Overview

overview

10

Static

static

10

825eabd345...6b.exe

windows7-x64

10

825eabd345...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    825eabd3457553233f4689f6fc90a2ce1762159238777c3877f85ad963aea86b.exe

  • Size

    920KB

  • MD5

    0cda0025c54f147c107c2e8eb4e5ed7d

  • SHA1

    ebcb149ac9488c85c6504319b5ed57951d10dbdd

  • SHA256

    825eabd3457553233f4689f6fc90a2ce1762159238777c3877f85ad963aea86b

  • SHA512

    58e95a96b52b1bec791978249eaa877dd3a1ae1a55ec57393fba6f524b27afb02960db7e59e9a548788f3c1b7fcab10fd20e543482163590f451513d9bb232fe

  • SSDEEP

    12288:CFOPpaLvKe0Hq7K+7dG1lFlWcYT70pxnnaaoawomqflrUBIgjLPrZNrI0AilFEvo:YEqr4MROxnFZC5nrZlI0AilFEvxHiMC

Score
10/10
orcuspersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

C2

127.0.0.1:8964

Mutex

4b67e0c2fb0c41e0a9078f5661444ec7

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Windows Update

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\825eabd3457553233f4689f6fc90a2ce1762159238777c3877f85ad963aea86b.exe
    "C:\Users\Admin\AppData\Local\Temp\825eabd3457553233f4689f6fc90a2ce1762159238777c3877f85ad963aea86b.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vh_hoisx.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F0E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2F0D.tmp"
        3⤵
          PID:4900
      • C:\Windows\SysWOW64\WindowsInput.exe
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:3988
      • C:\Program Files\Orcus\Orcus.exe
        "C:\Program Files\Orcus\Orcus.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1672
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe"
      1⤵
      • Executes dropped EXE
      PID:436

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Orcus\Orcus.exe
      Filesize

      920KB

      MD5

      0cda0025c54f147c107c2e8eb4e5ed7d

      SHA1

      ebcb149ac9488c85c6504319b5ed57951d10dbdd

      SHA256

      825eabd3457553233f4689f6fc90a2ce1762159238777c3877f85ad963aea86b

      SHA512

      58e95a96b52b1bec791978249eaa877dd3a1ae1a55ec57393fba6f524b27afb02960db7e59e9a548788f3c1b7fcab10fd20e543482163590f451513d9bb232fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES2F0E.tmp
      Filesize

      1KB

      MD5

      c384e4ea0b6a2224966744ad4725c247

      SHA1

      e375dfcc7ee66db3269afbf2f67285e91077e95e

      SHA256

      3ae5d8aa9b321b9fe410204a83431e070bccd3764789de12ce2d268412e67458

      SHA512

      3535f430a8a5e95c5dd02c63600ef041daedd2f39bc8872dc01058eb91caeef448708125b5b27f0505741c7ca861b98600bcf8d223e8f97cb529c66a2129fd68

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vh_hoisx.dll
      Filesize

      76KB

      MD5

      2c2629d55920817d0f941ffa6683f33f

      SHA1

      abaa46160adb7fb90ba710b99e82a0db08c9e19f

      SHA256

      089d5a9beff6bc54cb48c60029b8aa9a00e1055c15276b2f8f992274ba951b38

      SHA512

      ff81c351d206e97a543d86db43739f821cad3fa3eb6df5f0332b0095c16e3ba864d052fc058ca1f28330bb846b1e6ed3e5c1037cd41728dc3f203573a5df3d3b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\err_4b67e0c2fb0c41e0a9078f5661444ec7.dat
      Filesize

      1KB

      MD5

      7bcb065ab4135156c519e86b9dd4aa2c

      SHA1

      03098eacdc40f814da23615a1750c672994de586

      SHA256

      728274ad05d9fc7077b4b122161e47b594473169b6889151acb830ed3edbc3ce

      SHA512

      5258635f5f720e565b8d689721e2b6ab138818483e8c3ccaa1d96c8e519955c54acb047391ec71d8c8800fd9eb7af7a433365eb84f6effe7658211bc6d49be93

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe
      Filesize

      21KB

      MD5

      e6fcf516d8ed8d0d4427f86e08d0d435

      SHA1

      c7691731583ab7890086635cb7f3e4c22ca5e409

      SHA256

      8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

      SHA512

      c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

      Download Submit

    • C:\Windows\SysWOW64\WindowsInput.exe.config
      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC2F0D.tmp
      Filesize

      676B

      MD5

      76628f0454dd92361e1851bfab07530d

      SHA1

      4a24416ea0c3023ce4d4d2721fd591b4ab26dd83

      SHA256

      e29a0fcbd2141d5a37180c8bb8bdb46a3c1f49a9c320333dcd59249d703cc009

      SHA512

      39b28598cdfa7414f45bbb6353c590d1e5a8ed033ecd7a38a6cd74e88bd82992027e3041513176ae52edc1d8e5c9fb52c2d933db57a6398da10e9748ac92e9ad

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\vh_hoisx.0.cs
      Filesize

      208KB

      MD5

      47cb3bcc9f5d80506d557c6d2c442824

      SHA1

      619a19cb4442472ad1dfc0addf5cdfb389107f65

      SHA256

      721145cf61bb40f5d63fa377c70b439475ab94e0f68e129a0cecefebf9715ecb

      SHA512

      6de0e7188095afc38eff928e8ff823841831502b87813f35b6b6e19075e70a695bf2fd56fdb8cf203954583962a77337d733886b7fb23686f7632066657acd57

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\vh_hoisx.cmdline
      Filesize

      349B

      MD5

      fdcdea6ad1e040c3bdc3e4bf4d98dc79

      SHA1

      1d083191fdef8961bead6eaaf0872c8f4d802982

      SHA256

      138dd3bf94252e0b18eb6096cdc7dd10daecc1b05dbb955b4e51e5f4b1a736c0

      SHA512

      900b7933a7bdcba5e84db3c3a43c3e8238ca56a71f2b595c364e2111e6b0d790ce28a8ca49cb053c53686ed17ad16028e2e45642388cb4a3d2280d6fa399e8ea

      Download Submit

    • memory/436-59-0x000000001A6A0000-0x000000001A7AA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1672-76-0x0000000002EC0000-0x0000000002ED2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1672-79-0x000000001B990000-0x000000001B9DE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/1672-80-0x000000001B910000-0x000000001B928000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1672-75-0x0000000000C60000-0x0000000000D4C000-memory.dmp

      Filesize

      944KB

      Download

    • memory/1672-81-0x000000001B930000-0x000000001B940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1672-82-0x000000001C460000-0x000000001C622000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2796-16-0x00007FFD9A670000-0x00007FFD9B011000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2796-21-0x00007FFD9A670000-0x00007FFD9B011000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3112-30-0x000000001DDF0000-0x000000001DEE0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3112-8-0x000000001C420000-0x000000001C4BC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3112-0-0x00007FFD9A925000-0x00007FFD9A926000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3112-31-0x000000001D030000-0x000000001D04E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3112-32-0x000000001DEF0000-0x000000001DF39000-memory.dmp

      Filesize

      292KB

      Download

    • memory/3112-33-0x00007FFD9A670000-0x00007FFD9B011000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3112-34-0x000000001DFD0000-0x000000001E040000-memory.dmp

      Filesize

      448KB

      Download

    • memory/3112-35-0x00007FFD9A670000-0x00007FFD9B011000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3112-37-0x000000001E2A0000-0x000000001E2C0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3112-28-0x000000001CED0000-0x000000001CF32000-memory.dmp

      Filesize

      392KB

      Download

    • memory/3112-26-0x000000001B6B0000-0x000000001B6B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3112-1-0x00007FFD9A670000-0x00007FFD9B011000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3112-2-0x000000001B7E0000-0x000000001B83C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/3112-5-0x000000001B9D0000-0x000000001B9DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3112-6-0x00007FFD9A670000-0x00007FFD9B011000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3112-27-0x000000001B7D0000-0x000000001B7D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3112-25-0x000000001B6D0000-0x000000001B6E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3112-74-0x00007FFD9A670000-0x00007FFD9B011000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3112-23-0x000000001CAE0000-0x000000001CAF6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3112-29-0x000000001D830000-0x000000001DDEA000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3112-7-0x000000001BEB0000-0x000000001C37E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3988-54-0x0000000002CE0000-0x0000000002D1C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3988-53-0x0000000002C80000-0x0000000002C92000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3988-52-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3988-51-0x00007FFD96DF3000-0x00007FFD96DF5000-memory.dmp

      Filesize

      8KB

      Download