orcus | ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722

General

Target

ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
Size

913KB
MD5

da251d4a25d879b2b47d796b89a49bac
SHA1

55e66cef9543175ada225d7efb9dbf00d8acc396
SHA256

ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722
SHA512

7d75c3d90420fbcc21704c2ffae1cb37a136153b8712109232349722cc6e677341843f03960316d5a1be5904b591b1519d297a75701870606447f8ff381e2a96
SSDEEP

24576:cVl64MROxnFL5bHKTlQzrZlI0AilFEvxHi8Sw:cVDMiPzrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.31.232:10134

Mutex

9a0711938f32476b9cf4a8909df7bbe0

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\SYSTEM\Sys.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00080000000195c0-31.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000195c0-31.dat	orcus
behavioral1/memory/2908-35-0x0000000000B80000-0x0000000000C6A000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

pid	Process
2908	Sys.exe
2556	Sys.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\SYSTEM\Sys.exe	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File opened for modification	C:\Program Files\SYSTEM\Sys.exe	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File created	C:\Program Files\SYSTEM\Sys.exe.config	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	Sys.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2908	Sys.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2908	Sys.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2624	2620	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	30
PID 2620 wrote to memory of 2624	2620	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	30
PID 2620 wrote to memory of 2624	2620	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	30
PID 2624 wrote to memory of 1976	2624	csc.exe	32
PID 2624 wrote to memory of 1976	2624	csc.exe	32
PID 2624 wrote to memory of 1976	2624	csc.exe	32
PID 2620 wrote to memory of 2908	2620	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	35
PID 2620 wrote to memory of 2908	2620	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	35
PID 2620 wrote to memory of 2908	2620	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	35
PID 2696 wrote to memory of 2556	2696	taskeng.exe	37
PID 2696 wrote to memory of 2556	2696	taskeng.exe	37
PID 2696 wrote to memory of 2556	2696	taskeng.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hstkdaew.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC26.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCC25.tmp"
    3⤵
    PID:1976
- C:\Program Files\SYSTEM\Sys.exe
  "C:\Program Files\SYSTEM\Sys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2908

C:\Windows\system32\taskeng.exe
taskeng.exe {E1DC4008-29C4-44D4-A24E-392E117D42F3} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files\SYSTEM\Sys.exe
  "C:\Program Files\SYSTEM\Sys.exe"
  2⤵
  - Executes dropped EXE
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SYSTEM\Sys.exe

Filesize
913KB

MD5
da251d4a25d879b2b47d796b89a49bac

SHA1
55e66cef9543175ada225d7efb9dbf00d8acc396

SHA256
ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722

SHA512
7d75c3d90420fbcc21704c2ffae1cb37a136153b8712109232349722cc6e677341843f03960316d5a1be5904b591b1519d297a75701870606447f8ff381e2a96

Download Submit
C:\Program Files\SYSTEM\Sys.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC26.tmp

Filesize
1KB

MD5
67a97d7579f1928aa621562b237f7be4

SHA1
6048a16f9847e1478c0a37011323ebf4c33fc1cd

SHA256
83cb8a4fed25490085b538f20a4cd45f71826418ba10cb68a0c287a38361f7fa

SHA512
a717eff2cd29be57dc645e8dd7eb55bf33cb23be30b748c9ff78e6d718b4e1191b4b9312ab625c562de8e5586d3d77cfe5c002b5d4d1e11e6ab136fad54caa25

Download Submit
C:\Users\Admin\AppData\Local\Temp\hstkdaew.dll

Filesize
76KB

MD5
ac6d5803138269337e8bce95924af751

SHA1
6370279fec17912b49f20b512e9953dd21679299

SHA256
bae97f64dd245fd23f789c6d4170b096f0d351e4621effe9638305d6ac42a70a

SHA512
cded37db684caae3e6d1b92a4524d80f5d8f4122aaa1110d06f60ca4ca8a1964670d597950151094e8f4f497851567dc119d731097a65a6a6da8dd560349eaaf

Download Submit
C:\Users\Admin\AppData\Roaming\System32\err_9a0711938f32476b9cf4a8909df7bbe0.dat

Filesize
1KB

MD5
9a9b73169d6b69ee3dc7137cf471dcd3

SHA1
88629ca6aef28adb8b8e1ce688ffed3c56da7bee

SHA256
7e8d2ebc9772bd2b163091e3b725120f0dd547a96299f0db8072541430cccf6a

SHA512
aabb5ddd418545d0e509a5a943cb7014bd593e23cd708835ea27bfbf90684498bc9f33a420c51621ce94a54fe8e047a87367f35a3b58e270295419d05e5a0830

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCC25.tmp

Filesize
676B

MD5
6c5e0c91ee515e59d30001db9c6801c9

SHA1
96b46d161abbdd00ed5379957eae4f9544044451

SHA256
1fcd40892a3f8376e6214bc6f0b22951c3fbcc896d55fc4eab56f287a09b8677

SHA512
634bcd02d66bc7704bff2ebb1e2ec3d3972504cdd97cee7c20872231e6b18607f6c06918916f0e61e7549535fe677727339ab2fef8f162f11392d9547b4cd3b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hstkdaew.0.cs

Filesize
208KB

MD5
250321226bbc2a616d91e1c82cb4ab2b

SHA1
7cffd0b2e9c842865d8961386ab8fcfac8d04173

SHA256
ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d

SHA512
bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hstkdaew.cmdline

Filesize
349B

MD5
4c8f5c79474bb25ce9893c3257e490de

SHA1
32e1be83667bde10be8669798955e9d4015340ce

SHA256
a072a65059f3df29dba4191ae86a2171c430706aa7e09ba947fbe85d0b931dbf

SHA512
c1bd3e969d3d644b01e8c8c04ecdba2d7da601913190b646426c2bf31a46dff1132c481e955728823fd8723143499e9afe83a39b8acf9e8f1a97215a55996cc6

Download Submit
memory/2620-29-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-23-0x000000001AE20000-0x000000001AE28000-memory.dmp

Filesize
32KB

Download
memory/2620-24-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-4-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-19-0x000000001AE00000-0x000000001AE16000-memory.dmp

Filesize
88KB

Download
memory/2620-21-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2620-22-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2620-1-0x000000001AF80000-0x000000001AFDC000-memory.dmp

Filesize
368KB

Download
memory/2620-2-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2620-0-0x000007FEF5C2E000-0x000007FEF5C2F000-memory.dmp

Filesize
4KB

Download
memory/2620-33-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-3-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-17-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-10-0x000007FEF5970000-0x000007FEF630D000-memory.dmp

Filesize
9.6MB

Download
memory/2908-41-0x0000000002360000-0x0000000002370000-memory.dmp

Filesize
64KB

Download
memory/2908-36-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2908-39-0x000000001A850000-0x000000001A89E000-memory.dmp

Filesize
312KB

Download
memory/2908-40-0x00000000021A0000-0x00000000021B8000-memory.dmp

Filesize
96KB

Download
memory/2908-35-0x0000000000B80000-0x0000000000C6A000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing