Analysis
-
max time kernel
40s -
max time network
42s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 08:30
General
-
Target
xd.exe
-
Size
3.0MB
-
MD5
b8006a0ea8243be30ddbc2009aa05d93
-
SHA1
81df425e729edd90c7b7e50b995803da783557ef
-
SHA256
6895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2
-
SHA512
4535e0547d479b58663dcc71dc49e7658438e79145cf0eb7d8748864209aa33fb35bf41d506ad527fc25132448c9800ca1cc8eff7568f5af4878da667ad462a4
-
SSDEEP
49152:6zTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmNMrZEu:6zTtODUKTslWp2MpbfGGilIJPypSbxE8
Malware Config
Extracted
orcus
89.23.100.155:1337
1ff7891fa0904651aeca5ed123954333
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 2 IoCs
-
UAC bypass 3 TTPs 6 IoCs
-
Orcurs Rat Executable 3 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
System policy modification 1 TTPs 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\xd.exe"C:\Users\Admin\AppData\Local\Temp\xd.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y5hqku6x.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC14D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC14C.tmp"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5b8006a0ea8243be30ddbc2009aa05d93
SHA181df425e729edd90c7b7e50b995803da783557ef
SHA2566895bec83e891c87783c0fd0a99f338205c8426d5cd0f2e298b22979e3e497f2
SHA5124535e0547d479b58663dcc71dc49e7658438e79145cf0eb7d8748864209aa33fb35bf41d506ad527fc25132448c9800ca1cc8eff7568f5af4878da667ad462a4
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
3.0MB
MD50aa6a14b26944d7f9ff50bfcc3e9e0c9
SHA1de21f62e9ea5618fa793ce3593c6c57e26bdedad
SHA256b92a6bfcff5ad36cb34871413e4b046bd5d4d2c573ab86b6aaade7f4e23e380a
SHA512f7c202588f071cbef074b36d7cc3a0aeda7c27af02e20268ba5750803a0ba5c990ce7f50b9f9d32b047110c1ab9e5d9fb65e2f1992c3d8f92b0ea84ddd96103b
-
Filesize
1KB
MD5e8df2d46bba185975a58c38525aca177
SHA15ebe4afde4604039eb5b7690b178be37188c8b01
SHA256f0f8ef5fe817ba6c1202608ac17a9b926c68301191510930118f981cbf334dc4
SHA512d7a8a6d918b627426ffb86b80ac4846142ce874328436d1d18253d2f8858391bd93160bb694ad9507ccc58f667b74602b1e561d54e92b206c3017c63f282f4ea
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
76KB
MD5678dcccea09c97296d86d5f8feb5337c
SHA185cb4f54c71c19ae6fde67cd6d92bc2b7635b668
SHA256202b18142ec7c292c081ac096560d772e187cabf60d93eebfce4e99db4dc90a3
SHA51285074b3cb9e67c2c3f132f064d09916093fcce4431e3d864d9d691ec24eb9ac7469e266abe80ecbafdfe3ee4fc8ac3d2a86c53c36c94680c5d8302ad86ca3db9
-
Filesize
676B
MD5d86bd19ea12ae646b6d056ed8ba23c11
SHA1373ab55060ab4f137aacb6aa7b5f0dbe15f7c24f
SHA25656c0b10c0c7462e21ebc0aa6f4c3dbfd59b1c91b86affc4fca701d2d914859b4
SHA51274f3ae62b0ecce97b9b8f290e668633f6820113e5ecf50fefeacb925746808ed2bdef9e6669c52a44307f0bafc3100391d2e1f3b78052562e7efd8a0caeceb7a
-
Filesize
208KB
MD51eb7e32194b55faeb4159e53183057fe
SHA195b7f7e01f8452682b4670f525b324c0f2fc1770
SHA25695e457e46c3d9cc914040ddf3fc80c2f666ce6e1d0679b3b7c0d161394214375
SHA512254c43fc0ea72f102a8e23533467c8113eaddc7b9083fb5ea4cacc6e39ea74a6728d793ac01897ad2104180dce320c7134fadf7a05b59d70fe2975e545546606
-
Filesize
349B
MD53d268e4be3d599f19924777c0ca5805f
SHA1d89bc10251d77817a290152f92fe346f08697104
SHA2566638a896065793d64d265e5cee597b6e58bed3d15b50fbf50bff25673268536e
SHA5127c3c385375152d78832d8e6670b6318077816a8f633211f91838a433a4f7aa6cfa9ec270b1212c3a43d9f152d8dfed02d15f8be1c2c950a56596663dcdd68cc5
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
56KB
-
Filesize
528KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
192KB
-
Filesize
464KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
3.0MB
-
Filesize
9.6MB
-
Filesize
128KB
-
Filesize
56KB
-
Filesize
592KB
-
Filesize
176KB
-
Filesize
9.6MB
-
Filesize
96KB
-
Filesize
88KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
128KB
-
Filesize
9.6MB
-
Filesize
152KB
-
Filesize
256KB
-
Filesize
248KB
-
Filesize
176KB
-
Filesize
32KB
-
Filesize
4.8MB
-
Filesize
144KB
-
Filesize
160KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
160KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
80KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
136KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
168KB
-
Filesize
160KB
-
Filesize
120KB
-
Filesize
56KB
-
Filesize
368KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB