orcus | 2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183

General

Target

2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
Size

919KB
MD5

fa6c9a01e8fd6075e4143fe869f26633
SHA1

b3b7bfb052306ef1f33d327d90c0ba630b6c57ee
SHA256

2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183
SHA512

25ec4a100ec760b2a671900ff92438c716fe107be0002ed1b43d7e5ca9baa8796002ccb22ec8db05098af3f68f1c499c56b85dc0536094efb8f313ec1c7bbe0a
SSDEEP

12288:GRzyAHWSkJ6ZBy37dG1lFlWcYT70pxnnaaoawhmD9kgWr8rZNrI0AilFEvxHvBMw:xk84MROxnF31vrZlI0AilFEvxHic+C

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

Ezzka1337123123-52059.portmap.host:52059

Mutex

ca01f7484a6e4c3dbdd4b2c03f15df00

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
WindowsDefender
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016141-41.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016141-41.dat	orcus
behavioral1/memory/1676-42-0x0000000000FF0000-0x00000000010DC000-memory.dmp	orcus

Executes dropped EXE 4 IoCs

pid	Process
2788	WindowsInput.exe
2832	WindowsInput.exe
1676	Orcus.exe
1984	Orcus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1676	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1676	Orcus.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 2052	604	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	31
PID 604 wrote to memory of 2052	604	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	31
PID 604 wrote to memory of 2052	604	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	31
PID 2052 wrote to memory of 1816	2052	csc.exe	33
PID 2052 wrote to memory of 1816	2052	csc.exe	33
PID 2052 wrote to memory of 1816	2052	csc.exe	33
PID 604 wrote to memory of 2788	604	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	34
PID 604 wrote to memory of 2788	604	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	34
PID 604 wrote to memory of 2788	604	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	34
PID 604 wrote to memory of 1676	604	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	36
PID 604 wrote to memory of 1676	604	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	36
PID 604 wrote to memory of 1676	604	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	36
PID 3040 wrote to memory of 1984	3040	taskeng.exe	38
PID 3040 wrote to memory of 1984	3040	taskeng.exe	38
PID 3040 wrote to memory of 1984	3040	taskeng.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
"C:\Users\Admin\AppData\Local\Temp\2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:604
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dpqc3vqj.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE4E3.tmp"
    3⤵
    PID:1816
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2788
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1676

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2832

C:\Windows\system32\taskeng.exe
taskeng.exe {A5A589E9-A829-4A16-9202-A679415191FF} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
919KB

MD5
fa6c9a01e8fd6075e4143fe869f26633

SHA1
b3b7bfb052306ef1f33d327d90c0ba630b6c57ee

SHA256
2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183

SHA512
25ec4a100ec760b2a671900ff92438c716fe107be0002ed1b43d7e5ca9baa8796002ccb22ec8db05098af3f68f1c499c56b85dc0536094efb8f313ec1c7bbe0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE4E4.tmp

Filesize
1KB

MD5
86f448a98e265e2bf0a214cb691a84d1

SHA1
5dce17f707a6fa03a884c5110f345d3eef19ab97

SHA256
45e937773a8adaf368f7f0073f09e21c8f5c28d34b7027168d67b737efb6f946

SHA512
57337f747d8c8439d37454b42e495d3136a23e74ccb7b3d184e7c9d2a1104e674adb84edc5196d3f20f9dd69bf7b9ec509646beed2caa313997af29fc79e7b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dpqc3vqj.dll

Filesize
76KB

MD5
e3b518cb5cb0713638131864a4c6d683

SHA1
0f568f2e451b148169f4dc907b56ffc108f16b79

SHA256
be72a0bfe7c13bffb85c48a78ffbdc92c946a927913d50dbb2e1121b71a50858

SHA512
dcc22774e1ef70e39cbf82e2c71d4f84b7e6af95e8b6d9699d6c55edab5d197669e86e69fdd2416f45c234ad0733384c3f16c20f84b00edbbd59495bf659369e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE4E3.tmp

Filesize
676B

MD5
b44ba9a78ef1cd65c0819d92692e31b9

SHA1
021b20c30cc19c841aef4218d8493c92b4425bfe

SHA256
dfca402c12b686cf82b8fab4d339e8cb2beff87370aa21f551809eaeea624116

SHA512
00c191275f81af0efa9159dff6a5e34540ca108ae1437da86360997f9e4c9cdd4f9bc27635ba89959300b0b7fbf7830975709857673f997a73c10f1bde7902cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dpqc3vqj.0.cs

Filesize
208KB

MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dpqc3vqj.cmdline

Filesize
349B

MD5
a102e527a408a1a696b0cc963b358c1d

SHA1
828ebf73c6e21df55c3de1122b0fe3c3b8a99914

SHA256
98bc3c7f2fcd86eaeed86754a509287ff843bb79e55be2d612397bd3b6e80ad7

SHA512
42cfa9c0e8990a5df4e8390a590b077ee92b47343ac32d8211833156b9930489db7d4563572730c177ddf33c2a234fa6b3752c0510e5ac6d65bd92adbe7cdd5f

Download Submit
memory/604-1-0x0000000001FE0000-0x000000000203C000-memory.dmp

Filesize
368KB

Download
memory/604-3-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/604-2-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/604-22-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/604-4-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/604-21-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/604-19-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/604-43-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/604-0-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

Filesize
4KB

Download
memory/1676-44-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/1676-42-0x0000000000FF0000-0x00000000010DC000-memory.dmp

Filesize
944KB

Download
memory/1676-45-0x0000000000C00000-0x0000000000C4E000-memory.dmp

Filesize
312KB

Download
memory/1676-46-0x0000000000D40000-0x0000000000D58000-memory.dmp

Filesize
96KB

Download
memory/1676-47-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/2052-10-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2052-17-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Filesize
9.6MB

Download
memory/2788-30-0x0000000001150000-0x000000000115C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads