orcus | e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe
Size

917KB
MD5

039debd99027407f731d115001b806c7
SHA1

7ee0fab4884c61693628691f8c7efc381c5336c2
SHA256

e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6
SHA512

fdcbbcef6117c65f74d21ae8a1cb2cf6730f395ce57805b205845dba5dac6e56df9c81dc72f91a96c32e241c85c1cacfcb53ac739ca1c92fc8ab8106b555afc1
SSDEEP

24576:9eu4MROxnFH3qkTZ2rZlI0AilFEvxHilI+:9etMihMrZlI0AilFEvxHil

Score

10^/10

orcus retard discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Retard

detoxify-21656.portmap.host:35923

Mutex

d4ac76608be445ca91ed380bdd064484

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
C:\Windows\syscon.exe
reconnect_delay
10000
registry_keyname
svchost.exe
taskscheduler_taskname
conhost.exe
watchdog_path
AppData\svchost.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\syscon.exe	family_orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Windows\syscon.exe	orcus
behavioral1/memory/2912-43-0x00000000001C0000-0x00000000002AC000-memory.dmp	orcus

Executes dropped EXE 6 IoCs

Processes:

WindowsInput.exeWindowsInput.exesyscon.exesyscon.exesvchost.exesvchost.exe

pid process

2064 WindowsInput.exe
2760 WindowsInput.exe
2912 syscon.exe
2604 syscon.exe
1504 svchost.exe
544 svchost.exe

pid	process
2064	WindowsInput.exe
2760	WindowsInput.exe
2912	syscon.exe
2604	syscon.exe
1504	svchost.exe
544	svchost.exe

Drops file in System32 directory 3 IoCs

Processes:

e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Windows directory 3 IoCs

Processes:

e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe

description	ioc	process
File created	C:\Windows\syscon.exe	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe
File opened for modification	C:\Windows\syscon.exe	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe
File created	C:\Windows\syscon.exe.config	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exesyscon.exe

pid	process
544	svchost.exe
544	svchost.exe
2912	syscon.exe
2912	syscon.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
2912	syscon.exe
544	svchost.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
544	svchost.exe
2912	syscon.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
544	svchost.exe
2912	syscon.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
544	svchost.exe
2912	syscon.exe
544	svchost.exe
2912	syscon.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

syscon.exesvchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2912 syscon.exe
Token: SeDebugPrivilege 1504 svchost.exe
Token: SeDebugPrivilege 544 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

syscon.exe

pid process

2912 syscon.exe

description	pid	process
Token: SeDebugPrivilege	2912	syscon.exe
Token: SeDebugPrivilege	1504	svchost.exe
Token: SeDebugPrivilege	544	svchost.exe

pid	process
2912	syscon.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.execsc.exetaskeng.exesyscon.exesvchost.exe

description	pid	process	target process
PID 2480 wrote to memory of 1700	2480	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe	csc.exe
PID 2480 wrote to memory of 1700	2480	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe	csc.exe
PID 2480 wrote to memory of 1700	2480	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe	csc.exe
PID 1700 wrote to memory of 2204	1700	csc.exe	cvtres.exe
PID 1700 wrote to memory of 2204	1700	csc.exe	cvtres.exe
PID 1700 wrote to memory of 2204	1700	csc.exe	cvtres.exe
PID 2480 wrote to memory of 2064	2480	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe	WindowsInput.exe
PID 2480 wrote to memory of 2064	2480	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe	WindowsInput.exe
PID 2480 wrote to memory of 2064	2480	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe	WindowsInput.exe
PID 2480 wrote to memory of 2912	2480	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe	syscon.exe
PID 2480 wrote to memory of 2912	2480	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe	syscon.exe
PID 2480 wrote to memory of 2912	2480	e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe	syscon.exe
PID 2612 wrote to memory of 2604	2612	taskeng.exe	syscon.exe
PID 2612 wrote to memory of 2604	2612	taskeng.exe	syscon.exe
PID 2612 wrote to memory of 2604	2612	taskeng.exe	syscon.exe
PID 2912 wrote to memory of 1504	2912	syscon.exe	svchost.exe
PID 2912 wrote to memory of 1504	2912	syscon.exe	svchost.exe
PID 2912 wrote to memory of 1504	2912	syscon.exe	svchost.exe
PID 2912 wrote to memory of 1504	2912	syscon.exe	svchost.exe
PID 1504 wrote to memory of 544	1504	svchost.exe	svchost.exe
PID 1504 wrote to memory of 544	1504	svchost.exe	svchost.exe
PID 1504 wrote to memory of 544	1504	svchost.exe	svchost.exe
PID 1504 wrote to memory of 544	1504	svchost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe
"C:\Users\Admin\AppData\Local\Temp\e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vvfh4shy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC572.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC571.tmp"
    3⤵
    PID:2204
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2064
- C:\Windows\syscon.exe
  "C:\Windows\syscon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\syscon.exe" 2912 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\syscon.exe" 2912 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:544

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\system32\taskeng.exe
taskeng.exe {B181FF52-8EC6-4D38-9675-33C145F8D673} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\syscon.exe
  C:\Windows\syscon.exe
  2⤵
  - Executes dropped EXE
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC572.tmp

Filesize
1KB

MD5
218da67dfdf9a1313baa917b86b27fb0

SHA1
2cea3380d6c0da752523baac33ceaeb6fa31ba45

SHA256
cac948311573102ab5b57950d2c177b1b3a6fc32a778cca60745af77213bd4f1

SHA512
73b3d36905fdd7c8838f37447d0be79f000f100404117d87b2de55c9817d09c28b237643eb02ce7dd788ae030d263d7cdb75013f45e13de1764e22d711abc1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvfh4shy.dll

Filesize
76KB

MD5
9fb5497597acd74e4bfc4362fadf5443

SHA1
79f250d3e40ebde3e3d0cdc125817f3952745ea4

SHA256
ac4085490ca2f00a4eee20638d63c8763984c7cfebc9b17305bffe65cc351cca

SHA512
3dabd2cfde3c8af2bb258e6d5e8af9113bcacdea884525ac09ccd8a818284db6506de27c45365c26573a173263ea8a6f52fd0f5d05d6353d2491dd38e69d0af3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Windows\syscon.exe

Filesize
917KB

MD5
039debd99027407f731d115001b806c7

SHA1
7ee0fab4884c61693628691f8c7efc381c5336c2

SHA256
e2c97f6df88c5b588867c5a4c9c260a0a295157b7c0f9cd87c3be07c2ef87bf6

SHA512
fdcbbcef6117c65f74d21ae8a1cb2cf6730f395ce57805b205845dba5dac6e56df9c81dc72f91a96c32e241c85c1cacfcb53ac739ca1c92fc8ab8106b555afc1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCC571.tmp

Filesize
676B

MD5
c53a56ffcc50e97875af567ced5c235f

SHA1
594694d3b9412bb927646a2089f9f36d03d5a701

SHA256
58dc69b3b2d774a5617e4caa223b9eaf80f5e8d27b2f09e998d01e254f2eaa58

SHA512
1577f30df903be9ebd0b62d739193d0ecc66c8194f51eac4b9e7f0459911c273e20defd93af6dc8a34b7dce1e6f562d91ffd62e91003e0400babeb9cb6b4d357

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vvfh4shy.0.cs

Filesize
208KB

MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vvfh4shy.cmdline

Filesize
349B

MD5
fdecb2203c490a46fbbfa04952931be2

SHA1
a849fe2450e4f75ecc1ccdcb05fca85a985b7ff2

SHA256
cadf176d3fdec3de5bf2bdf0d37783de65276819b7e32e215878253bd72a31d7

SHA512
8d1bcf77569e5d0cc72d04865e9ed8f91e6110f14f4ca608c8d9b4d61b63abf878f205580657061ed7558da6b726465c85777b8d8f4045fee248082e02404485

Download Submit
memory/1504-57-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/1700-17-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/1700-10-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2064-30-0x0000000001090000-0x000000000109C000-memory.dmp

Filesize
48KB

Download
memory/2480-2-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2480-22-0x00000000009F0000-0x00000000009F8000-memory.dmp

Filesize
32KB

Download
memory/2480-21-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2480-19-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download
memory/2480-7-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-0-0x000007FEF556E000-0x000007FEF556F000-memory.dmp

Filesize
4KB

Download
memory/2480-44-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2480-1-0x0000000000BD0000-0x0000000000C2C000-memory.dmp

Filesize
368KB

Download
memory/2480-9-0x000007FEF52B0000-0x000007FEF5C4D000-memory.dmp

Filesize
9.6MB

Download
memory/2912-43-0x00000000001C0000-0x00000000002AC000-memory.dmp

Filesize
944KB

Download
memory/2912-45-0x00000000021D0000-0x000000000221E000-memory.dmp

Filesize
312KB

Download
memory/2912-46-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/2912-47-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download