General
-
Target
test.exe
-
Size
3.0MB
-
Sample
241026-3a1rfsxrgm
-
MD5
7b3150ddd3df859f8f6f36cb041b23f7
-
SHA1
c3934ab76025c17cab3d309a96c1e32df9ad9d65
-
SHA256
675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
-
SHA512
a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
-
SSDEEP
49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw
Behavioral task
behavioral1
Sample
test.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
test.exe
Resource
win10ltsc2021-20241023-en
Malware Config
Extracted
orcus
Index1337z-43991.portmap.host:43991
be9b19219c62425cbffd5b98125d81a6
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
test.exe
-
Size
3.0MB
-
MD5
7b3150ddd3df859f8f6f36cb041b23f7
-
SHA1
c3934ab76025c17cab3d309a96c1e32df9ad9d65
-
SHA256
675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
-
SHA512
a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
-
SSDEEP
49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Orcus family
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Hijack Execution Flow: Executable Installer File Permissions Weakness
Possible Turn off User Account Control's privilege elevation for standard users.
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4