Overview

overview

10

Static

static

10

815948363e...07.exe

windows7-x64

10

815948363e...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2025 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    815948363eaaf293964c190ac3665d0865503781110b211f6f39f64d49574607.exe

  • Size

    918KB

  • MD5

    32d54c2fa9f4f6534e5fe9d790977a15

  • SHA1

    63d1dfb167024dea8a7bd5a5d72b2eb962bede4b

  • SHA256

    815948363eaaf293964c190ac3665d0865503781110b211f6f39f64d49574607

  • SHA512

    28ae36ad42cadf490101572f1dd3a88b72593e25869784cefff7ad0bf75e2a3cf7b6399bc34949d95b279dfd3050c68679fa0e970caa87883219336c0b86d21b

  • SSDEEP

    24576:PGOd4MROxnFi3uUr2rZlI0AilFEvxHiJv:PGdMioVarZlI0AilFEvxHi

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

25.ip.gl.ply.gg:1909

Mutex

039f583b53844dc68ee502bf8377e03c

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\815948363eaaf293964c190ac3665d0865503781110b211f6f39f64d49574607.exe
    "C:\Users\Admin\AppData\Local\Temp\815948363eaaf293964c190ac3665d0865503781110b211f6f39f64d49574607.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nimwgi-p.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA45F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA45E.tmp"
        3⤵
          PID:5072
      • C:\Program Files\Orcus\Orcus.exe
        "C:\Program Files\Orcus\Orcus.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
          "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Orcus\Orcus.exe" 3208 /protectFile
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4932
          • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
            "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Orcus\Orcus.exe" 3208 "/protectFile"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1104
    • C:\Program Files\Orcus\Orcus.exe
      "C:\Program Files\Orcus\Orcus.exe"
      1⤵
      • Executes dropped EXE
      PID:4628

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\Orcus\Orcus.exe
      Filesize

      918KB

      MD5

      32d54c2fa9f4f6534e5fe9d790977a15

      SHA1

      63d1dfb167024dea8a7bd5a5d72b2eb962bede4b

      SHA256

      815948363eaaf293964c190ac3665d0865503781110b211f6f39f64d49574607

      SHA512

      28ae36ad42cadf490101572f1dd3a88b72593e25869784cefff7ad0bf75e2a3cf7b6399bc34949d95b279dfd3050c68679fa0e970caa87883219336c0b86d21b

      Download Submit

    • C:\Program Files\Orcus\Orcus.exe.config
      Filesize

      357B

      MD5

      a2b76cea3a59fa9af5ea21ff68139c98

      SHA1

      35d76475e6a54c168f536e30206578babff58274

      SHA256

      f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

      SHA512

      b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OrcusWatchdog.exe.log
      Filesize

      425B

      MD5

      4eaca4566b22b01cd3bc115b9b0b2196

      SHA1

      e743e0792c19f71740416e7b3c061d9f1336bf94

      SHA256

      34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

      SHA512

      bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESA45F.tmp
      Filesize

      1KB

      MD5

      35bb17cfb9f96a0ac082da91b1f8cb87

      SHA1

      3d1f23d2ec2ef4be14894b3b12d0fd8eb7ab9d93

      SHA256

      210ba6447db6153eaffb57e0cca20fa6d0f1c11e297a5a68fcfffadb813fad5a

      SHA512

      0744f34ba6a0b91d8e999f127a32e40c94eafda8e1d1c9862c403bc11831309d1a1f32a3709b2aff707780846caff41d173013e73223cfceb94ec650cb41d03a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nimwgi-p.dll
      Filesize

      76KB

      MD5

      2ef5db65bb36655a25934eb2f38d4753

      SHA1

      de12ab049ec6a03b1c8675a478818c05d9a4496f

      SHA256

      6dd5fada87ab20aa71e5ddf4b79a94904736a39347e7c4153ed21eebe3854ca0

      SHA512

      712d4a6a312f54d9e7f46daa9c4ff615d889346809c5b4994e69d6068fe4c398bc121a33d9e21b5e1bf2ab3ab1d96ff48ce36b229f2f8a674476bc60a0013380

      Download Submit

    • C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      Filesize

      9KB

      MD5

      913967b216326e36a08010fb70f9dba3

      SHA1

      7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

      SHA256

      8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

      SHA512

      c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Orcus\err_039f583b53844dc68ee502bf8377e03c.dat
      Filesize

      1KB

      MD5

      8d42c8a7bc715dc905ed8324bd6b46bd

      SHA1

      5784742613665d63c1e0a41eb85ba93f3d1a98a0

      SHA256

      2ca52233c7c98bbcc02d49b35aad2ce11fb93da58075e190e8f40da4287fe1a4

      SHA512

      61a839c4dfb5330ed04be23298e60d253df8168aa3a2b64987d2ea49e933c918ff32efce12e3c2b6719856b92bbadbc58a0d72f6250b2daa17e82bac2a06e746

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCA45E.tmp
      Filesize

      676B

      MD5

      3b4eaa41784b6e35c6e167375555073c

      SHA1

      dead20139d7abf00619cfe87189d2fc92b53b092

      SHA256

      f6eca875cb120b505fc77f25461cb9e1062def82edd18134dd44003d0dac1448

      SHA512

      e8ebd15f0111f568e4b164a0a87f1e6b9266e1944ead38b195267168b0b009c3d60fad7a64f48993106c05a3c24a0517ea5b334fea043cfe7b1d6d454b5933fc

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\nimwgi-p.0.cs
      Filesize

      208KB

      MD5

      373cdffffb131d8478636b043fa84c29

      SHA1

      ccd7794122a7006c074d197c830b56e39f608c95

      SHA256

      7de3b503c4fa8956a919183ca7fb384453f0a81fec5adb7c7648b5d4654e84c6

      SHA512

      de07edc050c6f8d334641c6616a5591c56ddc4e882ea2c2fa509bb61d6d4b0f83727725bf4870dc67adde8c6639db7df4314fc866b41953fba23fbf9ab6d1f62

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\nimwgi-p.cmdline
      Filesize

      349B

      MD5

      1b934fd5160c356b1dc0c5b75a662727

      SHA1

      bdba3cc8ba67990d9a9d910960c0487159731d81

      SHA256

      4de9ca8044cddcda62f6b81a7d1188445906ab39526a56033431e0538e28a403

      SHA512

      75f23207e13bce51aded941da49b1af15a8e2e587bea8a7c7e10edb48019a18c84d29c17d8d4ede39cd21c96475d50f6f32d26f5f556997b00912848a103552a

      Download Submit

    • memory/1408-21-0x00007FF81EED0000-0x00007FF81F871000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1408-14-0x00007FF81EED0000-0x00007FF81F871000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3208-63-0x000000001C410000-0x000000001C428000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3208-61-0x000000001C080000-0x000000001C0CE000-memory.dmp

      Filesize

      312KB

      Download

    • memory/3208-64-0x000000001C530000-0x000000001C540000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3208-58-0x000000001BD70000-0x000000001BE7A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3208-57-0x000000001BC20000-0x000000001BC5C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3208-56-0x0000000002EA0000-0x0000000002EB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3208-55-0x0000000002CF0000-0x0000000002D02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3208-53-0x0000000000AF0000-0x0000000000BDC000-memory.dmp

      Filesize

      944KB

      Download

    • memory/3208-51-0x00007FF81B733000-0x00007FF81B735000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3208-83-0x00007FF81B733000-0x00007FF81B735000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3840-30-0x000000001D8D0000-0x000000001D9C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/3840-26-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3840-34-0x000000001DAB0000-0x000000001DB20000-memory.dmp

      Filesize

      448KB

      Download

    • memory/3840-35-0x00007FF81EED0000-0x00007FF81F871000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3840-32-0x000000001D9D0000-0x000000001DA19000-memory.dmp

      Filesize

      292KB

      Download

    • memory/3840-31-0x000000001CB10000-0x000000001CB2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3840-0-0x00007FF81F185000-0x00007FF81F186000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3840-29-0x000000001D310000-0x000000001D8CA000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3840-54-0x00007FF81EED0000-0x00007FF81F871000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3840-28-0x000000001C9B0000-0x000000001CA12000-memory.dmp

      Filesize

      392KB

      Download

    • memory/3840-27-0x0000000000E80000-0x0000000000E88000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3840-33-0x00007FF81EED0000-0x00007FF81F871000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3840-25-0x0000000000C30000-0x0000000000C42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3840-23-0x000000001C5C0000-0x000000001C5D6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3840-8-0x000000001BF40000-0x000000001BFDC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3840-7-0x000000001BA70000-0x000000001BF3E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/3840-6-0x00007FF81EED0000-0x00007FF81F871000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3840-5-0x000000001B4A0000-0x000000001B4AE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3840-1-0x00007FF81EED0000-0x00007FF81F871000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3840-2-0x000000001B2C0000-0x000000001B31C000-memory.dmp

      Filesize

      368KB

      Download

    • memory/4932-78-0x0000000000130000-0x0000000000138000-memory.dmp

      Filesize

      32KB

      Download