General

  • Target

    MpDefenderCoreProtection.bat

  • Size

    3.8MB

  • Sample

    241120-ze118stdln

  • MD5

    8e550a5c4dfd929f9569d55f70eae366

  • SHA1

    4d594deeeb29fd8501e0f81a351efe4b9220b939

  • SHA256

    8283f48cec6ebef1bdd41cfd9769f11db127ff431a71002b25112bb79b0b0122

  • SHA512

    d00a931f7c388589a0f267737c47a7fb348cb2eb457daf15d582b533301513a3eda0e190eb23fe7aa19fd81714d5f90a537e2382b574cbd87bdc964823bab92d

  • SSDEEP

    49152:yir7trkN31WUqslOGw9m1YmK2CalCFp0+UR:yP

Malware Config

Targets

    • Target

      MpDefenderCoreProtection.bat

    • Size

      3.8MB

    • MD5

      8e550a5c4dfd929f9569d55f70eae366

    • SHA1

      4d594deeeb29fd8501e0f81a351efe4b9220b939

    • SHA256

      8283f48cec6ebef1bdd41cfd9769f11db127ff431a71002b25112bb79b0b0122

    • SHA512

      d00a931f7c388589a0f267737c47a7fb348cb2eb457daf15d582b533301513a3eda0e190eb23fe7aa19fd81714d5f90a537e2382b574cbd87bdc964823bab92d

    • SSDEEP

      49152:yir7trkN31WUqslOGw9m1YmK2CalCFp0+UR:yP

    • Orcus

      Orcus is a Remote Access Trojan (RAT) sold on underground forums.

    • Orcus family

    • Orcus RAT executable

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Drops file in System32 directory
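The two behaviours from the signature list that leave the clearest trace in process-creation telemetry are the hidden PowerShell launch and the registry country-code lookup. The following is an added example of detection logic for them, written for this page and not taken from the sandbox or the report; it runs over constructed Sysmon Event ID 1 style records in which only the file name comes from the report, and it assumes the country code in question is the Nation value under HKCU\Control Panel\International\Geo (where Windows stores the GeoID).

```python
"""Hunt over constructed process-creation records for the two behaviours the
report lists: PowerShell launched with a hidden window, and a lookup of the
registry-configured country code.  Example code added for this page; it is not
part of the sandbox report."""
import ntpath
import re

# Assumption: the "country code configured in the registry" is the Nation value
# under HKCU\Control Panel\International\Geo, where Windows stores the GeoID.
GEO_KEY_RE = re.compile(r"International\\Geo", re.IGNORECASE)

# -WindowStyle Hidden, including PowerShell's abbreviated parameter forms
# (-w, -win, ...) and the colon separator (-WindowStyle:Hidden).
HIDDEN_RE = re.compile(r"(?:^|\s)-w[a-z]*[\s:]+hidden\b", re.IGNORECASE)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)

# Constructed Sysmon Event ID 1 style records: the .bat name is the report's
# target, everything else (paths, user name, command lines) is made up.
SAMPLE_EVENTS = [
    {  # hidden PowerShell spawned by the batch file
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd /c ""C:\Users\victim\Downloads\MpDefenderCoreProtection.bat""',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Start-Sleep 1"',
    },
    {  # GeoID lookup via reg.exe, same batch parent
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'cmd /c ""C:\Users\victim\Downloads\MpDefenderCoreProtection.bat""',
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg query "HKCU\Control Panel\International\Geo" /v Nation',
    },
    {  # benign: PowerShell started by the user with a visible window
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": r"pwsh.exe -NoProfile -File C:\scripts\backup.ps1",
    },
    {  # benign: unrelated registry query from a plain cmd prompt
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'"C:\Windows\System32\cmd.exe"',
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName',
    },
]


def image_name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def is_hidden_powershell(image, cmdline):
    return image_name(image) in POWERSHELL_IMAGES and bool(HIDDEN_RE.search(cmdline))


def is_geo_lookup(cmdline):
    return bool(GEO_KEY_RE.search(cmdline))


def launched_from_batch(parent_image, parent_cmdline):
    return image_name(parent_image) == "cmd.exe" and bool(BATCH_RE.search(parent_cmdline))


def classify(event):
    """Return the behaviour tags that fire for one process-creation record."""
    tags = []
    if is_hidden_powershell(event["Image"], event["CommandLine"]):
        tags.append("hidden_powershell")
    if is_geo_lookup(event["CommandLine"]):
        tags.append("geo_lookup")
    # Batch-file parentage is context only: cmd.exe running a .bat spawns
    # children constantly, so it is never a finding on its own.
    if tags and launched_from_batch(event["ParentImage"], event["ParentCommandLine"]):
        tags.append("launched_from_batch")
    return tags


def triage(events):
    """Return one finding per event that triggered at least one behaviour tag."""
    findings = []
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            findings.append({"index": i, "image": image_name(ev["Image"]), "tags": tags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['image']} -> {', '.join(f['tags'])}")
```

Matching on the command line rather than on exact strings matters here: PowerShell accepts any unambiguous prefix of -WindowStyle and a colon separator, so a rule keyed on the literal "-WindowStyle Hidden" misses "-w hidden" and "-WindowStyle:Hidden". The registry read itself is not logged by Sysmon (only writes and deletes are), so the lookup is only visible when it goes through a separate process such as reg.exe or appears in a PowerShell command line; a lookup done in-process by a dropped executable will need a different data source.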

MITRE ATT&CK Enterprise v15

Tasks