orcus | 1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860

General

Target

1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe
Size

3.0MB
MD5

5061282fe58821440585f7bbb1708423
SHA1

f64e5554bd39d34f872f9e74bef2b6bdcdb5541d
SHA256

1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860
SHA512

3ad7f99cba8fded3c1be9c3ee3611308915eedaea18ec9c02b7ef245d2cd4bb7caab8cb15f50db00f64eb4c6c2ac180feeb7fc5d4f91caab0943c2e1fbb3d61d
SSDEEP

49152:Y02N8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCmFWncFf0I74gu3tM:Yd0wGGzBjryX82uypSb9ndo9JCm

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.50.155:10134

Mutex

5c4ed961518e4098bff05128f1a5b804

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\sistem\sistem.exe
reconnect_delay
10000
registry_keyname
sistem
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1796-1-0x0000000000B90000-0x0000000000E8A000-memory.dmp	orcus
C:\Program Files\sistem\sistem.exe	orcus
behavioral1/memory/2476-32-0x0000000000D10000-0x000000000100A000-memory.dmp	orcus

Executes dropped EXE 3 IoCs

Processes:

WindowsInput.exeWindowsInput.exesistem.exe

pid process

2312 WindowsInput.exe
2764 WindowsInput.exe
2476 sistem.exe

pid	process
2312	WindowsInput.exe
2764	WindowsInput.exe
2476	sistem.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sistem.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sistem = "\"C:\\Program Files\\sistem\\sistem.exe\""	sistem.exe

Drops file in System32 directory 3 IoCs

Processes:

1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

Processes:

1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe

description	ioc	process
File created	C:\Program Files\sistem\sistem.exe	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe
File opened for modification	C:\Program Files\sistem\sistem.exe	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe
File created	C:\Program Files\sistem\sistem.exe.config	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sistem.exe

description pid process

Token: SeDebugPrivilege 2476 sistem.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sistem.exe

pid process

2476 sistem.exe

description	pid	process
Token: SeDebugPrivilege	2476	sistem.exe

pid	process
2476	sistem.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe

description	pid	process	target process
PID 1796 wrote to memory of 2312	1796	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe	WindowsInput.exe
PID 1796 wrote to memory of 2312	1796	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe	WindowsInput.exe
PID 1796 wrote to memory of 2312	1796	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe	WindowsInput.exe
PID 1796 wrote to memory of 2476	1796	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe	sistem.exe
PID 1796 wrote to memory of 2476	1796	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe	sistem.exe
PID 1796 wrote to memory of 2476	1796	1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe	sistem.exe

C:\Users\Admin\AppData\Local\Temp\1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe
"C:\Users\Admin\AppData\Local\Temp\1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2312
- C:\Program Files\sistem\sistem.exe
  "C:\Program Files\sistem\sistem.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2476

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\sistem\sistem.exe

Filesize
3.0MB

MD5
5061282fe58821440585f7bbb1708423

SHA1
f64e5554bd39d34f872f9e74bef2b6bdcdb5541d

SHA256
1895ea7718500dfd7ddf4ccbf5057816fc06f849e72e644ba72c57f6241ca860

SHA512
3ad7f99cba8fded3c1be9c3ee3611308915eedaea18ec9c02b7ef245d2cd4bb7caab8cb15f50db00f64eb4c6c2ac180feeb7fc5d4f91caab0943c2e1fbb3d61d

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
a80be96476032d2eaa901d180fe9fb73

SHA1
f378d0bc5fefb9ea0b5006f020091ffcbcd7acec

SHA256
d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42

SHA512
210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
memory/1796-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp

Filesize
4KB

Download
memory/1796-1-0x0000000000B90000-0x0000000000E8A000-memory.dmp

Filesize
3.0MB

Download
memory/1796-3-0x0000000000250000-0x000000000025E000-memory.dmp

Filesize
56KB

Download
memory/1796-2-0x00000000024E0000-0x000000000253C000-memory.dmp

Filesize
368KB

Download
memory/1796-4-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/1796-5-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/1796-31-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-17-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-20-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-16-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-15-0x0000000000220000-0x000000000022C000-memory.dmp

Filesize
48KB

Download
memory/2476-32-0x0000000000D10000-0x000000000100A000-memory.dmp

Filesize
3.0MB

Download
memory/2476-33-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

Filesize
72KB

Download
memory/2476-34-0x000000001AF00000-0x000000001AF58000-memory.dmp

Filesize
352KB

Download
memory/2476-35-0x0000000000BE0000-0x0000000000BF8000-memory.dmp

Filesize
96KB

Download
memory/2476-36-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/2764-22-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads