orcus | ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722

General

Target

ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
Size

913KB
MD5

da251d4a25d879b2b47d796b89a49bac
SHA1

55e66cef9543175ada225d7efb9dbf00d8acc396
SHA256

ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722
SHA512

7d75c3d90420fbcc21704c2ffae1cb37a136153b8712109232349722cc6e677341843f03960316d5a1be5904b591b1519d297a75701870606447f8ff381e2a96
SSDEEP

24576:cVl64MROxnFL5bHKTlQzrZlI0AilFEvxHi8Sw:cVDMiPzrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.31.232:10134

Mutex

9a0711938f32476b9cf4a8909df7bbe0

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\SYSTEM\Sys.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c9c-42.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c9c-42.dat	orcus
behavioral2/memory/988-52-0x00000000007D0000-0x00000000008BA000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

Executes dropped EXE 2 IoCs

pid	Process
988	Sys.exe
1200	Sys.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\SYSTEM\Sys.exe	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File opened for modification	C:\Program Files\SYSTEM\Sys.exe	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File created	C:\Program Files\SYSTEM\Sys.exe.config	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File created	C:\Windows\assembly\Desktop.ini	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	Sys.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
988	Sys.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
988	Sys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 1304	4564	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	82
PID 4564 wrote to memory of 1304	4564	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	82
PID 1304 wrote to memory of 3572	1304	csc.exe	84
PID 1304 wrote to memory of 3572	1304	csc.exe	84
PID 4564 wrote to memory of 988	4564	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	86
PID 4564 wrote to memory of 988	4564	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mgazzg7a.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98A7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC98A6.tmp"
    3⤵
    PID:3572
- C:\Program Files\SYSTEM\Sys.exe
  "C:\Program Files\SYSTEM\Sys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:988

C:\Program Files\SYSTEM\Sys.exe
"C:\Program Files\SYSTEM\Sys.exe"
1⤵
- Executes dropped EXE
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SYSTEM\Sys.exe

Filesize
913KB

MD5
da251d4a25d879b2b47d796b89a49bac

SHA1
55e66cef9543175ada225d7efb9dbf00d8acc396

SHA256
ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722

SHA512
7d75c3d90420fbcc21704c2ffae1cb37a136153b8712109232349722cc6e677341843f03960316d5a1be5904b591b1519d297a75701870606447f8ff381e2a96

Download Submit
C:\Program Files\SYSTEM\Sys.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98A7.tmp

Filesize
1KB

MD5
11b66e87b5d201e603205ef38491072d

SHA1
8661cc5cab2535953beeefdc4935a0b6814cba9d

SHA256
4466e9925ab435412ed8203a1bd8f94c4085d3c6e4eff1f723622dafec3fd8b6

SHA512
84481b905592d9929db79912975d7d00203e19a9efee878a4a9c8de73e8b5f83383a9bb8ded08b2b7c97f7ee1ee63155a7273663a1ed17eaf53d3c5c311a1594

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgazzg7a.dll

Filesize
76KB

MD5
233dd6388963d6b869efafd0c066ed34

SHA1
fe0704ef2dafdc0a054d7bdbdc1147fab04cc9c5

SHA256
d3de5c703c4216c2f6fed47720258f823c75395279f0fb66691cc0b0b1c7d942

SHA512
42a1d02c9c037eb20ec2ae437be063f4263a4f45345ac17a7397983d274599c09400a816e4f1b8689b896bc2d4682ff3e122253c1214d554892798f15610d315

Download Submit
C:\Users\Admin\AppData\Roaming\System32\err_9a0711938f32476b9cf4a8909df7bbe0.dat

Filesize
1KB

MD5
38beef6bd25b0bdf5ed5c0a07ea021b8

SHA1
d8426c0d1d32a0ae7b0b8912e503c22c0192c7f5

SHA256
de9df6fb5ab3cb1fdccd81232b2b7754c742a9056fadc55dd58d2612872000ba

SHA512
2aeaad880249d4f4025f120073ba57df09d6fc9ae4120fc977e802d83f9f19c683b261b03d9b7b5d3edbf4dcde63040e518460db4b8864e8d8f885ac95657e78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC98A6.tmp

Filesize
676B

MD5
34e13cdb110d928ec13a5ec9438fbc08

SHA1
9085489458ee47e44fa63d9c5288308594e68e29

SHA256
1d18ee0489047b74d09bc028c1023dc79408ae1f2e39a308051fb655737f1e7d

SHA512
e7cd6361d3ed26e26af6962df6e7029e387f0e3b8d2f4efb9933acf79191217407ac160901ed4af1dcdb7c8b9467837e44e95c533466e0f5ca19999e56ab7f60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mgazzg7a.0.cs

Filesize
208KB

MD5
da1c81c4360fdd05b0629c84da57666a

SHA1
fca24fdc4652aba6155041c49e4857a53e1275a9

SHA256
db438ed89fbb58decc88d6bf70972f60f3bf5f2466f696ce55973819e9e55016

SHA512
135535c333fa9e9feceb2ceef685aac06c558178fd93e866c5ccba27d51131fb90315d2fd74c92a2228d929ee206bee02f04f5d1a724dd1d10c36b3e3abe6498

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mgazzg7a.cmdline

Filesize
349B

MD5
f6e768c7760e750884e06ee3b32ee0c9

SHA1
850451f29f2796d545050a0fc0531fe5457f4a7e

SHA256
448571e1c776aa11c66479f9eb4fffdd8008d2cf325d8b5d9144d0db82987cbe

SHA512
0edb1e49b86069600ec7289e21fc8147399973c282ef02c2bfb1c5d2716e304249fb45f3ae00603b7f81dffd1b7eb496802f1026fa8f6b50aa19098ee477adda

Download Submit
memory/988-51-0x00007FFE82323000-0x00007FFE82325000-memory.dmp

Filesize
8KB

Download
memory/988-57-0x000000001C4A0000-0x000000001C5AA000-memory.dmp

Filesize
1.0MB

Download
memory/988-60-0x000000001C6B0000-0x000000001C6FE000-memory.dmp

Filesize
312KB

Download
memory/988-62-0x000000001CA70000-0x000000001CA88000-memory.dmp

Filesize
96KB

Download
memory/988-65-0x00007FFE82323000-0x00007FFE82325000-memory.dmp

Filesize
8KB

Download
memory/988-63-0x000000001CB90000-0x000000001CBA0000-memory.dmp

Filesize
64KB

Download
memory/988-56-0x000000001C350000-0x000000001C38C000-memory.dmp

Filesize
240KB

Download
memory/988-55-0x000000001B560000-0x000000001B572000-memory.dmp

Filesize
72KB

Download
memory/988-54-0x000000001B520000-0x000000001B532000-memory.dmp

Filesize
72KB

Download
memory/988-52-0x00000000007D0000-0x00000000008BA000-memory.dmp

Filesize
936KB

Download
memory/1304-16-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/1304-21-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/4564-30-0x000000001D820000-0x000000001D910000-memory.dmp

Filesize
960KB

Download
memory/4564-31-0x000000001CA60000-0x000000001CA7E000-memory.dmp

Filesize
120KB

Download
memory/4564-32-0x000000001D920000-0x000000001D969000-memory.dmp

Filesize
292KB

Download
memory/4564-33-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/4564-34-0x000000001DA00000-0x000000001DA70000-memory.dmp

Filesize
448KB

Download
memory/4564-35-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/4564-0-0x00007FFE85055000-0x00007FFE85056000-memory.dmp

Filesize
4KB

Download
memory/4564-29-0x000000001D260000-0x000000001D81A000-memory.dmp

Filesize
5.7MB

Download
memory/4564-28-0x000000001C900000-0x000000001C962000-memory.dmp

Filesize
392KB

Download
memory/4564-27-0x000000001B1F0000-0x000000001B1F8000-memory.dmp

Filesize
32KB

Download
memory/4564-53-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/4564-26-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/4564-25-0x000000001B160000-0x000000001B172000-memory.dmp

Filesize
72KB

Download
memory/4564-23-0x000000001C510000-0x000000001C526000-memory.dmp

Filesize
88KB

Download
memory/4564-8-0x000000001BE90000-0x000000001BF2C000-memory.dmp

Filesize
624KB

Download
memory/4564-7-0x000000001B920000-0x000000001BDEE000-memory.dmp

Filesize
4.8MB

Download
memory/4564-5-0x000000001B300000-0x000000001B30E000-memory.dmp

Filesize
56KB

Download
memory/4564-6-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download
memory/4564-2-0x000000001B200000-0x000000001B25C000-memory.dmp

Filesize
368KB

Download
memory/4564-1-0x00007FFE84DA0000-0x00007FFE85741000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing