orcus | 675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f

Resubmissions

26-10-2024 23:19

241026-3a1rfsxrgm 10

26-10-2024 23:18

241026-3absbs1fnl 10

26-10-2024 23:16

241026-29dkjaymaw 10

Analysis

max time kernel
25s
max time network
29s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26-10-2024 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

3.0MB
MD5

7b3150ddd3df859f8f6f36cb041b23f7
SHA1

c3934ab76025c17cab3d309a96c1e32df9ad9d65
SHA256

675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f
SHA512

a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214
SSDEEP

49152:ONJEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmYXdrZz:ONJtODUKTslWp2MpbfGGilIJPypSbxEw

Score

10^/10

orcus defense_evasion evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

Index1337z-43991.portmap.host:43991

Mutex

be9b19219c62425cbffd5b98125d81a6

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/348-24-0x000000001C3D0000-0x000000001C3DA000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

test.exeOrcus.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Orcus.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00290000000450bd-81.dat	family_orcus

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

test.exeOrcus.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	test.exe

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x00290000000450bd-81.dat	orcus
behavioral2/memory/2988-84-0x00000000000F0000-0x00000000003EC000-memory.dmp	orcus

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

test.exeOrcus.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	Orcus.exe

Executes dropped EXE 1 IoCs

Processes:

Orcus.exe

pid	Process
2988	Orcus.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

test.exeOrcus.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	test.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1464	powershell.exe
1272	powershell.exe
456	powershell.exe
4128	powershell.exe
2192	powershell.exe
2356	powershell.exe
4936	powershell.exe
2452	powershell.exe
4192	powershell.exe
232	powershell.exe
5072	powershell.exe
4320	powershell.exe
2756	powershell.exe
4752	powershell.exe
4968	powershell.exe
2656	powershell.exe
4516	powershell.exe
5104	powershell.exe
2644	powershell.exe
3188	powershell.exe
4308	powershell.exe
3856	powershell.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

Processes:

test.exeOrcus.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	Orcus.exe

Drops file in Program Files directory 2 IoCs

Processes:

test.exe

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	test.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	Process
1888	powershell.exe
1888	powershell.exe
1464	powershell.exe
1272	powershell.exe
4192	powershell.exe
4968	powershell.exe
4192	powershell.exe
4968	powershell.exe
4968	powershell.exe
2656	powershell.exe
2656	powershell.exe
456	powershell.exe
456	powershell.exe
4516	powershell.exe
4516	powershell.exe
232	powershell.exe
232	powershell.exe
456	powershell.exe
1464	powershell.exe
1464	powershell.exe
4128	powershell.exe
4128	powershell.exe
2192	powershell.exe
2192	powershell.exe
1272	powershell.exe
1272	powershell.exe
5104	powershell.exe
5104	powershell.exe
2656	powershell.exe
1764	powershell.exe
1764	powershell.exe
4516	powershell.exe
232	powershell.exe
2192	powershell.exe
5104	powershell.exe
4128	powershell.exe
1764	powershell.exe
2356	powershell.exe
2356	powershell.exe
2756	powershell.exe
2756	powershell.exe
3188	powershell.exe
3188	powershell.exe
2644	powershell.exe
2644	powershell.exe
4936	powershell.exe
4936	powershell.exe
4308	powershell.exe
4308	powershell.exe
4752	powershell.exe
4752	powershell.exe
5072	powershell.exe
5072	powershell.exe
3856	powershell.exe
3856	powershell.exe
2452	powershell.exe
2452	powershell.exe
3188	powershell.exe
4308	powershell.exe
4320	powershell.exe
4320	powershell.exe
2356	powershell.exe
2644	powershell.exe
2756	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeIncreaseQuotaPrivilege	1888	powershell.exe
Token: SeSecurityPrivilege	1888	powershell.exe
Token: SeTakeOwnershipPrivilege	1888	powershell.exe
Token: SeLoadDriverPrivilege	1888	powershell.exe
Token: SeSystemProfilePrivilege	1888	powershell.exe
Token: SeSystemtimePrivilege	1888	powershell.exe
Token: SeProfSingleProcessPrivilege	1888	powershell.exe
Token: SeIncBasePriorityPrivilege	1888	powershell.exe
Token: SeCreatePagefilePrivilege	1888	powershell.exe
Token: SeBackupPrivilege	1888	powershell.exe
Token: SeRestorePrivilege	1888	powershell.exe
Token: SeShutdownPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeSystemEnvironmentPrivilege	1888	powershell.exe
Token: SeRemoteShutdownPrivilege	1888	powershell.exe
Token: SeUndockPrivilege	1888	powershell.exe
Token: SeManageVolumePrivilege	1888	powershell.exe
Token: 33	1888	powershell.exe
Token: 34	1888	powershell.exe
Token: 35	1888	powershell.exe
Token: 36	1888	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeIncreaseQuotaPrivilege	4192	powershell.exe
Token: SeSecurityPrivilege	4192	powershell.exe
Token: SeTakeOwnershipPrivilege	4192	powershell.exe
Token: SeLoadDriverPrivilege	4192	powershell.exe
Token: SeSystemProfilePrivilege	4192	powershell.exe
Token: SeSystemtimePrivilege	4192	powershell.exe
Token: SeProfSingleProcessPrivilege	4192	powershell.exe
Token: SeIncBasePriorityPrivilege	4192	powershell.exe
Token: SeCreatePagefilePrivilege	4192	powershell.exe
Token: SeBackupPrivilege	4192	powershell.exe
Token: SeRestorePrivilege	4192	powershell.exe
Token: SeShutdownPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeSystemEnvironmentPrivilege	4192	powershell.exe
Token: SeRemoteShutdownPrivilege	4192	powershell.exe
Token: SeUndockPrivilege	4192	powershell.exe
Token: SeManageVolumePrivilege	4192	powershell.exe
Token: 33	4192	powershell.exe
Token: 34	4192	powershell.exe
Token: 35	4192	powershell.exe
Token: 36	4192	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeIncreaseQuotaPrivilege	4968	powershell.exe
Token: SeSecurityPrivilege	4968	powershell.exe
Token: SeTakeOwnershipPrivilege	4968	powershell.exe
Token: SeLoadDriverPrivilege	4968	powershell.exe
Token: SeSystemProfilePrivilege	4968	powershell.exe
Token: SeSystemtimePrivilege	4968	powershell.exe
Token: SeProfSingleProcessPrivilege	4968	powershell.exe
Token: SeIncBasePriorityPrivilege	4968	powershell.exe
Token: SeCreatePagefilePrivilege	4968	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid	Process
2988	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid	Process
2988	Orcus.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

test.execsc.exeOrcus.exe

description	pid	Process	procid_target
PID 348 wrote to memory of 2612	348	test.exe	81
PID 348 wrote to memory of 2612	348	test.exe	81
PID 2612 wrote to memory of 4448	2612	csc.exe	83
PID 2612 wrote to memory of 4448	2612	csc.exe	83
PID 348 wrote to memory of 1888	348	test.exe	84
PID 348 wrote to memory of 1888	348	test.exe	84
PID 348 wrote to memory of 1464	348	test.exe	87
PID 348 wrote to memory of 1464	348	test.exe	87
PID 348 wrote to memory of 1272	348	test.exe	89
PID 348 wrote to memory of 1272	348	test.exe	89
PID 348 wrote to memory of 4968	348	test.exe	91
PID 348 wrote to memory of 4968	348	test.exe	91
PID 348 wrote to memory of 4192	348	test.exe	93
PID 348 wrote to memory of 4192	348	test.exe	93
PID 348 wrote to memory of 456	348	test.exe	95
PID 348 wrote to memory of 456	348	test.exe	95
PID 348 wrote to memory of 2656	348	test.exe	97
PID 348 wrote to memory of 2656	348	test.exe	97
PID 348 wrote to memory of 232	348	test.exe	99
PID 348 wrote to memory of 232	348	test.exe	99
PID 348 wrote to memory of 4516	348	test.exe	101
PID 348 wrote to memory of 4516	348	test.exe	101
PID 348 wrote to memory of 4128	348	test.exe	103
PID 348 wrote to memory of 4128	348	test.exe	103
PID 348 wrote to memory of 2192	348	test.exe	105
PID 348 wrote to memory of 2192	348	test.exe	105
PID 348 wrote to memory of 5104	348	test.exe	107
PID 348 wrote to memory of 5104	348	test.exe	107
PID 348 wrote to memory of 2988	348	test.exe	109
PID 348 wrote to memory of 2988	348	test.exe	109
PID 2988 wrote to memory of 1764	2988	Orcus.exe	110
PID 2988 wrote to memory of 1764	2988	Orcus.exe	110
PID 2988 wrote to memory of 2644	2988	Orcus.exe	112
PID 2988 wrote to memory of 2644	2988	Orcus.exe	112
PID 2988 wrote to memory of 3188	2988	Orcus.exe	114
PID 2988 wrote to memory of 3188	2988	Orcus.exe	114
PID 2988 wrote to memory of 2756	2988	Orcus.exe	116
PID 2988 wrote to memory of 2756	2988	Orcus.exe	116
PID 2988 wrote to memory of 2356	2988	Orcus.exe	118
PID 2988 wrote to memory of 2356	2988	Orcus.exe	118
PID 2988 wrote to memory of 4752	2988	Orcus.exe	120
PID 2988 wrote to memory of 4752	2988	Orcus.exe	120
PID 2988 wrote to memory of 4936	2988	Orcus.exe	122
PID 2988 wrote to memory of 4936	2988	Orcus.exe	122
PID 2988 wrote to memory of 4308	2988	Orcus.exe	124
PID 2988 wrote to memory of 4308	2988	Orcus.exe	124
PID 2988 wrote to memory of 5072	2988	Orcus.exe	126
PID 2988 wrote to memory of 5072	2988	Orcus.exe	126
PID 2988 wrote to memory of 3856	2988	Orcus.exe	128
PID 2988 wrote to memory of 3856	2988	Orcus.exe	128
PID 2988 wrote to memory of 2452	2988	Orcus.exe	130
PID 2988 wrote to memory of 2452	2988	Orcus.exe	130
PID 2988 wrote to memory of 4320	2988	Orcus.exe	132
PID 2988 wrote to memory of 4320	2988	Orcus.exe	132

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

Processes:

Orcus.exetest.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	Orcus.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	test.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	test.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:348
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rjwjal5p.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84E0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC84DF.tmp"
    3⤵
    PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
3.0MB

MD5
7b3150ddd3df859f8f6f36cb041b23f7

SHA1
c3934ab76025c17cab3d309a96c1e32df9ad9d65

SHA256
675a8aa47c9032b3588c440435744c3a01c04edc4ea204631eee0b53f0405a8f

SHA512
a1fe1559965a5eac9a6eef26bbcd559d8a3aa1719f81c35e4106ca0664805cde9566e7bd163fc63a27e356e034b64ef6af5a0f4a299997352bdf4b51e6b6d214

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
df55b2040cf60bbaaed4946ec47d9ec3

SHA1
8e85ce63481c7ef33b9414c2e84a3a63677e5cc1

SHA256
fa9cc5dac95adda87c5e09a8daed9701de298b9706a9b4473c459ca1208332c6

SHA512
9f707130fbef0665d929f63cfa6e34331df46a059059d8dfcd144eb02669d85bd5d38f015ff53453338beeed9cff8804cb09d6fe1c2d2cb735f5e94a585929f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f1bf4207c100442afb6f174495b7e10

SHA1
77ab64a201e4c57bbda4f0c3306bee76e9513b44

SHA256
c7787523a0e006d3ef2401f20248f6cfa69769804d402b75e04fcec463741f4d

SHA512
29bdea5620c07bae69fa2bbd9c198b7309dbd275a1251ee306e2eb28584d0c40f3d112b4c91b281fe722e711ceef0f4cdf0bd72118a54e263f6500bcf9040d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ff595ac9a138bb876c4c78afae3569a

SHA1
1f2f39afee90de7f6137ca04bb7f7dcde1507654

SHA256
7ad13788a0637c51f34839fca07dd28ed01af4dc4aa8d91a29dc4321843d4e7b

SHA512
c40325c9874116be84a955badcec63eafaf55ecc2cbb7d5bd9f6dc3743221223d42198a7e7b554d59ecda4703072dad65fe10c5ddbec034398bd59a5db646759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
baafc2194a3ab9dbe8c7646fe8cac223

SHA1
3cf418fdb7086e52a940dfeefa57497c58ac8683

SHA256
4f555e9262c51ed2359860cb0382efbd9acb5354663d8f998735d6aca058042a

SHA512
077e93d63250146c4f4faaefb24e196c7921e850440e74cbbafa986d620123a9c8a89f727994f3e0aa85641790b90f35e5213b72ac68e314a1ab5833cec99835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
946bd2bcc2786b2761298f74f9994400

SHA1
86f2be6201550731176af29f241a97ccbcd2f8fb

SHA256
40367120732eb0bef41278b0d9e05279df9a5cdb580a6b73421f48a69115e468

SHA512
f211eada408281a6142969dc219d67054ed92891839eb122ecc5581d5c791b6eb2afaca8fcf0dc750ecc4f2ec4842b7990d17a9762973fe0c7c2fdd5079dfb99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90d696d6a8ab185c1546b111fa208281

SHA1
b0ce1efde1dad3d65f7a78d1f6467d8a1090d659

SHA256
78497ed2c4ccac6e870afc80224724f45a7356bde55580a5c6ea52ef5079a3f4

SHA512
0a19628ae31ec31f382b3fd430c205a39985730e12c608b66b83ee4826e3f3fc9f4a034e03f38ac5260defdf805b927528ffca1a2ccdd59d9bfe05822923c4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e2734ce0de9e205ceb614c5653130fcf

SHA1
4f59d9169af9c3694ec5b97b49c5b7a863740afb

SHA256
d685acd39d4760125bc9be3979a14397c042119b01b6ccccb7f15b1e4490852e

SHA512
dd32ec071e3c50fd18902f473e4b6ed5695ff542de22b17a3142d9f00aab4896cb39d78c5da25418c151f211ecd45a8949f00b2d349fbd38a2d24254391bf467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
043895f0827a24a18c56f7a01e1feab0

SHA1
d6728703d924cdccddd4b73d347250adea23dc4f

SHA256
e1ca357457288ee1c809764c8fb16608cec870b7ae26d3eb3bd570a1f2f66620

SHA512
96ce6e41ca6208f902dd07c99d1e7bb94098496a79e04cbc4d2a76189b70a1f6763cd377cfef087eb6ab806ec9b217d3b75d4c66503e8ae81d31fc416da95ae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES84E0.tmp

Filesize
1KB

MD5
6f4ab549ab5977893d742384386e7c6c

SHA1
0b9bd3fb708408345a756b0e95f1aacc5bd4cf4b

SHA256
3ce89ea9d566a767eadf961c71fad0f6dcc8d53fe03de6d7082d3efb3d307416

SHA512
6f93dc4471bbc66bdcce773a16b0bbb5af3b1e8d647bdaf64e2e776f78f7cfec7c01bd45cd15bad4c947d31c55f004fdd5bd5647cac46e06d9c9ac317bc094dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_clhnwwvt.fjv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjwjal5p.dll

Filesize
76KB

MD5
ff524dee30b0993a60b6157924a5bc66

SHA1
58b0a388884ab582bcf943225f1206e1294c6e20

SHA256
2dfeab0795b43c4f7f12ffa1b61b414167d0ba89e8f937981296795e53797882

SHA512
cfb3090350002c46376c4b5fcc1b3a64c243f08a541affa17f0c30a27632ff3c2ceeaa3a2d7c8997041847ac2aee21b961e8ca060390e48db45014fa7750fdff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC84DF.tmp

Filesize
676B

MD5
e8313a2eb550340a0c29b335afd6d2c4

SHA1
185da2ae44126d24176d1d1bce94ee4773cf7ecc

SHA256
aca2d7589d4b83e97edac50dc52d052a7371a35a832dad8b41238483b7298b1e

SHA512
72bb15a82360991baf7752b5d1a63098d95cd635cd05acdcf24f1d65148545de54bce4fa26da4e161a10a3031660de593659995e4ee9fa426e02ed7d29140aca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rjwjal5p.0.cs

Filesize
208KB

MD5
8e6f7bf1b3028fe197a60533f78496b4

SHA1
3c58cdf38d98f0b7a0631c1823121f71a2d30e52

SHA256
16211e1aaed0855c21c4444bfe48cfa8e4f3590bd409303fa723be588a279a34

SHA512
e872a63a889ffa14ab7d0cce896222d9577f5ef820bb2cf6be610fe71bf425d2d712fc6713d7de4553171a2ea696b2d25395023a05bb2cf87b7f844dbfc7f7ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rjwjal5p.cmdline

Filesize
349B

MD5
4f539b6eb8474168c3a4efc8bbc37f29

SHA1
2bf69308e03085bb450649b47fbcb2ecb70a0825

SHA256
0042eebea6bfdee506737c037c09f8f404c9a6eb08229a3c14889e42aded977c

SHA512
235cf081130e8f4cd9b7c896019886b15977e6efe14ee153992eebf0e917ffc6fc1d84534de1fea043a518eb316e0034b7a45fd37a76426bcf27985bf4ccc190

Download Submit
memory/348-0-0x00007FF9B50D5000-0x00007FF9B50D6000-memory.dmp

Filesize
4KB

Download
memory/348-24-0x000000001C3D0000-0x000000001C3DA000-memory.dmp

Filesize
40KB

Download
memory/348-26-0x00007FF9B4E20000-0x00007FF9B57C1000-memory.dmp

Filesize
9.6MB

Download
memory/348-23-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download
memory/348-21-0x000000001C410000-0x000000001C426000-memory.dmp

Filesize
88KB

Download
memory/348-25-0x000000001C3C0000-0x000000001C3C8000-memory.dmp

Filesize
32KB

Download
memory/348-6-0x00007FF9B4E20000-0x00007FF9B57C1000-memory.dmp

Filesize
9.6MB

Download
memory/348-5-0x000000001C310000-0x000000001C3AC000-memory.dmp

Filesize
624KB

Download
memory/348-4-0x000000001BDA0000-0x000000001C26E000-memory.dmp

Filesize
4.8MB

Download
memory/348-3-0x0000000000F80000-0x0000000000F8E000-memory.dmp

Filesize
56KB

Download
memory/348-85-0x00007FF9B4E20000-0x00007FF9B57C1000-memory.dmp

Filesize
9.6MB

Download
memory/348-2-0x000000001B4B0000-0x000000001B50C000-memory.dmp

Filesize
368KB

Download
memory/348-1-0x00007FF9B4E20000-0x00007FF9B57C1000-memory.dmp

Filesize
9.6MB

Download
memory/1888-41-0x00007FF9B2540000-0x00007FF9B3002000-memory.dmp

Filesize
10.8MB

Download
memory/1888-45-0x00007FF9B2540000-0x00007FF9B3002000-memory.dmp

Filesize
10.8MB

Download
memory/1888-42-0x00007FF9B2540000-0x00007FF9B3002000-memory.dmp

Filesize
10.8MB

Download
memory/1888-40-0x00000261E9EE0000-0x00000261E9F02000-memory.dmp

Filesize
136KB

Download
memory/1888-30-0x00007FF9B2543000-0x00007FF9B2545000-memory.dmp

Filesize
8KB

Download
memory/2612-19-0x00007FF9B4E20000-0x00007FF9B57C1000-memory.dmp

Filesize
9.6MB

Download
memory/2612-14-0x00007FF9B4E20000-0x00007FF9B57C1000-memory.dmp

Filesize
9.6MB

Download
memory/2988-109-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/2988-108-0x0000000002460000-0x0000000002478000-memory.dmp

Filesize
96KB

Download
memory/2988-94-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2988-84-0x00000000000F0000-0x00000000003EC000-memory.dmp

Filesize
3.0MB

Download