Resubmissions
26-10-2024 23:19
241026-3a1rfsxrgm 1026-10-2024 23:18
241026-3absbs1fnl 1026-10-2024 23:16
241026-29dkjaymaw 10Analysis
-
max time kernel
35s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-10-2024 23:16
General
-
Target
test.exe
-
Size
3.0MB
-
MD5
7b3150ddd3df859f8f6f36cb041b23f7
-
SHA1
c3934ab76025c17cab3d309a96c1e32df9ad9d65
-
SHA256
675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
-
SHA512
a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
-
SSDEEP
49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw
Malware Config
Extracted
orcus
Index1337z-43991.portmap.host:43991
be9b19219c62425cbffd5b98125d81a6
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 1 IoCs
-
UAC bypass 3 TTPs 6 IoCs
-
Orcurs Rat Executable 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
System policy modification 1 TTPs 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fdorqgj3.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB54.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAB44.tmp"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD57b3150ddd3df859f8f6f36cb041b23f7
SHA1c3934ab76025c17cab3d309a96c1e32df9ad9d65
SHA256675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
SHA512a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
1KB
MD52f98a96851eade64cc1e29d1a9cfc3e7
SHA119e3e51109fc26b3fed4bbfe679c8425004ce553
SHA2562f9c35bad1a7f83877c9a61da724c03427b77c5c2447d9a50f46d7add1725924
SHA5120dd4735db23ee222a0becf0f6ac7d56baba64e739d93497255c10ef9a5b3ea06213f162d478638fc95c3b33e0d2d9f0ca1eb5b0e47471b19b2c499cc07fc4a3a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
76KB
MD581b311dfe901c7b74c066c938e10b4fc
SHA1ad469a13cfc3322322bf420fca56488cd88e96ec
SHA256b333514cbe187d79a301abfb1e9a72a3a8a29e2fc6f394516db34e7de7a41382
SHA51250ddb0a79646167fa69a858eb1fb80b4d07e2b5085761dc82770baee28cd61a638df41de75fba9e1d08392b7cf0bc9b93be32e0a3530268f12c8cd9e714b61ab
-
Filesize
676B
MD5e765db30e1c17f80f99cc7770e38dd5f
SHA142e6d30dfb93425265347b7970304c479947739f
SHA25684666eeed177fdab724428c93e7347bead11ac8be99af24c04d9bdb9524a2a07
SHA5128351f450bdb90193f2c01bb82be8ef1e9e3caad3addfa6321dd8d22821e94161429cf14fe35d4c077a36e469b14c613c2125e5d380df7abb832cb7f4ebfddad7
-
Filesize
208KB
MD59d78b6ef0cf0f7efd4d774ffda46759c
SHA1a04f6bc1a9bf598ef41030d5a9691dfc8270c0a2
SHA256691d94681dd6005b1f78c7e6452d202f06a3527d105a8ce7740b1a57133f204b
SHA512bf951713645762fc8b28b0fd6b9b89f3bf878137a71129070d8171e3b3ef936e10ef3979eb5ebf8cca63f10beff790d1b2d6f3e01c9604e78c4d73b082e14c0b
-
Filesize
349B
MD58570395a563330dec5114e0efbdd2000
SHA11c0f872aef6928ac65f0aea7bd2b6664128fca6d
SHA25645bb56920c22e3c3061cdac80b5db77357891ca5435f6defa073ab1b0c0d3834
SHA5126c915cb866129e3312fa7e72e9448600889d31fa23eecd125f2303bacfac1b7c6c427436d24256184cec029d46af61cdd7449b24fee7eea67c2ee97ed536928f
-
Filesize
64KB
-
Filesize
3.0MB
-
Filesize
96KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
40KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
368KB
-
Filesize
56KB
-
Filesize
9.6MB
-
Filesize
88KB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB