Analysis
-
max time kernel
73s -
max time network
73s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 08:32
General
-
Target
xda.exe
-
Size
3.0MB
-
MD5
cf6aa82e9cb164a4ddd30a1f77db1eb7
-
SHA1
60790744a396419695221c39aee74672bc67fa66
-
SHA256
e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700
-
SHA512
e9465d2469199972ece28fde93be701e15d97bb495ee75545161ebb8712591b04867110d8632fce712295399c89338fdfe2c7c5179f597bffd8e3c679b95ae09
-
SSDEEP
49152:XzTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmWrZEIN:XzTtODUKTslWp2MpbfGGilIJPypSbxE8
Malware Config
Extracted
orcus
89.23.100.155:1337
d058ef377b7f46bea0e52b669562775b
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 2 IoCs
-
UAC bypass 3 TTPs 6 IoCs
-
Orcurs Rat Executable 3 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\xda.exe"C:\Users\Admin\AppData\Local\Temp\xda.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\elrbnedq.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB48C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB48B.tmp"3⤵
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 30843⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 30844⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5cf6aa82e9cb164a4ddd30a1f77db1eb7
SHA160790744a396419695221c39aee74672bc67fa66
SHA256e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700
SHA512e9465d2469199972ece28fde93be701e15d97bb495ee75545161ebb8712591b04867110d8632fce712295399c89338fdfe2c7c5179f597bffd8e3c679b95ae09
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
3.0MB
MD586c168112d2ca3e45d3a2c4a0ed5b261
SHA17f63b4b0564f3d0393b9ade80843fffe94149aa8
SHA256fee1fee22df1dc900f56b91ab08b3360a4c2ade7a6e7a872870b70878e2ab0a5
SHA5128da0a343b57ff59ddf2350a41d6fd583de1838d83beb7e328eba52ed1ffa9b54627cc85040e76303be9526046e269bf71a0a408e67f892da85b08cfb13605e56
-
Filesize
1KB
MD52e619d3faa2748e4eb47aacd273356ba
SHA1e36fc34185813e0f42df0e2161c36911648ed240
SHA256c3ab3a3081811f10143a6d40508fd6657b55c23de35375f11fdfcff434712ed6
SHA512ab3acd6755092b005956d4be44d0975784f9d31a1510fada2abcff4884f728a107b99dad0ac708a5a645f4e268d39f32b6915629629933bbea72b779d5f6acc3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
76KB
MD5667ae299f9c43936f1098193511d310f
SHA1e7ddd01ebfbdc3ed41c4591276fd4d7b0a5fd232
SHA256a28b690216cddac3eb1ab32780b24adeaacc5c38ca896399ec34c6bfe1e1ef2b
SHA512c21d9e42e003575ff4344d5edbe72322a42d2ccc8481fcc40e0ceec67e5375968ee17a2e3a914b0eed13d9a52a52071fb379e8008ffac0c2a5ab5546791aefd9
-
Filesize
9KB
MD57a195b6c9de2d5cab015f649da6931a1
SHA189f7372dd92a90a8e13b74ee512b464412e4cf9b
SHA25630183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc
SHA5123c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7
-
Filesize
21KB
MD5f6285edd247fa58161be33f8cf662d31
SHA1e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470
SHA256bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec
SHA5126f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
676B
MD57e7d17593c313eff71b881ab44db91a5
SHA16778eb524ef5e0cf688710b2b632c5186712cd07
SHA2561f2bcfef1431b4f9854026827fb0b0b5de2e1466157fef3b65b41ea63623d482
SHA51229fd96008e2492b75b95d1c3fcfb3c31ed74cfa0331147a911705a381f97103011cf384fd29b9371855bc372d0616de07901431435541d761d67ac957044915c
-
Filesize
208KB
MD5aab99ca02c8fdd1d1ddd7f6160793517
SHA10dadd59fa2a09f241c4a8a1a44dd3e809a59a3ac
SHA256ea000c3fc6382351ee6de24b0ee40515d52809957f14302e9a9c2ae407771e58
SHA51203c18489ec7581b3f2fb7d80823506b575b6ff43b26c54a246bd191f8060fc0e480350495ee2706f4e6835e68dee0378faa0c77249b85e356f7b02527ed21090
-
Filesize
349B
MD5ed291392d233296d8b4bad58a8985792
SHA13b57c825efd3f98110801bb807ed901b25bbf1f4
SHA256a906ca0ec067818ba90cb2d2c44f14998d32b6a5fe9e5791d4a6e3625aa5d955
SHA5129f8e16d6e544c114d3929f26486720908c228eb1d6b40ee1442c08ae3a2f4ba8df2f243ca948d1e010798117ed5680cff5d3190a513ad53b1180d4aa296b817f
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
128KB
-
Filesize
88KB
-
Filesize
9.6MB
-
Filesize
56KB
-
Filesize
368KB
-
Filesize
9.6MB
-
Filesize
4.8MB
-
Filesize
624KB
-
Filesize
152KB
-
Filesize
120KB
-
Filesize
56KB
-
Filesize
528KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
464KB
-
Filesize
3.0MB
-
Filesize
128KB
-
Filesize
56KB
-
Filesize
592KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
96KB
-
Filesize
88KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
128KB
-
Filesize
152KB
-
Filesize
256KB
-
Filesize
248KB
-
Filesize
176KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
144KB
-
Filesize
160KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
160KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
80KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
136KB
-
Filesize
112KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
168KB
-
Filesize
160KB
-
Filesize
136KB
-
Filesize
1.0MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
8KB