Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-10-2024 08:49
General
-
Target
Orcus.exe
-
Size
3.0MB
-
MD5
37128f8c34f0e2112cb6c60d2fe8d4c6
-
SHA1
42d4240892b4fcb2b5332fb70210238aa4070f6a
-
SHA256
8667faa80b6d3e4126e5e9e60b6e2f755f5388c5554e7b6fd59bcd5a342326ad
-
SHA512
f0387c7f8d4d74fc378599918cee295abf14e0cc3983a4e1681a7d40ba4b5af519a0bfec7244d2e081588590e421711dc412b3e32cb17c0a6b9db9a0d0656b88
-
SSDEEP
49152:uBpEKO3T5adZKM0sz5otCeEvsDKx+msbfGGW8wlBKJwAypQxbxEo9JnCmmLNrZEu:uBptODUKTslWp2MpbfGGilIJPypSbxEt
Malware Config
Extracted
orcus
Roblox
89.23.100.155:1337
fa9ce586702b4090bcb834980fda0474
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%programfiles%\Windows\MpDefenderCore.exe
-
reconnect_delay
10000
-
registry_keyname
MpDefender
-
taskscheduler_taskname
MpDefender
-
watchdog_path
AppData\xdwdwatchdog.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 2 IoCs
-
UAC bypass 3 TTPs 6 IoCs
-
Orcurs Rat Executable 3 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs
Possible Turn off User Account Control's privilege elevation for standard users.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 14 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Orcus.exe"C:\Users\Admin\AppData\Local\Temp\Orcus.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vpbcti95.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA15.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDA14.tmp"3⤵
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Windows\MpDefenderCore.exe"C:\Program Files\Windows\MpDefenderCore.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\xdwdwatchdog.exe"C:\Users\Admin\AppData\Roaming\xdwdwatchdog.exe" /launchSelfAndExit "C:\Program Files\Windows\MpDefenderCore.exe" 4468 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\xdwdwatchdog.exe"C:\Users\Admin\AppData\Roaming\xdwdwatchdog.exe" /watchProcess "C:\Program Files\Windows\MpDefenderCore.exe" 4468 "/protectFile"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\Windows\MpDefenderCore.exe"C:\Program Files\Windows\MpDefenderCore.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hijack Execution Flow
1Executable Installer File Permissions Weakness
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD537128f8c34f0e2112cb6c60d2fe8d4c6
SHA142d4240892b4fcb2b5332fb70210238aa4070f6a
SHA2568667faa80b6d3e4126e5e9e60b6e2f755f5388c5554e7b6fd59bcd5a342326ad
SHA512f0387c7f8d4d74fc378599918cee295abf14e0cc3983a4e1681a7d40ba4b5af519a0bfec7244d2e081588590e421711dc412b3e32cb17c0a6b9db9a0d0656b88
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
3.0MB
MD5f477cbf08bd39c9ca7e9672e06545a3f
SHA149351258ee224e27ea0e748ee9cc2a0d7df1393c
SHA2562572ccef469dee92808c1a17fcf8e1dbe8ce7da7add84924b2e260a30d2f66ff
SHA51296625a508c92e26f1df4d4f9f5cac9faeddafdf724f58eeb87c1fdcef28b346b44a16da7a945945560965a449045cf945f6e4f500e289ccbb69b8cdeefb1bb19
-
Filesize
1KB
MD5d7d2c92cd98711453451a3fb6e3a702a
SHA1d96d43f8d9f9ed434c3d8103b34cfa6111309adb
SHA2568bb6a867a3d0c34fc4e825f2bd8abc7556a413977e5579cb6dce603c89a06028
SHA5121b8d8eccee4ce7a823730b3645958353b6e8e6cb62e545e24246b33bc61fbc58347f5272c83b4f562cee94a0094f4602e8e81dc692f0eda9af722c52a9ddb199
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
76KB
MD58de5cea1358027044f76d2390586e148
SHA183685748a480032b46571e6fddbe82ece3d1683b
SHA256cb35565d4e11c9fbaf0731b9cd9fd9802faedafeee6310d9b731cd7108d78342
SHA51201aae0777886f93f1fe6b3533240e7ffb4a28bcdbfb1f6043389ccdbc17401649284309161f74ee37aecec093599bbd35b52c8e5eed2bcaf894c115287813808
-
Filesize
9KB
MD57a195b6c9de2d5cab015f649da6931a1
SHA189f7372dd92a90a8e13b74ee512b464412e4cf9b
SHA25630183935449a625c2a61f6342dc3b9907028194173f2e3d594eaa3126ee316bc
SHA5123c2aeef85b51e7f955072fba042bcedf8dd0b66ad813def58c0134355665ba56a713d58005a322561c62be5777d0adea2803da214459f362f22fe2a0dba5a1c7
-
Filesize
21KB
MD5f6285edd247fa58161be33f8cf662d31
SHA1e2b49bca43cd0bd6cc1eee582ba58f0ed6de1470
SHA256bc16993d1a774793044ca37eb2ce84ecbdb5c578e3c710ed82879e07dcef2fec
SHA5126f3e6073a1dafc679da1caa4a4c9cb7cc2da79c3f81034d7b7b7b1d855fd5421cbb517a7d3f9520f49d4d3b7f9577f4f8f92486994c8b78fabff5033b390a788
-
Filesize
349B
MD589817519e9e0b4e703f07e8c55247861
SHA14636de1f6c997a25c3190f73f46a3fd056238d78
SHA256f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13
SHA512b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3
-
Filesize
676B
MD5f8f718bbe095157e8456392d9aeece04
SHA112e766f37cf16c595c050f29d14600959e3c6e7e
SHA2566db189bea41354b0cba3da9b80a222adde3ef1551c7213810dbb1f7f7ccf25b4
SHA5120230db5c429875e1b03685a64d31f981a5f750a077f83a98ae1674d42fbe210c36b6b82fef130a1baa6c12ce49ff9309369651fd5cab95c7f51c29705d7fecda
-
Filesize
208KB
MD508fbb8126a1f8f5ace212252148c5059
SHA13376549ba938b6b007e247e9eb81dcdc351a2435
SHA256e99d003ff0d3ff5ef5da2c77a7a027d0fdd5255a41ddba40ecec6c9ac42b6228
SHA512fc45a76248db452ce9e047f24bff1b30bea67f903d45494013edf9802fbee54aa121b4b322867211a079f55a3d56edecd16b5b67c136ad4049dcc3594d713113
-
Filesize
349B
MD5734fdff5b2850910479e1b55735ac9c4
SHA12bcbb0e62eac8c459dfe2e12ba10ec0d9e9ea1ed
SHA2564ff01815c009845ad8a41884f3902483b8da360ed56a51f343d3104ec5cd473f
SHA512682e5180aaeff781e402065d91a2cb15b8a568796476e67eb0153cf14752602f7b041e82630b39aabb75333cafbbfff427c7dc65fe4c70fc60aa2b37baa7d0a0
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
248KB
-
Filesize
120KB
-
Filesize
128KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
368KB
-
Filesize
56KB
-
Filesize
624KB
-
Filesize
56KB
-
Filesize
528KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
464KB
-
Filesize
3.0MB
-
Filesize
736KB
-
Filesize
712KB
-
Filesize
9.6MB
-
Filesize
128KB
-
Filesize
56KB
-
Filesize
592KB
-
Filesize
176KB
-
Filesize
96KB
-
Filesize
88KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
48KB
-
Filesize
128KB
-
Filesize
152KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
144KB
-
Filesize
160KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
48KB
-
Filesize
160KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
80KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
64KB
-
Filesize
56KB
-
Filesize
136KB
-
Filesize
112KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
168KB
-
Filesize
160KB
-
Filesize
120KB
-
Filesize
4.8MB
-
Filesize
1.0MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
136KB