Analysis
-
max time kernel
37s -
max time network
32s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
26-10-2024 23:14
General
-
Target
xdrt.exe
-
Size
3.0MB
-
MD5
5b6c7b03ad1cf493281271a472dc6b2e
-
SHA1
edd7fc71647f2713c68391fb8b53488621d2c903
-
SHA256
9c5bedeffdd2f742124a0c081694eea2786a7bf4f9c7963a267aca508ea60f09
-
SHA512
3e0fee4c651c5fea933266822f6ff83143f8233a40885640349173e1ab386e06541b92cc522987120adbc5d1c665c9402099f0e5c594cb146d93c00f6e599747
-
SSDEEP
49152:tNJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXwrZz:tNJtODUKTslWp2MpbfGGilIJPypSbxEw
Malware Config
Extracted
orcus
6.tcp.eu.ngrok.io:10004
48cde11ddaf84e58b38e0cc8461c97c5
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 1 IoCs
-
UAC bypass 3 TTPs 6 IoCs
-
Orcurs Rat Executable 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
System policy modification 1 TTPs 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\xdrt.exe"C:\Users\Admin\AppData\Local\Temp\xdrt.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\esjm44qs.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87EE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC87ED.tmp"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{f7ced60c-26fb-4cb4-b212-8ddcbc6bd0ff}.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD55b6c7b03ad1cf493281271a472dc6b2e
SHA1edd7fc71647f2713c68391fb8b53488621d2c903
SHA2569c5bedeffdd2f742124a0c081694eea2786a7bf4f9c7963a267aca508ea60f09
SHA5123e0fee4c651c5fea933266822f6ff83143f8233a40885640349173e1ab386e06541b92cc522987120adbc5d1c665c9402099f0e5c594cb146d93c00f6e599747
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD5408641808e457ab6e23d62e59b767753
SHA14205cfa0dfdfee6be08e8c0041d951dcec1d3946
SHA2563921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258
SHA512e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb
-
Filesize
1KB
MD5ad66faf312d2aa3cef655644a536e723
SHA1f6602bac5554d676b8e65bc4eefc63360c38c33f
SHA2565d1bdc97f3ad75819ee9a0b8cc5830d30c1f022626722a7af716b1e4e4918d04
SHA51284f6dadfd9dffbaa635d806e619ee84f65f12b85a63b36905cddc03eb5ea57c7c63fc01cae417235ded887dc019a2f6179c3155c6425cb6fd253a003f2962300
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
76KB
MD5093a0b51fbd8be5148d3b4921ed9b0ee
SHA14fd8bddb6f2f3af913a644e1a6b86c18587cac1f
SHA2567210a3754111362e7eeac8bf315c2e7c102ae0dfaa0fc9a632572ce6555ee803
SHA512674cfa849d56794b46deac8f7df937250534b33e9bbbbc3187146f1914699b1861e2efa719ce49778afc027dda6967de8c573f58a1e08b73c7220a963f8218f2
-
Filesize
171B
MD5708a6ee3ff2d2f17ccad94ecc9ccf8c4
SHA1971cd585fb97655cd3f86cbe80359041ecf0605b
SHA25672bd4715f29087711eec64015d58ea5884e72eaee6ee2b6ab1c720aba0945fef
SHA512e979c67f94886def6523d415623278dc35e29015152968e9851883258031739719b85d2d5db7636d0fe8cf88734805befc4234e9ea1076b224ebbb9b57128c42
-
Filesize
676B
MD530a7563fd453875be28747954bde159a
SHA13048f88f5dee164afcd59228264d1b4350f2f61b
SHA2566066e713a118bbef44fdbb73c4de9978cab458f5f99f0f0840029c6c341c001c
SHA51249e9b9b1a0138de6a18d2af98f446fddb156f71b715606b7b0762fbc0a0ec43a0d8c7a31f10ca87e64a6ee83ad50315472edb0461b9996b9b2224368e5697ad9
-
Filesize
208KB
MD593f0e697beea6b722e68c61f6586f4bb
SHA16f2355f4b2a41d94285a7dbad407f9a72ca83728
SHA25615602ec06ab3dd64fca5dd82253252f55e5d1b40f3a6c0aad0c9a0a6e2903fca
SHA512464f6ae5d9e96b843846e3fd711d665e31274f1fc154bca170f25f3e85ad043fe38eaa638676807b7df3819d394ede3b70195339deb716372e957e7fc76676f8
-
Filesize
349B
MD51633a44994e4fa39d4ae251204f76fb7
SHA128047498e92a661824dfda067e8f39fe5fdd8632
SHA25601910092af997efb22d33124739efa9f049e4e10e65936c99d8523748f4053d4
SHA5120292b8b05ba08333f38a023d8a95b6836326f848b2362d67988d4819c125b100426b35c90cbf45b208a50c12ef5eaf89646384a2ae036b196bac2363a3d1d9db
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
3.0MB
-
Filesize
1.0MB
-
Filesize
312KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
368KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
4.8MB
-
Filesize
624KB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB