Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-10-2024 01:08
General
-
Target
f6165d4307d292ab5f69689aad2b3eea87d9b6189ff67c674067861f70976141.exe
-
Size
917KB
-
MD5
418ca841dfb9904c3c5c07b0b4a8cc22
-
SHA1
485b466fa3e7d45a693fe0cae66a4fa806d43d70
-
SHA256
f6165d4307d292ab5f69689aad2b3eea87d9b6189ff67c674067861f70976141
-
SHA512
0a8e96cd384b71f16a4c9d6f9069ad4f89271ca66c42cc54247cd0c66a0cbdeff097893b555d4d39ae81a09c50fa7384dedf09d5438655f70d0eccd38ef488c8
-
SSDEEP
24576:FmHR4MROxnF53ozrrcI0AilFEvxHPTIooo:MuMi7ozrrcI0AilFEvxHPT
Malware Config
Extracted
orcus
45.200.148.205:10134
ac5a4ebd7b5f431aa47967ded2179f16
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%programfiles%\sysreqfiles\winhost.exe
-
reconnect_delay
10000
-
registry_keyname
winhost
-
taskscheduler_taskname
winhost.
-
watchdog_path
AppData\winhosterf.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload 2 IoCs
-
Orcurs Rat Executable 3 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6165d4307d292ab5f69689aad2b3eea87d9b6189ff67c674067861f70976141.exe"C:\Users\Admin\AppData\Local\Temp\f6165d4307d292ab5f69689aad2b3eea87d9b6189ff67c674067861f70976141.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\sysreqfiles\winhost.exe"C:\Program Files (x86)\sysreqfiles\winhost.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\winhosterf.exe"C:\Users\Admin\AppData\Roaming\winhosterf.exe" /launchSelfAndExit "C:\Program Files (x86)\sysreqfiles\winhost.exe" 4012 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\winhosterf.exe"C:\Users\Admin\AppData\Roaming\winhosterf.exe" /watchProcess "C:\Program Files (x86)\sysreqfiles\winhost.exe" 4012 "/protectFile"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files (x86)\sysreqfiles\winhost.exe"C:\Program Files (x86)\sysreqfiles\winhost.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
917KB
MD5418ca841dfb9904c3c5c07b0b4a8cc22
SHA1485b466fa3e7d45a693fe0cae66a4fa806d43d70
SHA256f6165d4307d292ab5f69689aad2b3eea87d9b6189ff67c674067861f70976141
SHA5120a8e96cd384b71f16a4c9d6f9069ad4f89271ca66c42cc54247cd0c66a0cbdeff097893b555d4d39ae81a09c50fa7384dedf09d5438655f70d0eccd38ef488c8
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
910KB
MD57c0e71d0e5bb714f6e37301b88ed2e38
SHA184bcf457016b7bb25b27608d86fc435a612f8631
SHA2566d68371f2fa24f9d52cacd77c6dc68a208a2d0c03fd840525ab6fae0338b079d
SHA5125dc1bb1ed9d58c76727d16c703fe18673b11370c353002cd1b94464050497ceaf667be393d063ebe2a6021862904f13e3749925c1ce6448bb02761d51b0c0746
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
120KB
-
Filesize
48KB
-
Filesize
2.0MB
-
Filesize
120KB
-
Filesize
368KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
568KB
-
Filesize
952KB
-
Filesize
712KB
-
Filesize
56KB
-
Filesize
4.1MB
-
Filesize
288KB
-
Filesize
2.1MB
-
Filesize
23.5MB
-
Filesize
10.6MB
-
Filesize
736KB
-
Filesize
1.5MB
-
Filesize
396KB
-
Filesize
528KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
48KB
-
Filesize
464KB
-
Filesize
128KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
592KB
-
Filesize
2.0MB
-
Filesize
96KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
48KB
-
Filesize
128KB
-
Filesize
152KB
-
Filesize
256KB
-
Filesize
248KB
-
Filesize
176KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
144KB
-
Filesize
160KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
2.0MB
-
Filesize
56KB
-
Filesize
944KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
160KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
80KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
136KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
160KB
-
Filesize
120KB
-
Filesize
152KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
80KB
-
Filesize
48KB
-
Filesize
128KB
-
Filesize
104KB
-
Filesize
56KB
-
Filesize
40KB