Overview

overview

10

Static

static

10

72328a364b...dc.exe

windows7-x64

10

72328a364b...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-12-2024 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe

  • Size

    3.0MB

  • MD5

    595866ce3023aa7a94a221bcff8bfe15

  • SHA1

    f1f8c080b238b7ea66d0d42732268fca9ae77364

  • SHA256

    72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc

  • SHA512

    75a406fdb7b862786f9ad402ca475affad57393d604669b2912db5cca3193f538f4fa5512d5f1524bdff4006cacd0ec664b5451f18a292ae2f34e2686f2d5308

  • SSDEEP

    49152:zkt1ZeM9/3EgHcyH4Z9fVTB4krLzS+HAypQxbOqUo9JnCmOK1IZfKGnlFr5Ixnc7:zktGjzD5rfLgypSbKo9JCm01n

Score
10/10
orcusstandoffdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

Standoff

C2

vimeworldserverstat.serveminecraft.net:3306

Mutex

578e841011a443d284fea21232fbf3a6

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %programfiles%\Syncing metadata\Explorer.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Explorer

  • watchdog_path

    AppData\Node S2-N.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe
    "C:\Users\Admin\AppData\Local\Temp\72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:5020
    • C:\Program Files\Syncing metadata\Explorer.exe
      "C:\Program Files\Syncing metadata\Explorer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Users\Admin\AppData\Roaming\Node S2-N.exe
        "C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /launchSelfAndExit "C:\Program Files\Syncing metadata\Explorer.exe" 3088 /protectFile
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4536
        • C:\Users\Admin\AppData\Roaming\Node S2-N.exe
          "C:\Users\Admin\AppData\Roaming\Node S2-N.exe" /watchProcess "C:\Program Files\Syncing metadata\Explorer.exe" 3088 "/protectFile"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4772
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Syncing metadata\Explorer.exe
    Filesize

    3.0MB

    MD5

    595866ce3023aa7a94a221bcff8bfe15

    SHA1

    f1f8c080b238b7ea66d0d42732268fca9ae77364

    SHA256

    72328a364b47db12bac7aa536cf3cb4c10c08712f762b8d85ce9307f45f2a7dc

    SHA512

    75a406fdb7b862786f9ad402ca475affad57393d604669b2912db5cca3193f538f4fa5512d5f1524bdff4006cacd0ec664b5451f18a292ae2f34e2686f2d5308

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Node S2-N.exe
    Filesize

    9KB

    MD5

    7796236d80b9e55f9571418e05a9578b

    SHA1

    14039d2800ca54c49c817b1fa35bdf45024ceab7

    SHA256

    02ea168ca6eb5b6211d7525ada5e100323d41155620ca40a149038b61fdb6cc5

    SHA512

    604b70f61bc0d8348b05921d46ce8aaa411a46ffa82ae516b4ba5e4df66759712e71bed77971a7c501e97b5f5d8a22440a29837fa7ce8e0a55ed5ee811e32cd5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Node S2-N.exe.config
    Filesize

    157B

    MD5

    7efa291047eb1202fde7765adac4b00d

    SHA1

    22d4846caff5e45c18e50738360579fbbed2aa8d

    SHA256

    807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6

    SHA512

    159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.exe
    Filesize

    21KB

    MD5

    20e49432591aeca9939d49f7e31d0ed5

    SHA1

    4fc0011186fd5b88620c503d42a3c62000a3b7fd

    SHA256

    7100036177c61bd0e5ecf14e70bb9803f75b2807b076974995dfa1175d2006c9

    SHA512

    37b23b5bb7f93e46fcc22d86c5fa1890e8db0b1683515aa2e22d03ce80e7ee0e8fcaad2de695582f2c4adee2e338d447a6be343ee04f0717482c746c07fd0afd

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.exe.config
    Filesize

    349B

    MD5

    89817519e9e0b4e703f07e8c55247861

    SHA1

    4636de1f6c997a25c3190f73f46a3fd056238d78

    SHA256

    f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

    SHA512

    b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

    Download Submit

  • memory/840-4-0x00007FF8ABFF0000-0x00007FF8ACAB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/840-5-0x00000236E0450000-0x00000236E0462000-memory.dmp

    Filesize

    72KB

    Download

  • memory/840-2-0x00000236E0570000-0x00000236E05CC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/840-3-0x00000236C7BB0000-0x00000236C7BBE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/840-0-0x00007FF8ABFF3000-0x00007FF8ABFF5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/840-45-0x00007FF8ABFF0000-0x00007FF8ACAB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/840-1-0x00000236C5D40000-0x00000236C604A000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2136-29-0x000001DC23F10000-0x000001DC2401A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3088-47-0x00000211C9790000-0x00000211C97E8000-memory.dmp

    Filesize

    352KB

    Download

  • memory/3088-46-0x00000211AF260000-0x00000211AF272000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3088-48-0x00000211AF2D0000-0x00000211AF2E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3088-49-0x00000211C9B20000-0x00000211C9CE2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3088-50-0x00000211C9400000-0x00000211C9410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4536-66-0x0000000000580000-0x0000000000588000-memory.dmp

    Filesize

    32KB

    Download

  • memory/5020-27-0x00007FF8ABFF0000-0x00007FF8ACAB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5020-26-0x00007FF8ABFF0000-0x00007FF8ACAB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5020-21-0x0000024977D80000-0x0000024977D92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5020-22-0x000002497AE80000-0x000002497AEBC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5020-20-0x00007FF8ABFF0000-0x00007FF8ACAB1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5020-19-0x0000024977990000-0x000002497799C000-memory.dmp

    Filesize

    48KB

    Download