Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 08:39
General
-
Target
xda.exe
-
Size
3.0MB
-
MD5
cf6aa82e9cb164a4ddd30a1f77db1eb7
-
SHA1
60790744a396419695221c39aee74672bc67fa66
-
SHA256
e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700
-
SHA512
e9465d2469199972ece28fde93be701e15d97bb495ee75545161ebb8712591b04867110d8632fce712295399c89338fdfe2c7c5179f597bffd8e3c679b95ae09
-
SSDEEP
49152:XzTEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmWrZEIN:XzTtODUKTslWp2MpbfGGilIJPypSbxE8
Malware Config
Extracted
orcus
89.23.100.155:1337
d058ef377b7f46bea0e52b669562775b
-
autostart_method
Registry
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 2 IoCs
-
UAC bypass 3 TTPs 6 IoCs
-
Orcurs Rat Executable 3 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\xda.exe"C:\Users\Admin\AppData\Local\Temp\xda.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zvftmcom.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA152.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA151.tmp"3⤵
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 28003⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 28004⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5cf6aa82e9cb164a4ddd30a1f77db1eb7
SHA160790744a396419695221c39aee74672bc67fa66
SHA256e67c3d893e403f8974605d2c77bf66930c880de94dddb02dc13ce7c8d40ad700
SHA512e9465d2469199972ece28fde93be701e15d97bb495ee75545161ebb8712591b04867110d8632fce712295399c89338fdfe2c7c5179f597bffd8e3c679b95ae09
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
3.0MB
MD586c168112d2ca3e45d3a2c4a0ed5b261
SHA17f63b4b0564f3d0393b9ade80843fffe94149aa8
SHA256fee1fee22df1dc900f56b91ab08b3360a4c2ade7a6e7a872870b70878e2ab0a5
SHA5128da0a343b57ff59ddf2350a41d6fd583de1838d83beb7e328eba52ed1ffa9b54627cc85040e76303be9526046e269bf71a0a408e67f892da85b08cfb13605e56
-
Filesize
1KB
MD590d4a8436250cf164b8944261a061f1e
SHA14a342ff170cc556dbbbd5ed9cd44cfb9ccda78c0
SHA256427556778fbc674da4e15763faa4d2b966b9a450a23e1bf943ab3422877085c3
SHA51216a8e6d415b9c4f4b8c5d9758103aa25d0b945e1e87af67ab1372454c23815132011b5578b4a798ab55a5981475ad81584a765e1ad51bdae2724e21943762638
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
76KB
MD545a5123f772adc0a77b0cfa86bc54610
SHA157d78aa0ef59de65006703fd1e70ffb98899d829
SHA256c6156a926fe994cb78efae0e50ac1c2dc34391e204265c4150dffe136da2eb82
SHA5126af23ee4c228433391b2010267de253b6eedf8465366c3f661907ecd6f1342e8a6e6d19b3305d5a9247381290faa76f182f11259eb5217fda1fb85fec1dd62b4
-
Filesize
9KB
MD57a195b6c9de2d5cab015f649da6931a1
SHA189f7372dd92a90a8e13b74ee512b464412e4cf9b
SHA25630183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc
SHA5123c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7
-
Filesize
21KB
MD5f6285edd247fa58161be33f8cf662d31
SHA1e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470
SHA256bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec
SHA5126f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
676B
MD5099d99a9592ec3153ed2ee86a353c8a1
SHA12c864c21278fa5fdffbc7e92b8b5085dd645642d
SHA2564ad709abaa21b9493c9cdd113388c8177f73f4461f8aefa9e623650ed58807c9
SHA512adc5185389792e5fd2dac30b4e0931e32f881ffa3d194d8cf4dac576c7909317fcd4d1e782e673cb11aac074aee2f5a201b3c1b83fa765d2fe2be7a1e7d37ec5
-
Filesize
208KB
MD564a7007e6b2de196967b2b496dc5faea
SHA1cfd0c00bef23f883a554ee11a38ec6fbbc85fd4a
SHA256d8d239a786035ab6179aa67e3954f5952cf8b3dc36de5e1eab7f08fae5f18c42
SHA51282a36dbdf2fb0a086e4bf244c6554559050557acb213c110625b57ff948572f6a49778b097b5dda5d4833b2aa478d6e7cc1934c284923b3053f9a48391d06b1b
-
Filesize
349B
MD5cf40f9fcc9058799974d6d937419073e
SHA125ae6bc3fa0b6b666ac1365b8359d32f69b589fc
SHA25692b4781bbc2d32687ded7012e3b04147b0aad04e582995ca7240e39ffbaa7275
SHA512109bd76471e922fe1af02d45e1cbf5519a1d773e228c0d00e138af6a448a77d1da430a43dc56da042099c44f386a9c51058705a2e5bd7e78a4248c4061139113
-
Filesize
136KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
48KB
-
Filesize
8KB
-
Filesize
248KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
528KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
464KB
-
Filesize
3.0MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
128KB
-
Filesize
56KB
-
Filesize
9.6MB
-
Filesize
592KB
-
Filesize
568KB
-
Filesize
712KB
-
Filesize
736KB
-
Filesize
176KB
-
Filesize
96KB
-
Filesize
88KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
128KB
-
Filesize
152KB
-
Filesize
256KB
-
Filesize
624KB
-
Filesize
32KB
-
Filesize
176KB
-
Filesize
40KB
-
Filesize
144KB
-
Filesize
160KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
128KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
160KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
80KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
112KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
48KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
168KB
-
Filesize
160KB
-
Filesize
120KB
-
Filesize
152KB
-
Filesize
4.8MB
-
Filesize
56KB
-
Filesize
368KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
1.0MB