orcus | 2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183

General

Target

2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
Size

919KB
MD5

fa6c9a01e8fd6075e4143fe869f26633
SHA1

b3b7bfb052306ef1f33d327d90c0ba630b6c57ee
SHA256

2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183
SHA512

25ec4a100ec760b2a671900ff92438c716fe107be0002ed1b43d7e5ca9baa8796002ccb22ec8db05098af3f68f1c499c56b85dc0536094efb8f313ec1c7bbe0a
SSDEEP

12288:GRzyAHWSkJ6ZBy37dG1lFlWcYT70pxnnaaoawhmD9kgWr8rZNrI0AilFEvxHvBMw:xk84MROxnF31vrZlI0AilFEvxHic+C

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

Ezzka1337123123-52059.portmap.host:52059

Mutex

ca01f7484a6e4c3dbdd4b2c03f15df00

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
WindowsDefender
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cbd-55.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cbd-55.dat	orcus
behavioral2/memory/3352-66-0x0000000000D30000-0x0000000000E1C000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe

Executes dropped EXE 4 IoCs

pid	Process
1340	WindowsInput.exe
4688	WindowsInput.exe
3352	Orcus.exe
4756	Orcus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "\"C:\\Program Files\\Orcus\\Orcus.exe\""	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
File created	C:\Windows\assembly\Desktop.ini	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3352	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3352	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3352	Orcus.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2896	3028	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	84
PID 3028 wrote to memory of 2896	3028	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	84
PID 2896 wrote to memory of 4256	2896	csc.exe	86
PID 2896 wrote to memory of 4256	2896	csc.exe	86
PID 3028 wrote to memory of 1340	3028	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	87
PID 3028 wrote to memory of 1340	3028	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	87
PID 3028 wrote to memory of 3352	3028	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	89
PID 3028 wrote to memory of 3352	3028	2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe
"C:\Users\Admin\AppData\Local\Temp\2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\webrhzgi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES950D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC950C.tmp"
    3⤵
    PID:4256
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1340
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3352

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:4688

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
919KB

MD5
fa6c9a01e8fd6075e4143fe869f26633

SHA1
b3b7bfb052306ef1f33d327d90c0ba630b6c57ee

SHA256
2ddbc053baf510f2bb819973fd1b421d84f917522bed05dbb41ab326d5d28183

SHA512
25ec4a100ec760b2a671900ff92438c716fe107be0002ed1b43d7e5ca9baa8796002ccb22ec8db05098af3f68f1c499c56b85dc0536094efb8f313ec1c7bbe0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES950D.tmp

Filesize
1KB

MD5
2d1b45cd4dd7e10eb48104965136677c

SHA1
cc898a890f0634d496be1559e7e201a88f6a917a

SHA256
f8d7c8fb0f11cb740273a58a1eadcd113322f0f8c9de52b945b3fa08fffc2f2f

SHA512
a19bdd224c9aed6d43c412ac6389a7722a34ef26aca09b8e59effdf93d9f39f3c32b5c5f6c8c4c4ebf4f31f3c1903a43e8721e484389804546778effbeb59b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\webrhzgi.dll

Filesize
76KB

MD5
00d3a3cbf5b0b084303a116a0341b1a3

SHA1
d9abae2f24fdbf99172850cec9b8d0e89ba0e542

SHA256
2c05e2734080823b0d2507ecc202f0541d5dacf0ba001adbaa206ae25491abd5

SHA512
1a046b4f4a68abf91cdd0eeef481735bf9d27b609362386cb4d4b044d81941722d67265a97b44652959116db723a3ece77451b4cd37519bbfeddde3310ae7b12

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC950C.tmp

Filesize
676B

MD5
ef1a4d9aa37c9d74875cb7566d269e70

SHA1
8d4e27a76fdbc2dd1f9ad0d39dd1d21da71969a6

SHA256
ae7b3a99e0103f16867d0c6f363c50f4d9d61541794e7398101fe8b67eacec51

SHA512
9642136b80bdab803d3cb674f265b4aa8851c6af51f814b0dca5fdb98ac4fcf99978728ca6a7150b625618edce69c53bc44fc5db3fa20ccd7423679c1c4433b4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\webrhzgi.0.cs

Filesize
208KB

MD5
dc4dc3eed7cd4f5b7613b424b7dfec5e

SHA1
274d582731acce499886c7beeb6ef5ef39a96632

SHA256
d24fd4e229794e7f90d4da12f1be4a7ba59aa722cc6521d75c8de2d77b7f7f7b

SHA512
cc21a969e6cb9a57118785734d2d4e5bd8f249568b76c0ee52bce44b3099a5b4e30435be759f90dd5e048a276147ad48e2e3ac730a5016b8ddc1c8e272423f11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\webrhzgi.cmdline

Filesize
349B

MD5
99bd2326e23ae4ad30aa838f9db8e964

SHA1
d0b5d1ce882dfe5ff889fc44b1062171fbf1097a

SHA256
d4268a60278f3b8acd1583a1f9323677d59650c45c0fbc794e9175569eb0f963

SHA512
8642eeb13c34a67893bad51016182d513817484d4c37bd12fd4edb5283c23d6ac512f51a1a6febdb4e00db3b77fc0847a66ad61e43ac304bffe8a20539b00473

Download Submit
memory/1340-43-0x0000000001700000-0x0000000001712000-memory.dmp

Filesize
72KB

Download
memory/1340-41-0x00007FFE56433000-0x00007FFE56435000-memory.dmp

Filesize
8KB

Download
memory/1340-42-0x0000000000F00000-0x0000000000F0C000-memory.dmp

Filesize
48KB

Download
memory/1340-44-0x000000001BB60000-0x000000001BB9C000-memory.dmp

Filesize
240KB

Download
memory/2896-14-0x00007FFE58B60000-0x00007FFE59501000-memory.dmp

Filesize
9.6MB

Download
memory/2896-21-0x00007FFE58B60000-0x00007FFE59501000-memory.dmp

Filesize
9.6MB

Download
memory/3028-26-0x0000000001630000-0x0000000001638000-memory.dmp

Filesize
32KB

Download
memory/3028-2-0x00007FFE58B60000-0x00007FFE59501000-memory.dmp

Filesize
9.6MB

Download
memory/3028-0-0x00007FFE58E15000-0x00007FFE58E16000-memory.dmp

Filesize
4KB

Download
memory/3028-27-0x000000001D2E0000-0x000000001D300000-memory.dmp

Filesize
128KB

Download
memory/3028-23-0x000000001D2A0000-0x000000001D2B6000-memory.dmp

Filesize
88KB

Download
memory/3028-8-0x000000001CBE0000-0x000000001CC7C000-memory.dmp

Filesize
624KB

Download
memory/3028-7-0x000000001C670000-0x000000001CB3E000-memory.dmp

Filesize
4.8MB

Download
memory/3028-6-0x000000001C090000-0x000000001C09E000-memory.dmp

Filesize
56KB

Download
memory/3028-3-0x000000001BF90000-0x000000001BFEC000-memory.dmp

Filesize
368KB

Download
memory/3028-25-0x0000000001A20000-0x0000000001A32000-memory.dmp

Filesize
72KB

Download
memory/3028-65-0x00007FFE58B60000-0x00007FFE59501000-memory.dmp

Filesize
9.6MB

Download
memory/3028-1-0x00007FFE58B60000-0x00007FFE59501000-memory.dmp

Filesize
9.6MB

Download
memory/3352-66-0x0000000000D30000-0x0000000000E1C000-memory.dmp

Filesize
944KB

Download
memory/3352-67-0x0000000003050000-0x0000000003062000-memory.dmp

Filesize
72KB

Download
memory/3352-68-0x000000001C860000-0x000000001C8AE000-memory.dmp

Filesize
312KB

Download
memory/3352-70-0x000000001CA00000-0x000000001CA18000-memory.dmp

Filesize
96KB

Download
memory/3352-71-0x000000001CB30000-0x000000001CB40000-memory.dmp

Filesize
64KB

Download
memory/4688-49-0x0000000019FB0000-0x000000001A0BA000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads