orcus | d8a644f5aef669e0682ae0fbe2685e1453b2d0e7eda5e178d0b0547b747120ef

Analysis

max time kernel
13s
max time network
15s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-01-2025 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vmax.exe
Size

909KB
MD5

09ba4336061b39c6de460e559a86144d
SHA1

814db11290e5f753814f1525eb8c4d609aa6c1de
SHA256

8054ececfb1c163cc15de00bae2b97b490e381875863864be9c0e4a8399a7ad6
SHA512

e8c3a4334f18e1d07c95a4ce210a495e654fc20898dc27832f8b54ebeadb5be12f4ff0e758af7610964e9fcde787519683e0152c729fc4e95be7d28b20aaaedc
SSDEEP

24576:PZw4MROxnFj3cxXFHXRrZlI0AilFEvxHirAf:PZTMi1ERhrZlI0AilFEvxHi

Score

10^/10

orcus discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

127.0.0.1:10134

Mutex

2da3ffc776c743d289a69d0dcbf09041

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Window\paint.exe
reconnect_delay
10000
registry_keyname
svhost
taskscheduler_taskname
Orcus
watchdog_path
AppData\svhost.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0029000000046216-27.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0029000000046216-27.dat	orcus
behavioral1/memory/2660-32-0x0000000000E00000-0x0000000000EE8000-memory.dmp	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation	paint.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation	svhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation	vmax.exe

Executes dropped EXE 4 IoCs

pid	Process
2660	paint.exe
1352	paint.exe
2716	svhost.exe
3060	svhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "\"C:\\Program Files\\Window\\paint.exe\""	paint.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	vmax.exe
File created	C:\Windows\assembly\Desktop.ini	vmax.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Window\paint.exe	vmax.exe
File created	C:\Program Files\Window\paint.exe	vmax.exe
File created	C:\Program Files\Window\paint.exe.config	vmax.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	vmax.exe
File created	C:\Windows\assembly\Desktop.ini	vmax.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	vmax.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2660	paint.exe
2660	paint.exe
2660	paint.exe
3060	svhost.exe
3060	svhost.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe
3060	svhost.exe
2660	paint.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	paint.exe
Token: SeDebugPrivilege	2716	svhost.exe
Token: SeDebugPrivilege	3060	svhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2660	paint.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2660	paint.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2660	paint.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 4276	2128	vmax.exe	82
PID 2128 wrote to memory of 4276	2128	vmax.exe	82
PID 4276 wrote to memory of 4948	4276	csc.exe	85
PID 4276 wrote to memory of 4948	4276	csc.exe	85
PID 2128 wrote to memory of 2660	2128	vmax.exe	86
PID 2128 wrote to memory of 2660	2128	vmax.exe	86
PID 2660 wrote to memory of 2716	2660	paint.exe	90
PID 2660 wrote to memory of 2716	2660	paint.exe	90
PID 2660 wrote to memory of 2716	2660	paint.exe	90
PID 2716 wrote to memory of 3060	2716	svhost.exe	93
PID 2716 wrote to memory of 3060	2716	svhost.exe	93
PID 2716 wrote to memory of 3060	2716	svhost.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\vmax.exe
"C:\Users\Admin\AppData\Local\Temp\vmax.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqmktvnr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF28.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF27.tmp"
    3⤵
    PID:4948
- C:\Program Files\Window\paint.exe
  "C:\Program Files\Window\paint.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Roaming\svhost.exe
    "C:\Users\Admin\AppData\Roaming\svhost.exe" /launchSelfAndExit "C:\Program Files\Window\paint.exe" 2660 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Roaming\svhost.exe
      "C:\Users\Admin\AppData\Roaming\svhost.exe" /watchProcess "C:\Program Files\Window\paint.exe" 2660 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060

C:\Program Files\Window\paint.exe
"C:\Program Files\Window\paint.exe"
1⤵
- Executes dropped EXE
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Window\paint.exe

Filesize
909KB

MD5
09ba4336061b39c6de460e559a86144d

SHA1
814db11290e5f753814f1525eb8c4d609aa6c1de

SHA256
8054ececfb1c163cc15de00bae2b97b490e381875863864be9c0e4a8399a7ad6

SHA512
e8c3a4334f18e1d07c95a4ce210a495e654fc20898dc27832f8b54ebeadb5be12f4ff0e758af7610964e9fcde787519683e0152c729fc4e95be7d28b20aaaedc

Download Submit
C:\Program Files\Window\paint.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svhost.exe.log

Filesize
425B

MD5
8c7889bde41724ce3db7c67e730677f6

SHA1
485891cc9120cb2203a2483754dbd5e6ea24f28e

SHA256
83c70bfcb1b41892c9c50cabe9bc2d96b2f7420b28545afabd32f682ac62d0ad

SHA512
b7c3aab27fc924dcaef78987b492931e164b9e30b813c532fe87e1d40001ed1861c4b5ddbdd85cd2278681a22e32eee816877f4f63cecaa9972976d87e38f5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCF28.tmp

Filesize
1KB

MD5
0325d5c81152412df82a8b327ed4037f

SHA1
bea434448e6a9758bf541c10faa652cdf638e3c2

SHA256
7a858726e25b601605b0e2f89748ee9d99ab6e9b118f8fef8522c74e99ce15ef

SHA512
925b5c58c1dfcf98188708ac63d5f315d3a13b327425cd4067a9745796c8efd74e57d729e7569fb6445f74491c5044e8245d2e801d1a02421d216a3ccf55101a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqmktvnr.dll

Filesize
76KB

MD5
7cd0b33f4671e5a10e54a9bbcc4b564f

SHA1
8dc0333268e95f67e6ac7ffd3becf95fdd62137e

SHA256
9c679845562aecc116d199ffc4a119f220a18e59b982ae79e25d264dcfdac60b

SHA512
97af724d89b74b1785559fada23f85908e22b2e3e32527c181a6e5d1371f21104dcc8d4a043986f456d16298dd300ef43406b1b9c428cef026706f48e74c9f60

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCF27.tmp

Filesize
676B

MD5
c5d2cf72f35900e68a66b57cf3208903

SHA1
9a4f7101d2e4e6fe7fcab105552e32be04ef5714

SHA256
fec37f9244fcea7bcea074054577d8b2b6858b3b8565cb1515de466a614cfeef

SHA512
169168aed5f4a51894bc71755f71ff94d878ee4511520bd5b419cd01f8a1ce4644e356d232f7e1e0db37ce662489c894c6e88797613b48bea4aab367dceec91c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqmktvnr.0.cs

Filesize
208KB

MD5
1c7bcda10e624df41140075ba632ebb0

SHA1
0a3cdd1322770c10ff408b47cae36fb85a9ac774

SHA256
7ada97fa8f928ad1d0465a727cb4dd40e8c7a63959ecaa904e3d8039867777b3

SHA512
3af5500f00723d889bf2bb344f065bfaf923edc67859454a5f1736c8aedf4e5ea07204c3b2d1c80198d983d053481968dc021ec6feea9ae3bd5e81511b075e8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqmktvnr.cmdline

Filesize
349B

MD5
dde06fdf46d7d418bae582eea31b04ea

SHA1
5da880d16e3d2d03a3e2607d99afa888256eaf6e

SHA256
d1ca1476b2e3f302d6e070b951d5b4663288c74648795f537864394d6620c8b7

SHA512
370b0a1f648ddbf87f833f1a6e89f3ded19d2a74e95d11dc87dbb89e3db10f6fcf07f707277fa538807b582423e14dcac91e1b164c890d3d0233063814399ca9

Download Submit
memory/2128-31-0x00007FFA595B0000-0x00007FFA59F51000-memory.dmp

Filesize
9.6MB

Download
memory/2128-23-0x000000001DB60000-0x000000001DB76000-memory.dmp

Filesize
88KB

Download
memory/2128-1-0x00007FFA595B0000-0x00007FFA59F51000-memory.dmp

Filesize
9.6MB

Download
memory/2128-2-0x000000001BF50000-0x000000001BFAC000-memory.dmp

Filesize
368KB

Download
memory/2128-0-0x00007FFA59865000-0x00007FFA59866000-memory.dmp

Filesize
4KB

Download
memory/2128-6-0x000000001CF30000-0x000000001D3FE000-memory.dmp

Filesize
4.8MB

Download
memory/2128-25-0x0000000001B70000-0x0000000001B82000-memory.dmp

Filesize
72KB

Download
memory/2128-7-0x00007FFA595B0000-0x00007FFA59F51000-memory.dmp

Filesize
9.6MB

Download
memory/2128-5-0x000000001CA50000-0x000000001CA5E000-memory.dmp

Filesize
56KB

Download
memory/2128-8-0x000000001D4A0000-0x000000001D53C000-memory.dmp

Filesize
624KB

Download
memory/2660-30-0x00007FFA56273000-0x00007FFA56275000-memory.dmp

Filesize
8KB

Download
memory/2660-32-0x0000000000E00000-0x0000000000EE8000-memory.dmp

Filesize
928KB

Download
memory/2660-34-0x000000001D060000-0x000000001D0AE000-memory.dmp

Filesize
312KB

Download
memory/2660-36-0x000000001D1F0000-0x000000001D208000-memory.dmp

Filesize
96KB

Download
memory/2660-37-0x000000001D530000-0x000000001D6F2000-memory.dmp

Filesize
1.8MB

Download
memory/2660-38-0x000000001D310000-0x000000001D320000-memory.dmp

Filesize
64KB

Download
memory/2660-33-0x0000000003080000-0x0000000003092000-memory.dmp

Filesize
72KB

Download
memory/2660-60-0x00007FFA56273000-0x00007FFA56275000-memory.dmp

Filesize
8KB

Download
memory/2716-55-0x0000000000960000-0x0000000000968000-memory.dmp

Filesize
32KB

Download
memory/4276-21-0x00007FFA595B0000-0x00007FFA59F51000-memory.dmp

Filesize
9.6MB

Download
memory/4276-14-0x00007FFA595B0000-0x00007FFA59F51000-memory.dmp

Filesize
9.6MB

Download