orcus | 93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe

General

Target

93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe.exe
Size

3.0MB
MD5

035a7d77f518443bed37aba5e028437d
SHA1

2b4090d2c65e08fda29b48e1a43267f132f76a53
SHA256

93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe
SHA512

ea59649116c3137123c6ced6c51e977770bcaf2a3446a9bf7d06e1d90aad055dae18d55364749b8050f72dba8674325d8af1fe3b46146ed29a256e58717b063e
SSDEEP

49152:gjXS4QZeM9/sj9aB50J5srKq9lPAypQxbvVo9JnCm8eWncFfHIp4gJ3DF:gmKSf0HcyypSbvVo9JCm

Score

10^/10

orcus discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

vimeworldserverstat.serveminecraft.net:3306

Mutex

ea91e682793844fca9bc0ca6e3ab757b

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%appdata%\Microsoft Edge\Const\Edge.exe
reconnect_delay
10000
registry_keyname
Edge
taskscheduler_taskname
Orcus
watchdog_path
AppData\EdgeUpgater.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5020-1-0x000001BE89BF0000-0x000001BE89EEA000-memory.dmp	orcus
C:\Users\Admin\AppData\Roaming\Microsoft Edge\Const\Edge.exe	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Edge.exeEdgeUpgater.exe93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Edge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	EdgeUpgater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe.exe

Executes dropped EXE 3 IoCs

Processes:

Edge.exeEdgeUpgater.exeEdgeUpgater.exe

pid process

4956 Edge.exe
4840 EdgeUpgater.exe
2940 EdgeUpgater.exe

pid	process
4956	Edge.exe
4840	EdgeUpgater.exe
2940	EdgeUpgater.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Edge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Edge = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Edge\\Const\\Edge.exe\""	Edge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

EdgeUpgater.exeEdgeUpgater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EdgeUpgater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EdgeUpgater.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

EdgeUpgater.exeEdge.exe

pid	process
2940	EdgeUpgater.exe
2940	EdgeUpgater.exe
4956	Edge.exe
4956	Edge.exe
4956	Edge.exe
2940	EdgeUpgater.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
4956	Edge.exe
2940	EdgeUpgater.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
2940	EdgeUpgater.exe
4956	Edge.exe
4956	Edge.exe
2940	EdgeUpgater.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
4956	Edge.exe
2940	EdgeUpgater.exe
2940	EdgeUpgater.exe
4956	Edge.exe
4956	Edge.exe
2940	EdgeUpgater.exe
2940	EdgeUpgater.exe
4956	Edge.exe
4956	Edge.exe
2940	EdgeUpgater.exe
4956	Edge.exe
2940	EdgeUpgater.exe
2940	EdgeUpgater.exe
4956	Edge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Edge.exeEdgeUpgater.exeEdgeUpgater.exe

description pid process

Token: SeDebugPrivilege 4956 Edge.exe
Token: SeDebugPrivilege 4840 EdgeUpgater.exe
Token: SeDebugPrivilege 2940 EdgeUpgater.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Edge.exe

pid process

4956 Edge.exe

description	pid	process
Token: SeDebugPrivilege	4956	Edge.exe
Token: SeDebugPrivilege	4840	EdgeUpgater.exe
Token: SeDebugPrivilege	2940	EdgeUpgater.exe

pid	process
4956	Edge.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe.exeEdge.exeEdgeUpgater.exe

description	pid	process	target process
PID 5020 wrote to memory of 4956	5020	93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe.exe	Edge.exe
PID 5020 wrote to memory of 4956	5020	93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe.exe	Edge.exe
PID 4956 wrote to memory of 4840	4956	Edge.exe	EdgeUpgater.exe
PID 4956 wrote to memory of 4840	4956	Edge.exe	EdgeUpgater.exe
PID 4956 wrote to memory of 4840	4956	Edge.exe	EdgeUpgater.exe
PID 4840 wrote to memory of 2940	4840	EdgeUpgater.exe	EdgeUpgater.exe
PID 4840 wrote to memory of 2940	4840	EdgeUpgater.exe	EdgeUpgater.exe
PID 4840 wrote to memory of 2940	4840	EdgeUpgater.exe	EdgeUpgater.exe

C:\Users\Admin\AppData\Local\Temp\93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe.exe
"C:\Users\Admin\AppData\Local\Temp\93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Roaming\Microsoft Edge\Const\Edge.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft Edge\Const\Edge.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Roaming\EdgeUpgater.exe
    "C:\Users\Admin\AppData\Roaming\EdgeUpgater.exe" /launchSelfAndExit "C:\Users\Admin\AppData\Roaming\Microsoft Edge\Const\Edge.exe" 4956
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\AppData\Roaming\EdgeUpgater.exe
      "C:\Users\Admin\AppData\Roaming\EdgeUpgater.exe" /watchProcess "C:\Users\Admin\AppData\Roaming\Microsoft Edge\Const\Edge.exe" 4956
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EdgeUpgater.exe

Filesize
9KB

MD5
cc2ff368c6e1b1341951d9ecb5978528

SHA1
32f3783de76e9560e80eca0e50099de69e6399c5

SHA256
28041d5b2c468d55dc799509f3e687a480239544daf103e9296a3f61969f55a1

SHA512
6a9b99f52227826470a7c8cf263a4ad14d5aa8ec65b2e41965ed3320e10a1389832d83d3ec63b23ff7f40713a9a63aa9a2232439615b4f6abb2ca0c093975157

Download Submit
C:\Users\Admin\AppData\Roaming\EdgeUpgater.exe.config

Filesize
157B

MD5
7efa291047eb1202fde7765adac4b00d

SHA1
22d4846caff5e45c18e50738360579fbbed2aa8d

SHA256
807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6

SHA512
159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft Edge\Const\Edge.exe

Filesize
3.0MB

MD5
035a7d77f518443bed37aba5e028437d

SHA1
2b4090d2c65e08fda29b48e1a43267f132f76a53

SHA256
93db7516173baef742090e042347142ab0c48ab7d5175417ec7aa10ae66961fe

SHA512
ea59649116c3137123c6ced6c51e977770bcaf2a3446a9bf7d06e1d90aad055dae18d55364749b8050f72dba8674325d8af1fe3b46146ed29a256e58717b063e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft Edge\Const\Edge.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
memory/4840-43-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/4956-23-0x00007FF918300000-0x00007FF918DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4956-46-0x00000242605E0000-0x00000242605F2000-memory.dmp

Filesize
72KB

Download
memory/4956-50-0x00007FF918300000-0x00007FF918DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4956-49-0x00007FF918300000-0x00007FF918DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4956-21-0x00007FF918300000-0x00007FF918DC1000-memory.dmp

Filesize
10.8MB

Download
memory/4956-48-0x0000024260790000-0x000002426089A000-memory.dmp

Filesize
1.0MB

Download
memory/4956-24-0x000002425FCA0000-0x000002425FCF8000-memory.dmp

Filesize
352KB

Download
memory/4956-25-0x0000024247120000-0x0000024247138000-memory.dmp

Filesize
96KB

Download
memory/4956-26-0x0000024247100000-0x0000024247110000-memory.dmp

Filesize
64KB

Download
memory/4956-27-0x000002425FED0000-0x0000024260092000-memory.dmp

Filesize
1.8MB

Download
memory/4956-47-0x0000024260640000-0x000002426067C000-memory.dmp

Filesize
240KB

Download
memory/5020-2-0x000001BE8BA60000-0x000001BE8BABC000-memory.dmp

Filesize
368KB

Download
memory/5020-1-0x000001BE89BF0000-0x000001BE89EEA000-memory.dmp

Filesize
3.0MB

Download
memory/5020-5-0x000001BEA4430000-0x000001BEA4442000-memory.dmp

Filesize
72KB

Download
memory/5020-3-0x000001BE8A280000-0x000001BE8A28E000-memory.dmp

Filesize
56KB

Download
memory/5020-0-0x00007FF918303000-0x00007FF918305000-memory.dmp

Filesize
8KB

Download
memory/5020-22-0x00007FF918300000-0x00007FF918DC1000-memory.dmp

Filesize
10.8MB

Download
memory/5020-4-0x00007FF918300000-0x00007FF918DC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads