Overview

overview

10

Static

static

10

8d034dca8a...29.exe

windows7-x64

10

8d034dca8a...29.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-12-2024 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d034dca8a82224fd0d62ac8ec40a7726333343047cf7b9cc67f77594f352f29.exe

  • Size

    3.0MB

  • MD5

    dcc9d3e0c20da2dca991fb356f470c78

  • SHA1

    b48107835894784a0e5fb6fd2bce0923decc77e9

  • SHA256

    8d034dca8a82224fd0d62ac8ec40a7726333343047cf7b9cc67f77594f352f29

  • SHA512

    11fb0de367ca1390b532742dde43cacc60a2847f72acbf6e12e470eef76790a2914239c381bb279efc337fc713a5d962a2473310d493ed36583f160a574dfb17

  • SSDEEP

    49152:xzt1ZeM9/3EgHcyH4Z9fVTB4krLzS+HAypQxbOqUo9JnCm2xIP3GnlFreInnczWC:xztGjzD5rfLgypSbKo9JCm/Pz

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

cidsfuckerminecraft.serveminecraft.net:3306

Mutex

dd8c7681cdfd49cd9e9ce006ba4a5567

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\Edge\Explorer.exe

  • reconnect_delay

    10000

  • registry_keyname

    Edge Update Service

  • taskscheduler_taskname

    Edge Update Service

  • watchdog_path

    Temp\Edge Update.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d034dca8a82224fd0d62ac8ec40a7726333343047cf7b9cc67f77594f352f29.exe
    "C:\Users\Admin\AppData\Local\Temp\8d034dca8a82224fd0d62ac8ec40a7726333343047cf7b9cc67f77594f352f29.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:2768
    • C:\Program Files\Edge\Explorer.exe
      "C:\Program Files\Edge\Explorer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Users\Admin\AppData\Local\Temp\Edge Update.exe
        "C:\Users\Admin\AppData\Local\Temp\Edge Update.exe" /launchSelfAndExit "C:\Program Files\Edge\Explorer.exe" 856 /protectFile
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2500
        • C:\Users\Admin\AppData\Local\Temp\Edge Update.exe
          "C:\Users\Admin\AppData\Local\Temp\Edge Update.exe" /watchProcess "C:\Program Files\Edge\Explorer.exe" 856 "/protectFile"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2784
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:4448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Edge\Explorer.exe
    Filesize

    3.0MB

    MD5

    dcc9d3e0c20da2dca991fb356f470c78

    SHA1

    b48107835894784a0e5fb6fd2bce0923decc77e9

    SHA256

    8d034dca8a82224fd0d62ac8ec40a7726333343047cf7b9cc67f77594f352f29

    SHA512

    11fb0de367ca1390b532742dde43cacc60a2847f72acbf6e12e470eef76790a2914239c381bb279efc337fc713a5d962a2473310d493ed36583f160a574dfb17

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Edge Update.exe.log
    Filesize

    425B

    MD5

    4eaca4566b22b01cd3bc115b9b0b2196

    SHA1

    e743e0792c19f71740416e7b3c061d9f1336bf94

    SHA256

    34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

    SHA512

    bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Edge Update.exe
    Filesize

    9KB

    MD5

    7796236d80b9e55f9571418e05a9578b

    SHA1

    14039d2800ca54c49c817b1fa35bdf45024ceab7

    SHA256

    02ea168ca6eb5b6211d7525ada5e100323d41155620ca40a149038b61fdb6cc5

    SHA512

    604b70f61bc0d8348b05921d46ce8aaa411a46ffa82ae516b4ba5e4df66759712e71bed77971a7c501e97b5f5d8a22440a29837fa7ce8e0a55ed5ee811e32cd5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Edge Update.exe.config
    Filesize

    157B

    MD5

    7efa291047eb1202fde7765adac4b00d

    SHA1

    22d4846caff5e45c18e50738360579fbbed2aa8d

    SHA256

    807fb6eeaa7c77bf53831d8a4422a53a5d8ccd90e6bbc17c655c0817460407b6

    SHA512

    159c95eb1e817ba2d281f39c3939dd963ab62c0cd29bf66ca3beb0aff53f4617d47f48474e58319130ae4146a044a42fc75f63c343330c1b6d2be7034b9fa724

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.exe
    Filesize

    21KB

    MD5

    20e49432591aeca9939d49f7e31d0ed5

    SHA1

    4fc0011186fd5b88620c503d42a3c62000a3b7fd

    SHA256

    7100036177c61bd0e5ecf14e70bb9803f75b2807b076974995dfa1175d2006c9

    SHA512

    37b23b5bb7f93e46fcc22d86c5fa1890e8db0b1683515aa2e22d03ce80e7ee0e8fcaad2de695582f2c4adee2e338d447a6be343ee04f0717482c746c07fd0afd

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.exe.config
    Filesize

    349B

    MD5

    89817519e9e0b4e703f07e8c55247861

    SHA1

    4636de1f6c997a25c3190f73f46a3fd056238d78

    SHA256

    f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

    SHA512

    b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

    Download Submit

  • memory/856-49-0x0000028954FA0000-0x0000028954FB8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/856-48-0x0000028954F40000-0x0000028954F98000-memory.dmp

    Filesize

    352KB

    Download

  • memory/856-70-0x0000028957600000-0x00000289577C2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/856-50-0x000002893C750000-0x000002893C760000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2500-66-0x00000000004F0000-0x00000000004F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2768-24-0x000001D178AC0000-0x000001D178AFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2768-26-0x00007FFF6B500000-0x00007FFF6BFC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2768-29-0x00007FFF6B500000-0x00007FFF6BFC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2768-21-0x000001D1766D0000-0x000001D1766DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2768-22-0x00007FFF6B500000-0x00007FFF6BFC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2768-23-0x000001D176AB0000-0x000001D176AC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4448-31-0x0000023EFBFE0000-0x0000023EFC0EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4648-0-0x00007FFF6B503000-0x00007FFF6B505000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4648-5-0x000002309E000000-0x000002309E012000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4648-2-0x00000230B6850000-0x00000230B68AC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/4648-3-0x000002309C6F0000-0x000002309C6FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4648-47-0x00007FFF6B500000-0x00007FFF6BFC1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4648-1-0x000002309BFF0000-0x000002309C2FC000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4648-4-0x00007FFF6B500000-0x00007FFF6BFC1000-memory.dmp

    Filesize

    10.8MB

    Download