orcus | 7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8

General

Target

7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
Size

917KB
MD5

cf0dd193b3411fab2cdc43e49bc6b850
SHA1

1fc53efd2ee6eadcd145b35d1964fa80daed81ae
SHA256

7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8
SHA512

dbb54b172b4de3dea5d681fb2f2b96e8a38b5e1d65385c3500f71c26d95c214c20fd2d710d98e7107427a887307cedd6958dbdf74f6ac4235e6c2968ab79af6d
SSDEEP

12288:xMLaIPO6EJr/ThI7dG1lFlWcYT70pxnnaaoawhmy9kgWrUrZNrI0AilFEvxHvBMi:VDg4MROxnFe1/rZlI0AilFEvxHiOOYV

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

Ezzka1337212312331-64524.portmap.host:64524

Mutex

b36ed3c7eee04d05bd5e94ae29f2d7fb

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\.minecraft\Launcher.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b97-55.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b97-55.dat	orcus
behavioral2/memory/4464-64-0x00000000004D0000-0x00000000005BC000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe

Executes dropped EXE 3 IoCs

pid	Process
3024	WindowsInput.exe
1872	WindowsInput.exe
4464	Launcher.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\.minecraft\Launcher.exe	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File opened for modification	C:\Program Files\.minecraft\Launcher.exe	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File created	C:\Program Files\.minecraft\Launcher.exe.config	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File opened for modification	C:\Windows\assembly	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4464	Launcher.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4464	Launcher.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4464	Launcher.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 4844	2008	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	83
PID 2008 wrote to memory of 4844	2008	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	83
PID 4844 wrote to memory of 4880	4844	csc.exe	85
PID 4844 wrote to memory of 4880	4844	csc.exe	85
PID 2008 wrote to memory of 3024	2008	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	86
PID 2008 wrote to memory of 3024	2008	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	86
PID 2008 wrote to memory of 4464	2008	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	88
PID 2008 wrote to memory of 4464	2008	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	88

C:\Users\Admin\AppData\Local\Temp\7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
"C:\Users\Admin\AppData\Local\Temp\7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zl_sc_vb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A9D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A9C.tmp"
    3⤵
    PID:4880
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3024
- C:\Program Files\.minecraft\Launcher.exe
  "C:\Program Files\.minecraft\Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4464

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\.minecraft\Launcher.exe

Filesize
917KB

MD5
cf0dd193b3411fab2cdc43e49bc6b850

SHA1
1fc53efd2ee6eadcd145b35d1964fa80daed81ae

SHA256
7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8

SHA512
dbb54b172b4de3dea5d681fb2f2b96e8a38b5e1d65385c3500f71c26d95c214c20fd2d710d98e7107427a887307cedd6958dbdf74f6ac4235e6c2968ab79af6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A9D.tmp

Filesize
1KB

MD5
26aa6b90cdefe3f78df975e9c8063002

SHA1
346a0436733ab367dd27170e339e63e4f8cc99ee

SHA256
a0572eec21abbe64a07084aa9aaf7d133678727e424c6c4ff1d1871f9ece8068

SHA512
8c26bdb67e42f70c91c6e83826464e77e7e17994de37133104205ff1a141359b542210d9285fb448450a687653ff0d20e89febfbaf050c2f191e11af636d2e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zl_sc_vb.dll

Filesize
76KB

MD5
f8ef6bd604aeea3776bc0a978e260315

SHA1
e533f1529f7ae4db8d9c1ca2382c5bbdd6b1d529

SHA256
e064cde7074a4079a918ff878c6479356997e4f6df2d608bb372064a41ce47ac

SHA512
68e8b6cc8be204ed14f39af9be2e85b6220666b0fecd4a3786a90ff831400e0f3793cac3d63789a02b68197fba903a6144582be3d5d6bd8bf0853e36d062a60f

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8A9C.tmp

Filesize
676B

MD5
f5e53c0cf48b5cc899236e2407b61437

SHA1
6aa9fbe17f3e661e0315012a10c6ff25801d879a

SHA256
101aef59d722104ffbbc831fcf25adf3926dc1f959120f365b22f5124df95aec

SHA512
301751e87a7c088be71eff2c3cdf37c917d3a035b2c787280463811bd0a148a1e4bc8166760c57222dcef4fc1808336e266345ec77da619e1f0938f2ec428cf2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zl_sc_vb.0.cs

Filesize
208KB

MD5
3a61c2611445d3c42877517d4bf4edcd

SHA1
05f80b5aabb0d774013a2a0c792293b584ceeb8a

SHA256
b877f1821ddc0f900592301f7a097c8dac91133216f596b3417dca0cbb32c3a1

SHA512
618207991f28f134a1d1d365e8acce5a0aee1ff2a11213a267fcc062bb60596e9b476f08fa5dc55ba3e4cb61fa158105bb69b1b463a3fe7b9d815ca422be2896

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zl_sc_vb.cmdline

Filesize
349B

MD5
c3d65c5d637fe71df32ea6442f90c105

SHA1
3cbca7ca979c44c0e37d733f1b39f3052cc98714

SHA256
4ce8d8910db823ad65a8ee2d4ae68d9ad54700b0b04800a0f52480215b65a55e

SHA512
c47ca3176c93afaf83d4a073a55973468241dd921438606a51623875ab76e59bf2631fc5876a9ecd673175222d1b50c8ce5f0bb85b34459662f0ee751559accc

Download Submit
memory/1872-49-0x000000001A440000-0x000000001A54A000-memory.dmp

Filesize
1.0MB

Download
memory/2008-65-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download
memory/2008-0-0x00007FFB5C655000-0x00007FFB5C656000-memory.dmp

Filesize
4KB

Download
memory/2008-8-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download
memory/2008-7-0x000000001C730000-0x000000001C7CC000-memory.dmp

Filesize
624KB

Download
memory/2008-23-0x000000001CDF0000-0x000000001CE06000-memory.dmp

Filesize
88KB

Download
memory/2008-6-0x000000001C1C0000-0x000000001C68E000-memory.dmp

Filesize
4.8MB

Download
memory/2008-25-0x0000000001600000-0x0000000001612000-memory.dmp

Filesize
72KB

Download
memory/2008-26-0x00000000014D0000-0x00000000014D8000-memory.dmp

Filesize
32KB

Download
memory/2008-27-0x000000001CE30000-0x000000001CE50000-memory.dmp

Filesize
128KB

Download
memory/2008-5-0x000000001BCE0000-0x000000001BCEE000-memory.dmp

Filesize
56KB

Download
memory/2008-2-0x000000001BAE0000-0x000000001BB3C000-memory.dmp

Filesize
368KB

Download
memory/2008-1-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download
memory/3024-42-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/3024-43-0x0000000002BE0000-0x0000000002BF2000-memory.dmp

Filesize
72KB

Download
memory/3024-44-0x0000000002C40000-0x0000000002C7C000-memory.dmp

Filesize
240KB

Download
memory/3024-41-0x00007FFB59403000-0x00007FFB59405000-memory.dmp

Filesize
8KB

Download
memory/4464-64-0x00000000004D0000-0x00000000005BC000-memory.dmp

Filesize
944KB

Download
memory/4464-66-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/4464-67-0x0000000002690000-0x00000000026A8000-memory.dmp

Filesize
96KB

Download
memory/4464-68-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

Filesize
64KB

Download
memory/4844-21-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download
memory/4844-16-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing