orcus | 37a22a8adb289aa01b0a682fdea97105ac4df1bf6744fef205f5024405c1db55 | Triage

Sharing

General

Target

xdwd.exe
Size

3.0MB
Sample

241026-24y92szgjh
MD5

40887369c101155d2cb098a476c144a3
SHA1

7e5b376f1ed70c3fbfd34441a0c784b033191628
SHA256

37a22a8adb289aa01b0a682fdea97105ac4df1bf6744fef205f5024405c1db55
SHA512

a2870dcdc06f0523bd909760740b23392c5285f15b8bfc6738cc8ace46ff571f2db42cf4d3555fcdcd4902b07fd34bd3ed5cfc2802e7eec5ac82e07b258626df
SSDEEP

49152:tefEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmAX8rZz:teftODUKTslWp2MpbfGGilIJPypSbxEY

Score

10^/10

orcus defense_evasion evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

orcus

C2

193.161.193.99:43991

Mutex

4f1df520a99845e0841d321a8597e7ed

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Targets

- Target
  
  xdwd.exe
- Size
  
  3.0MB
- MD5
  
  40887369c101155d2cb098a476c144a3
- SHA1
  
  7e5b376f1ed70c3fbfd34441a0c784b033191628
- SHA256
  
  37a22a8adb289aa01b0a682fdea97105ac4df1bf6744fef205f5024405c1db55
- SHA512
  
  a2870dcdc06f0523bd909760740b23392c5285f15b8bfc6738cc8ace46ff571f2db42cf4d3555fcdcd4902b07fd34bd3ed5cfc2802e7eec5ac82e07b258626df
- SSDEEP
  
  49152:tefEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmAX8rZz:teftODUKTslWp2MpbfGGilIJPypSbxEY
Score

10^/10

defense_evasion evasion execution persistence privilege_escalation trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops desktop.ini file(s)
- Hijack Execution Flow: Executable Installer File Permissions Weakness
  Possible Turn off User Account Control's privilege elevation for standard users.
  defense_evasion persistence privilege_escalation
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Create or Modify System Process

Windows Service

Hijack Execution Flow

Executable Installer File Permissions Weakness

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Create or Modify System Process

Windows Service

Hijack Execution Flow

Executable Installer File Permissions Weakness

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Hijack Execution Flow

Executable Installer File Permissions Weakness

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

defense_evasionevasionexecutionpersistenceprivilege_escalationtrojan

behavioral2

defense_evasionevasionpersistenceprivilege_escalationtrojan