orcus | ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722

General

Target

ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
Size

913KB
MD5

da251d4a25d879b2b47d796b89a49bac
SHA1

55e66cef9543175ada225d7efb9dbf00d8acc396
SHA256

ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722
SHA512

7d75c3d90420fbcc21704c2ffae1cb37a136153b8712109232349722cc6e677341843f03960316d5a1be5904b591b1519d297a75701870606447f8ff381e2a96
SSDEEP

24576:cVl64MROxnFL5bHKTlQzrZlI0AilFEvxHi8Sw:cVDMiPzrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.31.232:10134

Mutex

9a0711938f32476b9cf4a8909df7bbe0

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\SYSTEM\Sys.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001939c-30.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001939c-30.dat	orcus
behavioral1/memory/2476-35-0x0000000000950000-0x0000000000A3A000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

pid	Process
2476	Sys.exe
2872	Sys.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SYSTEM\Sys.exe	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File created	C:\Program Files\SYSTEM\Sys.exe.config	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File created	C:\Program Files\SYSTEM\Sys.exe	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	Sys.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2476	Sys.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2476	Sys.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2576	1528	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	30
PID 1528 wrote to memory of 2576	1528	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	30
PID 1528 wrote to memory of 2576	1528	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	30
PID 2576 wrote to memory of 948	2576	csc.exe	32
PID 2576 wrote to memory of 948	2576	csc.exe	32
PID 2576 wrote to memory of 948	2576	csc.exe	32
PID 1528 wrote to memory of 2476	1528	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	34
PID 1528 wrote to memory of 2476	1528	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	34
PID 1528 wrote to memory of 2476	1528	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	34
PID 2656 wrote to memory of 2872	2656	taskeng.exe	36
PID 2656 wrote to memory of 2872	2656	taskeng.exe	36
PID 2656 wrote to memory of 2872	2656	taskeng.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\655dr0fb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D33.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D32.tmp"
    3⤵
    PID:948
- C:\Program Files\SYSTEM\Sys.exe
  "C:\Program Files\SYSTEM\Sys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2476

C:\Windows\system32\taskeng.exe
taskeng.exe {2A1E0322-BDF2-462C-A0B9-8D44FDF725CA} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Program Files\SYSTEM\Sys.exe
  "C:\Program Files\SYSTEM\Sys.exe"
  2⤵
  - Executes dropped EXE
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SYSTEM\Sys.exe

Filesize
913KB

MD5
da251d4a25d879b2b47d796b89a49bac

SHA1
55e66cef9543175ada225d7efb9dbf00d8acc396

SHA256
ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722

SHA512
7d75c3d90420fbcc21704c2ffae1cb37a136153b8712109232349722cc6e677341843f03960316d5a1be5904b591b1519d297a75701870606447f8ff381e2a96

Download Submit
C:\Program Files\SYSTEM\Sys.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\655dr0fb.dll

Filesize
76KB

MD5
39ff948dd51252808697f5bc80bc5b09

SHA1
0fb19986b2af1b668d64ac089d9e9341df41657f

SHA256
f3e14fd5ab0514927ca8e222e7231b58e72607c6771f5d0dd23c5951a1e121f0

SHA512
0a3bd80665ff246345dcb29b03cb8745a69412aa28b7962345785fc1bb3706980ed11a955e1c1db5dde053bdcfbe8bf68e802d8dd65bfe9ab37ea1c0ad295637

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D33.tmp

Filesize
1KB

MD5
be1531a85f91030bb40b36ffedf46557

SHA1
5e4247ba1edcab0ce3a7841be630fe2b943cdceb

SHA256
4be64f2a92fc504c65abfec6fb047362c9928fef5e2f3ea5e49049525fa69e1b

SHA512
6be460af123b974198c87b2df1d9951caed73ecde9645ae4db7068c82bcf31ed2cf46488ad295d356dcf53b6e8d52bd5d0028d6f2084d6983984e2fefd7725c8

Download Submit
C:\Users\Admin\AppData\Roaming\System32\err_9a0711938f32476b9cf4a8909df7bbe0.dat

Filesize
1KB

MD5
46d9cb02d0cb2c623f510f95d1ea1e6f

SHA1
2e168d7db38403cca9acfc2032e053ee8b5cb9e2

SHA256
b3152cfe1a4047ebc0d878b958bcd0b3ba9d29a2eeb2a405a7166938976c1cd8

SHA512
f33a36d1002fc2302c55f166eaddbd19dbb7314b7361e2d4dee626970bc32cb68889d1fb4d8b896216fc8f3f1b55718422c63d57ebd4db436740afb9857f3263

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\655dr0fb.0.cs

Filesize
208KB

MD5
c555d9796194c1d9a1310a05a2264e08

SHA1
82641fc4938680519c3b2e925e05e1001cbd71d7

SHA256
ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a

SHA512
0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\655dr0fb.cmdline

Filesize
349B

MD5
3d389e78a1bc31023b9cdfb2df6f272d

SHA1
26a4af88225d0cffbee5fe9fdacdb98f16ef0a45

SHA256
fbdfb40315fa73367939ae0669bf5684d32564e696c39586d4fff1d0673bdd25

SHA512
6b690887a4350e02bddb83215cf0a47b1563059f5e2a96c32d791377d36883877751b153ea3cf8122c5045f481b757fce20eb171aa6e4dfc28aebd2630311157

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8D32.tmp

Filesize
676B

MD5
7d59ac63bca07b2a374ac972fbfee876

SHA1
21fad64011f501c44b0e4f6382065c11d3baf26d

SHA256
2bd4b97fe3e28a0b5d83f1a8953033fb55e12a0b019a717b0a4a5be5bb85aa5d

SHA512
6499c1a492db1b86e985f6d8a309c4d8ed99648726da110351398ddf0405c6f2277dd73f51cb0ab4e33c7d22cf3260bd2779641128a94f3c5fb44b1f90d13b76

Download Submit
memory/1528-2-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/1528-34-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-0-0x000007FEF540E000-0x000007FEF540F000-memory.dmp

Filesize
4KB

Download
memory/1528-19-0x00000000021B0000-0x00000000021C6000-memory.dmp

Filesize
88KB

Download
memory/1528-21-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1528-4-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-24-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-23-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

Filesize
32KB

Download
memory/1528-22-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/1528-1-0x000000001AD80000-0x000000001ADDC000-memory.dmp

Filesize
368KB

Download
memory/1528-3-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-31-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2476-35-0x0000000000950000-0x0000000000A3A000-memory.dmp

Filesize
936KB

Download
memory/2476-38-0x00000000021E0000-0x000000000222E000-memory.dmp

Filesize
312KB

Download
memory/2476-40-0x000000001ABD0000-0x000000001ABE0000-memory.dmp

Filesize
64KB

Download
memory/2476-39-0x000000001ABB0000-0x000000001ABC8000-memory.dmp

Filesize
96KB

Download
memory/2576-12-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2576-17-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing