orcus | 7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8

General

Target

7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
Size

917KB
MD5

cf0dd193b3411fab2cdc43e49bc6b850
SHA1

1fc53efd2ee6eadcd145b35d1964fa80daed81ae
SHA256

7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8
SHA512

dbb54b172b4de3dea5d681fb2f2b96e8a38b5e1d65385c3500f71c26d95c214c20fd2d710d98e7107427a887307cedd6958dbdf74f6ac4235e6c2968ab79af6d
SSDEEP

12288:xMLaIPO6EJr/ThI7dG1lFlWcYT70pxnnaaoawhmy9kgWrUrZNrI0AilFEvxHvBMi:VDg4MROxnFe1/rZlI0AilFEvxHiOOYV

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

Ezzka1337212312331-64524.portmap.host:64524

Mutex

b36ed3c7eee04d05bd5e94ae29f2d7fb

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\.minecraft\Launcher.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b79-63.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b79-63.dat	orcus
behavioral2/memory/3052-64-0x0000000000DF0000-0x0000000000EDC000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe

Executes dropped EXE 3 IoCs

pid	Process
3528	WindowsInput.exe
4804	WindowsInput.exe
3052	Launcher.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\.minecraft\Launcher.exe	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File opened for modification	C:\Program Files\.minecraft\Launcher.exe	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File created	C:\Program Files\.minecraft\Launcher.exe.config	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
File opened for modification	C:\Windows\assembly	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	Launcher.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3052	Launcher.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3052	Launcher.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 2748	3992	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	82
PID 3992 wrote to memory of 2748	3992	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	82
PID 2748 wrote to memory of 4140	2748	csc.exe	84
PID 2748 wrote to memory of 4140	2748	csc.exe	84
PID 3992 wrote to memory of 3528	3992	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	85
PID 3992 wrote to memory of 3528	3992	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	85
PID 3992 wrote to memory of 3052	3992	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	87
PID 3992 wrote to memory of 3052	3992	7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe	87

C:\Users\Admin\AppData\Local\Temp\7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe
"C:\Users\Admin\AppData\Local\Temp\7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwsqnkwf.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES78BB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC78BA.tmp"
    3⤵
    PID:4140
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3528
- C:\Program Files\.minecraft\Launcher.exe
  "C:\Program Files\.minecraft\Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3052

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\.minecraft\Launcher.exe

Filesize
917KB

MD5
cf0dd193b3411fab2cdc43e49bc6b850

SHA1
1fc53efd2ee6eadcd145b35d1964fa80daed81ae

SHA256
7761133cb4ae903f269c35218b773acf119e0382ab1fd80958f6bb80515f8ee8

SHA512
dbb54b172b4de3dea5d681fb2f2b96e8a38b5e1d65385c3500f71c26d95c214c20fd2d710d98e7107427a887307cedd6958dbdf74f6ac4235e6c2968ab79af6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES78BB.tmp

Filesize
1KB

MD5
8391141c2f5fb65457666fe738ccb167

SHA1
3bf3fb3f01a74369b33fd51ca7486154db6233db

SHA256
151284414d0cf40ce7f36a843eaf93cf01e7f5fe5d3494dd60a959277a4afbb7

SHA512
6eba73f702a8ef046de7213de9bfdd45cd649ec246ec4fbc3dc239da07624f3e66ac7f349eda30f47a0a120526dc4851ae33a7d134ff335aefc2a2e695cb8eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwsqnkwf.dll

Filesize
76KB

MD5
0e49d4b6315adbc50642b3fbbf05a8f1

SHA1
7c74e4ee37e533d033f42eb93868675d400b7c33

SHA256
925f2aaa68e55a7a30a5cd2ef3f76941baa87d3ef173a3308e150c6164f91632

SHA512
4e6a5c692fe583f6a480aa3da2131cf81498598efeb35925553426c7e945e999cecc363cca2f579e882107b7374c271d57fd251a717952d4f7c6bf306a9f124c

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC78BA.tmp

Filesize
676B

MD5
7757007770335a034779f53f8e10db04

SHA1
fa578707a300a1db796b6d054d2cf7be2ec39ccf

SHA256
05ef6e22a4300493cc633f5ac65ed71e4698ab641ac382a2c7c990762de14581

SHA512
cd46ea4608b7445742912e41f6239d8b41e2ff6ba85424a4f9479bc97c28c799f73098f24ec1e3f5acd12014c8bdfee56633324cb1fa97daa07d06976116f4b3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwsqnkwf.0.cs

Filesize
208KB

MD5
adfaa85193023f1f7048c5154e086e73

SHA1
62558d12d3c01556112b31c2b42ea57b6f3a7aa8

SHA256
56a2a3f6a154d4cbbfbd1b0da44725671f12eb0ccfb6afc09de1ed13b6afd994

SHA512
7aa8180e08f4a675f30f11820f538d3772728e20878711277940d2385ad3c0e02277862a751dec1fe1fb4d7c23c86327c435f5ac9b24024acc128a1f9213e1ca

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hwsqnkwf.cmdline

Filesize
349B

MD5
c00084c65580dfa6cf48224ccf12bf2b

SHA1
96b36e9bcbc94d885c4e354411efdcfdf3572ffb

SHA256
cbc9f9b7a72648e94509f12e469e80ebbd2753089342e88cba90f573bdb3c912

SHA512
86c25f342005b25441503749b052d6582380b4355aa9201a66cba54b123128b01b12d0a244cc6081c1f02600a7446238b02b4a8a263c4839117ece9062151bdc

Download Submit
memory/2748-21-0x00007FFF48470000-0x00007FFF48E11000-memory.dmp

Filesize
9.6MB

Download
memory/2748-14-0x00007FFF48470000-0x00007FFF48E11000-memory.dmp

Filesize
9.6MB

Download
memory/3052-68-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/3052-67-0x000000001BA40000-0x000000001BA58000-memory.dmp

Filesize
96KB

Download
memory/3052-66-0x000000001BA30000-0x000000001BA42000-memory.dmp

Filesize
72KB

Download
memory/3052-64-0x0000000000DF0000-0x0000000000EDC000-memory.dmp

Filesize
944KB

Download
memory/3528-42-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/3528-43-0x00000000027E0000-0x00000000027F2000-memory.dmp

Filesize
72KB

Download
memory/3528-44-0x000000001B390000-0x000000001B3CC000-memory.dmp

Filesize
240KB

Download
memory/3528-41-0x00007FFF46073000-0x00007FFF46075000-memory.dmp

Filesize
8KB

Download
memory/3992-2-0x000000001B790000-0x000000001B7EC000-memory.dmp

Filesize
368KB

Download
memory/3992-8-0x000000001C3E0000-0x000000001C47C000-memory.dmp

Filesize
624KB

Download
memory/3992-3-0x00007FFF48470000-0x00007FFF48E11000-memory.dmp

Filesize
9.6MB

Download
memory/3992-25-0x0000000001350000-0x0000000001362000-memory.dmp

Filesize
72KB

Download
memory/3992-26-0x0000000001090000-0x0000000001098000-memory.dmp

Filesize
32KB

Download
memory/3992-27-0x000000001CAE0000-0x000000001CB00000-memory.dmp

Filesize
128KB

Download
memory/3992-1-0x00007FFF48470000-0x00007FFF48E11000-memory.dmp

Filesize
9.6MB

Download
memory/3992-0-0x00007FFF48725000-0x00007FFF48726000-memory.dmp

Filesize
4KB

Download
memory/3992-65-0x00007FFF48470000-0x00007FFF48E11000-memory.dmp

Filesize
9.6MB

Download
memory/3992-23-0x000000001CAA0000-0x000000001CAB6000-memory.dmp

Filesize
88KB

Download
memory/3992-6-0x000000001B980000-0x000000001B98E000-memory.dmp

Filesize
56KB

Download
memory/3992-7-0x000000001BF10000-0x000000001C3DE000-memory.dmp

Filesize
4.8MB

Download
memory/4804-49-0x000000001A010000-0x000000001A11A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing