548 | Orcus.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  548 | Orcus.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  548 | Orcus.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 2564 wrote to memory of 2680 | 2564 | 123123.exe | 82
  PID 2564 wrote to memory of 2680 | 2564 | 123123.exe | 82
  PID 2680 wrote to memory of 4104 | 2680 | csc.exe | 84
  PID 2680 wrote to memory of 4104 | 2680 | csc.exe | 84
  PID 2564 wrote to memory of 548 | 2564 | 123123.exe | 90
  PID 2564 wrote to memory of 548 | 2564 | 123123.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\123123.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\123123.exe"
  PID: 2564
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eqxxu3qg.cmdline"
      PID: 2680
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9E15.tmp"
          PID: 4104

    C:\Program Files\Orcus\Orcus.exe
      Command line: "C:\Program Files\Orcus\Orcus.exe"
      PID: 548
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 903KB
MD5: be600c84c2975ab640487f7d896080d8
SHA1: 6eb2dbaace9f52f08000908c82b02827ca401838
SHA256: f053cf0164ed9a1c81f220ae3d1002acb7d4fb0154ee9e08588a6d24f84a24f1
SHA512: 9b5c0aaa3dbd61f8d2aaecb2b44de0d1bb47e72f42bd63d3f46b7c95feeed2271ed5ee497e27da5ca09dbd4429a08230c8a5f4bd1fef9b71024dd33e5f95fadb

Filesize: 357B
MD5: a2b76cea3a59fa9af5ea21ff68139c98
SHA1: 35d76475e6a54c168f536e30206578babff58274
SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Filesize: 1KB
MD5: 4c657a7a06b4bffc6a6413a6d3dc4f4f
SHA1: 13624e7c40c6598e8beaa890df2fa148085ada3e
SHA256: 2a9f0387d012b77fef63a448da4767a7a14f19f7afe04bc224ba39adba03340c
SHA512: 2e56110491e3c34157041b251c3e75a21e815bf09650defaf654829e5708da2f0488229fb960176b3d606d7cbbef6fc6df368bfc9d7e82d86fe715741db4a8ec

Filesize: 76KB
MD5: ec65f68692ab4bb21c9daf9a361c684d
SHA1: 6b5c7d508bd37d611d1236266e5a40f8ba07523c
SHA256: 34e73bcc365294885ff7349b1e06ce1b748783e7322bf10aa6ecc89d84902f35
SHA512: 1788dd42eeb55ed5262be93c5da4469f00d050ae1b91a5c7c00e3fd6117d5116c9671a74c7705c366e88667c10076785b929d86f77ffe54aa5210b65585ca9eb

Filesize: 676B
MD5: 1d716f1f32e70424bdd4acdd0be1f54d
SHA1: 728599383c6d63500e33a4ca9d0a75d713499433
SHA256: af03cb4e08efceb0ccc82ffa25025a3971d111582711405f77b8c36206e305f1
SHA512: b3ee82ef15ae5dc52341f3272c84a11858a7e336e9aed5e5f1aa6c59954c0bc2c7623e5dce806091e20970585b1c9d2d3260f7d6db33567e19f4ce6e1823b485

Filesize: 208KB
MD5: d99a6ea726b01452f6c7054e6bda8e02
SHA1: eba2d350a4d967c7a1fef49b1022ee369f3ef799
SHA256: 4cd39766f9c3d6330a0ea8ddb085f13bd2031446e45fe14e087e1b21ba9e9cae
SHA512: 706a6507ffddcbea925566c73a0784cdbc044730c634e131d0d3fb045a0a4e995941c8505a096d3a4ddea6220c51f20d7d01ff1b1c18a64ed5b2ba2cd24f28bf

Filesize: 349B
MD5: 59f308a97ac807e974bbc14577f7b4a4
SHA1: 318e3392aeffe1b69f7e6102f5edcfbe117a72b5
SHA256: 4d5ccbd3d3df7d607221ef2c50da2820af66013ebb7aeea8543c607114454f61
SHA512: 16be9ece5e8edf37b12670f2c48d73cb43af79a5891bfebf78fa149497ff34b1626210886aa70307e02073fc0300f25ac70ac54a9b0517a31111776dd8270e53