orcus | ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722

General

Target

ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
Size

913KB
MD5

da251d4a25d879b2b47d796b89a49bac
SHA1

55e66cef9543175ada225d7efb9dbf00d8acc396
SHA256

ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722
SHA512

7d75c3d90420fbcc21704c2ffae1cb37a136153b8712109232349722cc6e677341843f03960316d5a1be5904b591b1519d297a75701870606447f8ff381e2a96
SSDEEP

24576:cVl64MROxnFL5bHKTlQzrZlI0AilFEvxHi8Sw:cVDMiPzrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.31.232:10134

Mutex

9a0711938f32476b9cf4a8909df7bbe0

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\SYSTEM\Sys.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023ca0-42.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023ca0-42.dat	orcus
behavioral2/memory/5024-53-0x0000000000680000-0x000000000076A000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

Executes dropped EXE 2 IoCs

pid	Process
5024	Sys.exe
2564	Sys.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\SYSTEM\Sys.exe	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File opened for modification	C:\Program Files\SYSTEM\Sys.exe	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File created	C:\Program Files\SYSTEM\Sys.exe.config	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File created	C:\Windows\assembly\Desktop.ini	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	Sys.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5024	Sys.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5024	Sys.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 3068	1496	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	82
PID 1496 wrote to memory of 3068	1496	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	82
PID 3068 wrote to memory of 2840	3068	csc.exe	84
PID 3068 wrote to memory of 2840	3068	csc.exe	84
PID 1496 wrote to memory of 5024	1496	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	86
PID 1496 wrote to memory of 5024	1496	ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe
"C:\Users\Admin\AppData\Local\Temp\ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ywc-ethy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D1E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D1D.tmp"
    3⤵
    PID:2840
- C:\Program Files\SYSTEM\Sys.exe
  "C:\Program Files\SYSTEM\Sys.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5024

C:\Program Files\SYSTEM\Sys.exe
"C:\Program Files\SYSTEM\Sys.exe"
1⤵
- Executes dropped EXE
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SYSTEM\Sys.exe

Filesize
913KB

MD5
da251d4a25d879b2b47d796b89a49bac

SHA1
55e66cef9543175ada225d7efb9dbf00d8acc396

SHA256
ce82a484a45a53282099937c6a655fbd9101f2ff89a69ffc101473a92615f722

SHA512
7d75c3d90420fbcc21704c2ffae1cb37a136153b8712109232349722cc6e677341843f03960316d5a1be5904b591b1519d297a75701870606447f8ff381e2a96

Download Submit
C:\Program Files\SYSTEM\Sys.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D1E.tmp

Filesize
1KB

MD5
e6a21f2e10533079f9a6713cf4b858fc

SHA1
74e26e517ff62694a36a918ec27317689a39f844

SHA256
9d72901d6f5a6867cf6e4afb32f257dfc569b91d032d9bd6c1482b56ad65c4ed

SHA512
6ff8472088f00531dd1cb1173f628fb9bff7c2aeffdf669891567bac517e1b2ad9a43cd21fd45803b33ceb5e2573800f2a6a3b4be7d0c31c4afeb3d80ee085ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywc-ethy.dll

Filesize
76KB

MD5
5e1548b8e8ff829bcaad5004cb1e6881

SHA1
630abffd1a039a5c7e50461abd5ce1f275438245

SHA256
28f8a8f2ccba204eddc39b9ffda7568b887c547aad5e9586c6b60ba8c1e90abd

SHA512
f91ddbdb70b302b8e8f7ad348932baf7ff96e4f0cb9d158c9875af12ce134b3565bef671bc783605fd301e797c06e1a8863bf49eda900912c1fefbe033356f47

Download Submit
C:\Users\Admin\AppData\Roaming\System32\err_9a0711938f32476b9cf4a8909df7bbe0.dat

Filesize
1KB

MD5
9ebbdde76a6e6f46fe97e3cb84c134a6

SHA1
5822dce79f42cb76caf3ad3cde3e98d3996a680a

SHA256
cc83505a1c23465fdcd24a7aeb3954f3d4a170b371aecab89b7c24ea50d79e92

SHA512
f9134affbb6bfac3ebc283bb198c50c4bca860ec62c23cfdcfeff2f045ead47e8d8a2ce26105f47d83a9f6800d8b09ef9aceb91d7b5f074e341afadb88ddf989

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8D1D.tmp

Filesize
676B

MD5
dded4ba809a9dbaabc6fff5d4754328f

SHA1
3f4e77dd21f45b3fceddc78e3fec33874e498cc8

SHA256
821c53fa4927e8563b375c80ec0d7c8dde2272cfbe2c2ad853638d6191c603cd

SHA512
726b64c5c758a649133a0a7ae411ab97acce65e1a4ed3ab811ee277327a01102a02aa5212005c1750999124f59d99cfb5b3e26c9cef79d9914bc5a0855d51f39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ywc-ethy.0.cs

Filesize
208KB

MD5
acc22ad826adbb363a0f1c36c57e240a

SHA1
a8c4cbec7d5ff35d20c2654b8be9a81169c6e655

SHA256
ba89deeeccfc5dd1947f2840deacb202f813746dbbaa3518cec04f678d1398b0

SHA512
78a0d3d2723454a6a25e85985cab3e58b02ba719cece681e0b09fae46564a4583025e223a1ce2c81c4483b93846aebc9497f6c23bbd1dbf5b64375ca8fb0e76e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ywc-ethy.cmdline

Filesize
349B

MD5
e31f1213ff69ae2da34e275c4211607b

SHA1
d45b92810038498df14baa3ab312732bf0460e0a

SHA256
1b645a177a93379020b9011094dcb849f8a503b6e66bc49178f6ee8938ac76e7

SHA512
a3842fcbc0fbf157ffecca4d3b8c684fd1230e6cc6663f6dbc800de8138b87dcb267209e4a6bbab914f3a0bef179f9655c360292a9fdbcc444780a89a8581326

Download Submit
memory/1496-28-0x000000001CB90000-0x000000001CBF2000-memory.dmp

Filesize
392KB

Download
memory/1496-35-0x00007FF9A0710000-0x00007FF9A10B1000-memory.dmp

Filesize
9.6MB

Download
memory/1496-0-0x00007FF9A09C5000-0x00007FF9A09C6000-memory.dmp

Filesize
4KB

Download
memory/1496-7-0x000000001C0E0000-0x000000001C17C000-memory.dmp

Filesize
624KB

Download
memory/1496-6-0x000000001BB70000-0x000000001C03E000-memory.dmp

Filesize
4.8MB

Download
memory/1496-23-0x000000001C7A0000-0x000000001C7B6000-memory.dmp

Filesize
88KB

Download
memory/1496-5-0x000000001B690000-0x000000001B69E000-memory.dmp

Filesize
56KB

Download
memory/1496-52-0x00007FF9A0710000-0x00007FF9A10B1000-memory.dmp

Filesize
9.6MB

Download
memory/1496-1-0x00007FF9A0710000-0x00007FF9A10B1000-memory.dmp

Filesize
9.6MB

Download
memory/1496-8-0x00007FF9A0710000-0x00007FF9A10B1000-memory.dmp

Filesize
9.6MB

Download
memory/1496-25-0x000000001B3F0000-0x000000001B402000-memory.dmp

Filesize
72KB

Download
memory/1496-29-0x000000001D4F0000-0x000000001DAAA000-memory.dmp

Filesize
5.7MB

Download
memory/1496-30-0x000000001DAB0000-0x000000001DBA0000-memory.dmp

Filesize
960KB

Download
memory/1496-31-0x000000001CCF0000-0x000000001CD0E000-memory.dmp

Filesize
120KB

Download
memory/1496-32-0x000000001DBB0000-0x000000001DBF9000-memory.dmp

Filesize
292KB

Download
memory/1496-33-0x00007FF9A0710000-0x00007FF9A10B1000-memory.dmp

Filesize
9.6MB

Download
memory/1496-34-0x000000001DC90000-0x000000001DD00000-memory.dmp

Filesize
448KB

Download
memory/1496-27-0x000000001B480000-0x000000001B488000-memory.dmp

Filesize
32KB

Download
memory/1496-2-0x000000001B4B0000-0x000000001B50C000-memory.dmp

Filesize
368KB

Download
memory/1496-26-0x000000001B370000-0x000000001B378000-memory.dmp

Filesize
32KB

Download
memory/3068-17-0x00007FF9A0710000-0x00007FF9A10B1000-memory.dmp

Filesize
9.6MB

Download
memory/3068-21-0x00007FF9A0710000-0x00007FF9A10B1000-memory.dmp

Filesize
9.6MB

Download
memory/5024-50-0x00007FF99DD53000-0x00007FF99DD55000-memory.dmp

Filesize
8KB

Download
memory/5024-53-0x0000000000680000-0x000000000076A000-memory.dmp

Filesize
936KB

Download
memory/5024-54-0x00000000029F0000-0x0000000002A02000-memory.dmp

Filesize
72KB

Download
memory/5024-55-0x0000000002A30000-0x0000000002A42000-memory.dmp

Filesize
72KB

Download
memory/5024-56-0x0000000002A90000-0x0000000002ACC000-memory.dmp

Filesize
240KB

Download
memory/5024-57-0x000000001C410000-0x000000001C51A000-memory.dmp

Filesize
1.0MB

Download
memory/5024-60-0x000000001B4C0000-0x000000001B50E000-memory.dmp

Filesize
312KB

Download
memory/5024-62-0x000000001B540000-0x000000001B558000-memory.dmp

Filesize
96KB

Download
memory/5024-63-0x000000001C400000-0x000000001C410000-memory.dmp

Filesize
64KB

Download
memory/5024-65-0x00007FF99DD53000-0x00007FF99DD55000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing