orcus | 7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8

General

Target

7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
Size

917KB
MD5

cf0dd193b3411fab2cdc43e49bc6b850
SHA1

1fc53efd2ee6eadcd145b35d1964fa80daed81ae
SHA256

7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8
SHA512

dbb54b172b4de3dea5d681fb2f2b96e8a38b5e1d65385c3500f71c26d95c214c20fd2d710d98e7107427a887307cedd6958dbdf74f6ac4235e6c2968ab79af6d
SSDEEP

12288:xMLaIPO6EJr/ThI7dG1lFlWcYT70pxnnaaoawhmy9kgWrUrZNrI0AilFEvxHvBMi:VDg4MROxnFe1/rZlI0AilFEvxHiOOYV

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

Ezzka1337212312331-64524.portmap.host:64524

Mutex

b36ed3c7eee04d05bd5e94ae29f2d7fb

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\.minecraft\Launcher.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d36-39.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d36-39.dat	orcus
behavioral1/memory/2400-43-0x0000000000960000-0x0000000000A4C000-memory.dmp	orcus

Executes dropped EXE 3 IoCs

pid	Process
2756	WindowsInput.exe
1932	WindowsInput.exe
2400	Launcher.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\.minecraft\Launcher.exe	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File opened for modification	C:\Program Files\.minecraft\Launcher.exe	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File created	C:\Program Files\.minecraft\Launcher.exe.config	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	Launcher.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2400	Launcher.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2400	Launcher.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2020	1508	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	31
PID 1508 wrote to memory of 2020	1508	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	31
PID 1508 wrote to memory of 2020	1508	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	31
PID 2020 wrote to memory of 2832	2020	csc.exe	33
PID 2020 wrote to memory of 2832	2020	csc.exe	33
PID 2020 wrote to memory of 2832	2020	csc.exe	33
PID 1508 wrote to memory of 2756	1508	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	34
PID 1508 wrote to memory of 2756	1508	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	34
PID 1508 wrote to memory of 2756	1508	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	34
PID 1508 wrote to memory of 2400	1508	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	36
PID 1508 wrote to memory of 2400	1508	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	36
PID 1508 wrote to memory of 2400	1508	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	36

C:\Users\Admin\AppData\Local\Temp\7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
"C:\Users\Admin\AppData\Local\Temp\7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2vbv_s6f.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF23C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF23B.tmp"
    3⤵
    PID:2832
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2756
- C:\Program Files\.minecraft\Launcher.exe
  "C:\Program Files\.minecraft\Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2400

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\.minecraft\Launcher.exe

Filesize
917KB

MD5
cf0dd193b3411fab2cdc43e49bc6b850

SHA1
1fc53efd2ee6eadcd145b35d1964fa80daed81ae

SHA256
7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8

SHA512
dbb54b172b4de3dea5d681fb2f2b96e8a38b5e1d65385c3500f71c26d95c214c20fd2d710d98e7107427a887307cedd6958dbdf74f6ac4235e6c2968ab79af6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vbv_s6f.dll

Filesize
76KB

MD5
ac267bcefa99c56536ec7a13f3018af2

SHA1
3687b81c5d234324c3164f5b914eaa58cd4d9565

SHA256
bc06a56ac333b6153bb4d115273ad854a8aaaffa45cd6bdc759fbfbaf734cc33

SHA512
33165c204d4eba8fa96ecf130e871c1382649641dc68a4714a5b023285be83f3b72a82b2ab2762b660326f47bef6ea9473b29338a503dcde6486e079e026c394

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF23C.tmp

Filesize
1KB

MD5
018c5c2ae2f1426b5436ed97102a22d6

SHA1
815cf11dcbde56f52440e9970c687cf7becba015

SHA256
fdfd49033e3badebba84a4942b4c339a2e23daa60efe64be537d3501101d424d

SHA512
e692fe87beabd1a6e6143f4b1d602fcc039085ba5f78bc845981d05f2a4d89d040e76b50f5e54c693253ea7dbecaf4672b5dd5cabc1f89f3f4146583e7c256ef

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2vbv_s6f.0.cs

Filesize
208KB

MD5
972caddb10d36dc6fb05136b315e1f86

SHA1
17ac4c22b239b72123e4f66ef022598efaaeb040

SHA256
8bee7b8e7c51d1f399a010f6bb23e7b5dbf8e0124f954688a7b73ee84becbcbb

SHA512
d4ffe7b958e13963a360a5b2f02f54fc9f92cc0bc5e10330a5b0ca9170b4de2d4dc8549d0c21fbd302164bf79dc36b0d31a0c18c51c9aa0539520f04fb7e2e2a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2vbv_s6f.cmdline

Filesize
349B

MD5
23d35cf5b5e0bf5397df451f938a6e51

SHA1
f86ba0ab9f8cce1a04aa78aa5cc5d29101ced686

SHA256
00e35a5289ae95fa029a36cb6fdc76b893aa011b345e58c46c06dfdae2df61c7

SHA512
68a50f1531bf830ec58e2a7a1d0d9498512aa6f4e97255c40ddc30f75d942f4d5daec657d5ea7c083024c4b86826ff1634bd404b40818bfbb4698284471e07de

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF23B.tmp

Filesize
676B

MD5
920db188935b0f0cc33568fffb5640a7

SHA1
92c9b17e704557f3396225000fd6cfc12ac6db1f

SHA256
6ac0b4c6ae44f9a9b51859d3c399cb183189964a15de8e385002b7aecc153638

SHA512
cd8a9dc17489199edf0a7af3e248560aa5bc8a27f528b92847c1cc590261172d18c0a6cdec075a6af496ceb8a003eb7e5972c2920734020740ed7dd29b2e5f8e

Download Submit
memory/1508-6-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/1508-42-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/1508-19-0x000000001AFA0000-0x000000001AFB6000-memory.dmp

Filesize
88KB

Download
memory/1508-0-0x000007FEF515E000-0x000007FEF515F000-memory.dmp

Filesize
4KB

Download
memory/1508-21-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1508-22-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/1508-9-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/1508-1-0x000000001AF20000-0x000000001AF7C000-memory.dmp

Filesize
368KB

Download
memory/1508-2-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/1932-34-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

Filesize
48KB

Download
memory/2020-17-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-10-0x000007FEF4EA0000-0x000007FEF583D000-memory.dmp

Filesize
9.6MB

Download
memory/2400-43-0x0000000000960000-0x0000000000A4C000-memory.dmp

Filesize
944KB

Download
memory/2400-44-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2400-45-0x0000000000390000-0x00000000003A8000-memory.dmp

Filesize
96KB

Download
memory/2400-46-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/2756-30-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing