Overview

overview

10

Static

static

10

825eabd345...6b.exe

windows7-x64

10

825eabd345...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2024 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    825eabd3457553233f4689f6fc90a2ce1762159238777c3877f85ad963aea86b.exe

  • Size

    920KB

  • MD5

    0cda0025c54f147c107c2e8eb4e5ed7d

  • SHA1

    ebcb149ac9488c85c6504319b5ed57951d10dbdd

  • SHA256

    825eabd3457553233f4689f6fc90a2ce1762159238777c3877f85ad963aea86b

  • SHA512

    58e95a96b52b1bec791978249eaa877dd3a1ae1a55ec57393fba6f524b27afb02960db7e59e9a548788f3c1b7fcab10fd20e543482163590f451513d9bb232fe

  • SSDEEP

    12288:CFOPpaLvKe0Hq7K+7dG1lFlWcYT70pxnnaaoawomqflrUBIgjLPrZNrI0AilFEvo:YEqr4MROxnFZC5nrZlI0AilFEvxHiMC

Score
10/10
orcuspersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

C2

127.0.0.1:8964

Mutex

4b67e0c2fb0c41e0a9078f5661444ec7

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Windows Update

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\825eabd3457553233f4689f6fc90a2ce1762159238777c3877f85ad963aea86b.exe
    "C:\Users\Admin\AppData\Local\Temp\825eabd3457553233f4689f6fc90a2ce1762159238777c3877f85ad963aea86b.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p0fo2k0b.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA545.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA544.tmp"
        3⤵
          PID:2304
      • C:\Windows\SysWOW64\WindowsInput.exe
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:2132
      • C:\Program Files\Orcus\Orcus.exe
        "C:\Program Files\Orcus\Orcus.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2692
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe"
      1⤵
      • Executes dropped EXE
      PID:2704

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Orcus\Orcus.exe
      Filesize

      920KB

      MD5

      0cda0025c54f147c107c2e8eb4e5ed7d

      SHA1

      ebcb149ac9488c85c6504319b5ed57951d10dbdd

      SHA256

      825eabd3457553233f4689f6fc90a2ce1762159238777c3877f85ad963aea86b

      SHA512

      58e95a96b52b1bec791978249eaa877dd3a1ae1a55ec57393fba6f524b27afb02960db7e59e9a548788f3c1b7fcab10fd20e543482163590f451513d9bb232fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESA545.tmp
      Filesize

      1KB

      MD5

      5714d15673862b45e3639900cf854cd8

      SHA1

      c1e2344db0ce483d5e333f0feb666fec7cb7b70a

      SHA256

      cfe439d32916e3406bdf023177167f3bb0a6e0d1aa1fafca42fe098b47c4fc20

      SHA512

      10ab08a0949992384380df7200f82f3dc882db6751b50133f8690fe2bbcf6f4f2655a56bc506768e8d6ff50bdf7e71de8d28d8b77da4d06bee3b8a3344a79cb3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\p0fo2k0b.dll
      Filesize

      76KB

      MD5

      6b4c0338bcc962624afd2d897573b9e7

      SHA1

      26406cc885e0b114d1ea21615ed24f3a66264138

      SHA256

      84ad767aea57001853a9836fe7c2a73c157d033004645fd693557304d430b1bc

      SHA512

      43ceb89c45a843b13121b17298ec726d894be40cda693b33a227baf38c093de2a5494efa84ccc20bfed4667683098e629b45fca4ccab2eedbcab2a9017ec9734

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\err_4b67e0c2fb0c41e0a9078f5661444ec7.dat
      Filesize

      1KB

      MD5

      0244eb581256807fab7ecf24acb4a60f

      SHA1

      61cc0013aac90a487031fccb40eada142eeff700

      SHA256

      2c17e5e89ccec5f170081c4ec62460b313e5d097d848e1b939130c350d14c9cb

      SHA512

      0b454a05a4641bda0101d04701a6a4a6b965b5609908a19f52100628d493ab0f195c2e57524db636f8bf6de3418b660764ee82abdecd6b2a6cddd00e059800b5

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe
      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe.config
      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCA544.tmp
      Filesize

      676B

      MD5

      c1938746cf494dd4d1f24f4e4702eb76

      SHA1

      ccbf0e46162fa68a11a2f87dd0b7a03f03076f78

      SHA256

      048e013d1fd824bd072a7109260bdd7b8b13a9b73897755bcf9e5397f6743107

      SHA512

      c221dc3934cba9b61e4392e21a886aaaaf5609910662b82a69edb27bebf9e0664f9314ce07fc7e7e63e56d950a03bc7a1b278b40daef47828783d815cc3fb54e

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\p0fo2k0b.0.cs
      Filesize

      208KB

      MD5

      c080986bbfbc898379726b15e4b7110d

      SHA1

      11a08fc3f189914d2f5f42382efb6803c1a350fd

      SHA256

      6ec21f9ac665083be37e90b03e6a8f46784ae8a422ef5a00f114d3b7ef3dd6f5

      SHA512

      9f9ae7ee23804b53c20f1a85c452e121d4ce7ac2d850250f4ad53eacc3332a55d16f70a283a546a513dc80612243f4fdf147b2a53678a23809546183e822ef84

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\p0fo2k0b.cmdline
      Filesize

      349B

      MD5

      683d85629d81652205f8f8d58cdb8020

      SHA1

      01c87f5b5765ee7b16b9118458a32a5c9c12faa4

      SHA256

      fa95df5fe447b73aca28d22cec6595cb71dca54b45d59aaecc2c7dbd8b3a8e0e

      SHA512

      c76b10c313edbf23b981266963acfd0e50aa32fe84c11578a2395c6e13601daec3eff80cb32249159281956f16bbd8b3864eb7b222b55ee6305602dbfeb1d9c2

      Download Submit

    • memory/1900-10-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1900-17-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2132-34-0x0000000000090000-0x000000000009C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2292-22-0x0000000000A00000-0x0000000000A08000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2292-2-0x00000000002A0000-0x00000000002AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2292-0-0x000007FEF62BE000-0x000007FEF62BF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2292-23-0x0000000000A30000-0x0000000000A38000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2292-24-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2292-19-0x000000001AEB0000-0x000000001AEC6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2292-30-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2292-4-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2292-3-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2292-21-0x00000000002D0000-0x00000000002E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2292-1-0x00000000023B0000-0x000000000240C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/2292-46-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2692-47-0x00000000008B0000-0x000000000099C000-memory.dmp

      Filesize

      944KB

      Download

    • memory/2692-50-0x00000000007E0000-0x000000000082E000-memory.dmp

      Filesize

      312KB

      Download

    • memory/2692-51-0x0000000000620000-0x0000000000638000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2692-52-0x0000000002150000-0x0000000002160000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2704-38-0x00000000001E0000-0x00000000001EC000-memory.dmp

      Filesize

      48KB

      Download