Resubmissions
26-10-2024 23:19
241026-3a1rfsxrgm 10 26-10-2024 23:18
241026-3absbs1fnl 10 26-10-2024 23:16
241026-29dkjaymaw 10
Analysis
max time kernel: 23s
max time network: 26s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 26-10-2024 23:19
Behavioral task
behavioral1
Sample
test.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
test.exe
Resource
win10ltsc2021-20241023-en
General
Target: test.exe
Size: 3.0MB
MD5: 7b3150ddd3df859f8f6f36cb041b23f7
SHA1: c3934ab76025c17cab3d309a96c1e32df9ad9d65
SHA256: 675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
SHA512: a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
SSDEEP: 49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw
Malware Config
Extracted
orcus
Index1337z-43991.portmap.host:43991
be9b19219c62425cbffd5b98125d81a6
autostart_method: Disable
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral1/memory/116-24-0x00000000014D0000-0x00000000014DA000-memory.dmp | disable_win_def

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | Orcus.exe
Orcus family

Orcus main payload (1 IoC)
resource | yara_rule
behavioral1/files/0x000d000000023b74-52.dat | family_orcus

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | test.exe

Orcurs Rat Executable (2 IoCs)
resource | yara_rule
behavioral1/files/0x000d000000023b74-52.dat | orcus
behavioral1/memory/3596-61-0x0000000000970000-0x0000000000C6C000-memory.dmp | orcus
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | test.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | Orcus.exe

Executes dropped EXE (1 IoC)
pid | Process
3596 | Orcus.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | Orcus.exe

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | test.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | Orcus.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 2 IoCs)
Possible Turn off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | Orcus.exe

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files\Orcus\Orcus.exe | test.exe
File opened for modification | C:\Program Files\Orcus\Orcus.exe | test.exe
File created | C:\Program Files\Orcus\Orcus.exe.config | test.exe
File opened for modification | C:\Program Files\Orcus\Orcus.exe | Orcus.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1424 | PING.EXE

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
1424 | PING.EXE

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
936 | powershell.exe
936 | powershell.exe
1360 | powershell.exe
1360 | powershell.exe
1360 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 936 | powershell.exe
Token: SeDebugPrivilege | 1360 | powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
3596 | Orcus.exe

Suspicious use of SendNotifyMessage (1 IoC)
pid | Process
3596 | Orcus.exe

Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 116 wrote to memory of 3504 | 116 | test.exe | 86
PID 116 wrote to memory of 3504 | 116 | test.exe | 86
PID 3504 wrote to memory of 3868 | 3504 | csc.exe | 89
PID 3504 wrote to memory of 3868 | 3504 | csc.exe | 89
PID 116 wrote to memory of 936 | 116 | test.exe | 95
PID 116 wrote to memory of 936 | 116 | test.exe | 95
PID 116 wrote to memory of 3596 | 116 | test.exe | 98
PID 116 wrote to memory of 3596 | 116 | test.exe | 98
PID 3596 wrote to memory of 1360 | 3596 | Orcus.exe | 99
PID 3596 wrote to memory of 1360 | 3596 | Orcus.exe | 99
PID 3596 wrote to memory of 3332 | 3596 | Orcus.exe | 103
PID 3596 wrote to memory of 3332 | 3596 | Orcus.exe | 103
PID 3332 wrote to memory of 1424 | 3332 | cmd.exe | 105
PID 3332 wrote to memory of 1424 | 3332 | cmd.exe | 105
PID 3332 wrote to memory of 1520 | 3332 | cmd.exe | 106
PID 3332 wrote to memory of 1520 | 3332 | cmd.exe | 106
PID 3332 wrote to memory of 1428 | 3332 | cmd.exe | 107
PID 3332 wrote to memory of 1428 | 3332 | cmd.exe | 107
PID 3332 wrote to memory of 1688 | 3332 | cmd.exe | 108
PID 3332 wrote to memory of 1688 | 3332 | cmd.exe | 108
PID 3332 wrote to memory of 2932 | 3332 | cmd.exe | 109
PID 3332 wrote to memory of 2932 | 3332 | cmd.exe | 109
System policy modification (1 TTP, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | Orcus.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | test.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | test.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 116
  C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ntljyg0y.cmdline"
    - Suspicious use of WriteProcessMemory
    PID: 3504
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9962.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9961.tmp"
      PID: 3868
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 936
  C:\Program Files\Orcus\Orcus.exe
    "C:\Program Files\Orcus\Orcus.exe"
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 3596
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1360
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{9f1a84dc-b1e3-450f-8ebb-d4886c02c3ec}.bat" "
      - Suspicious use of WriteProcessMemory
      PID: 3332
      C:\Windows\system32\PING.EXE
        ping 127.0.0.1
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 1424
      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        PID: 1520
      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files\Orcus\Orcus.exe""
        PID: 1428
      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        PID: 1688
      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{9f1a84dc-b1e3-450f-8ebb-d4886c02c3ec}.bat"
        PID: 2932
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (4)
Downloads

Filesize: 3.0MB
MD5: 7b3150ddd3df859f8f6f36cb041b23f7
SHA1: c3934ab76025c17cab3d309a96c1e32df9ad9d65
SHA256: 675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
SHA512: a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214

Filesize: 349B
MD5: 89817519e9e0b4e703f07e8c55247861
SHA1: 4636de1f6c997a25c3190f73f46a3fd056238d78
SHA256: f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512: b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: 62623d22bd9e037191765d5083ce16a3
SHA1: 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256: 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512: 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Filesize: 1KB
MD5: 586ddaa1a784c8bc239cf8745ace5785
SHA1: 84aad8dfa89699cde30fa44e5d1492360a5a96ad
SHA256: 3eb6021f3afc44e53881f29c816df9c24c04bafda59777c5ade6699221ded431
SHA512: 6f6faf182e76fd9707e4a2691735a0c679cb7bc45143ede2193f200d899367a7992f8afc2f8f4114d26a990b33931ac34bf5bae98ac787ddff0642fdd4fc75e5

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 76KB
MD5: 674bbbf46f5616efcfc999cf3f98a77c
SHA1: 1043f14330dbedde3dc92b39b0eac2cb78b22c1c
SHA256: 1ae35f5b48a7d22d5ae1ae3b7a7b05c7eef90f7d35ee723a23f169335ed9ffe2
SHA512: 7aed0a3cbbe2d699a96301204f5bb5462f7a28b25662931ada70b569c7fadead908268ce0d69cc9f517f70a18a99a2006eb0d425291347c99b036f2561bba652

Filesize: 171B
MD5: 43d5d41ef8a2aef47d3ad6cd45956994
SHA1: f3ece0051732fea3cb1cfbce8454b01af9d79a2c
SHA256: 749460e19ec1933804ebdc176a42f3cef7a7f3a79b20113d737c3ef8388b5a1c
SHA512: 0afa65722ac154ae1b1fd35d421eac24c9073555693d01de919a60ea8929e2b695188a1ce39d252bca6903497897670da044df6f6c90766cb98e99afe48522a8

Filesize: 676B
MD5: cd7a8d5efc0a23902ed97110a30b8eae
SHA1: 6e800545b8b04a8fccdb4274795e889b4395b134
SHA256: 9470ef4ccbe93f0df7fd17fe0715440bfa977b1c1e7217a6891e6097c00c31c6
SHA512: 2db88b6fc2d3fddfb96e462a1b8411e95fdcf96370b57ccf71e611fe6355ec4df3b3238883a700ac6454b3e5604ebda87732217d710fde35deb94df71f76e21a

Filesize: 208KB
MD5: fdef22b893f9ecb75a0c349f3fd72cfa
SHA1: 7fc5e26068da0a0f0d9ff6e00a953f61776a9c39
SHA256: 40be6b4ce0a614a8b3826fdaeeeda9aae45a8b43c33dad98cffe93d32971670f
SHA512: ac0b5ed205c978ee8197ba62cfd4caa016c64ad1047edcebb1a9582a55794486bca61f0aab810d912ab56f6cdbe8cd1b61c9d55d14b7c33b0142dcfbc76eb3a4

Filesize: 349B
MD5: a4f055aded828ca38ecd2cc65a3beaa6
SHA1: 8df487f5da7fae44398f9139ab880a2354e80929
SHA256: c2ea20e7fbfa98f3250bd19f9d1d92cbcc6f73e337890a02e786f67011324f6a
SHA512: 6e7a4980b0bc94ef9591559030ea7deb6f79acc2783f43394561f7ccb04377bb0b683d0274840a1edf19ec9be134cee965f8483e4f8b6dbb1d67f710c86a4a5f