orcus | e607e52cb362cdca751c9cf27c91b8f5087649c720d49fd31ee925176107e501

Resubmissions

13-01-2025 04:02

250113-el1zlavlf1 10

12-01-2025 15:18

250112-sp351szpcr 10

Analysis

max time kernel
896s
max time network
901s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

resemblec2.exe
Size

670KB
MD5

a7816959bd66c9c1de58176164a9a346
SHA1

828184b97df950a1ca6288b7693ee35c5c4193b7
SHA256

e607e52cb362cdca751c9cf27c91b8f5087649c720d49fd31ee925176107e501
SHA512

b510573b0a7679534c331b70b9c338ed62c8b3907474209fa91567f9e5884137cce981e5aa95fad424d1f81f1bc54012437745d9dd05936268e48796581376bd
SSDEEP

12288:DwXfR1kAiLQSeSiDrSBOsHENlXme4ylVUGpR9UR7BDF66zL/wVh/4ixdgWrE8qnD:DwvR1kkSebDedE3X/lvpR9U/Ft/Ch/v4

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

6.tcp.eu.ngrok.io

Mutex

ff1f02c9f26f4253869c1d0a04907775

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
01/12/2025 14:58:32
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgMwBhADkAYwAwADkAOQA3AGEANgBlADQANAA2AGMAMQBiADYANgA4ADkAMgA1ADgAMQBjADMAYgAxADMAOABlAAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIGIAOABiAGQANQAxADUAOAA0ADkAZABjADQAMwAzADIAOQAxAGUAMQBiADEANQBmADYANQBiAGMAMwA3ADAAZAABAAAEBA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Executes dropped EXE 2 IoCs

pid	Process
1804	idk.exe
2672	AudioDriver.exe

Loads dropped DLL 1 IoCs

pid	Process
1804	idk.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
23	6.tcp.eu.ngrok.io
60	6.tcp.eu.ngrok.io
63	6.tcp.eu.ngrok.io
68	6.tcp.eu.ngrok.io
77	6.tcp.eu.ngrok.io
2	6.tcp.eu.ngrok.io
9	6.tcp.eu.ngrok.io
70	6.tcp.eu.ngrok.io
90	6.tcp.eu.ngrok.io
16	6.tcp.eu.ngrok.io
48	6.tcp.eu.ngrok.io
29	6.tcp.eu.ngrok.io
36	6.tcp.eu.ngrok.io
83	6.tcp.eu.ngrok.io
41	6.tcp.eu.ngrok.io
53	6.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe
2672	AudioDriver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2568	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	AudioDriver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2672	AudioDriver.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2672	AudioDriver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2568	AcroRd32.exe
2568	AcroRd32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1328	2484	resemblec2.exe	31
PID 2484 wrote to memory of 1328	2484	resemblec2.exe	31
PID 2484 wrote to memory of 1328	2484	resemblec2.exe	31
PID 2484 wrote to memory of 1804	2484	resemblec2.exe	32
PID 2484 wrote to memory of 1804	2484	resemblec2.exe	32
PID 2484 wrote to memory of 1804	2484	resemblec2.exe	32
PID 2484 wrote to memory of 1804	2484	resemblec2.exe	32
PID 1804 wrote to memory of 2672	1804	idk.exe	33
PID 1804 wrote to memory of 2672	1804	idk.exe	33
PID 1804 wrote to memory of 2672	1804	idk.exe	33
PID 1804 wrote to memory of 2672	1804	idk.exe	33
PID 1328 wrote to memory of 2568	1328	rundll32.exe	34
PID 1328 wrote to memory of 2568	1328	rundll32.exe	34
PID 1328 wrote to memory of 2568	1328	rundll32.exe	34
PID 1328 wrote to memory of 2568	1328	rundll32.exe	34

C:\Users\Admin\AppData\Local\Temp\resemblec2.exe
C:\Users\Admin\AppData\Local\Temp\resemblec2.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resemble.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\resemble.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2568
- C:\Users\Admin\AppData\Local\Temp\idk.exe
  "C:\Users\Admin\AppData\Local\Temp\idk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\idk.exe

Filesize
845KB

MD5
c0f4b33fab9864dfebccb1f7621ac76a

SHA1
9e65684a22bae25570f019366657a83522434590

SHA256
ce59e3370985a4b7f243de0fb67848bcb223781077dee528e2f4adb8e9d8d656

SHA512
6cd5672e2b3615ebb94fb96de29fe1b2cbfa81c1e18080ad6fbb48b25457481e17d8919823970e5bd1e230e2e8c76d379a515551e35bdc10f305d3349ab3cefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\resemble.py

Filesize
27KB

MD5
23f1fabaef532d89fcb6d5bb14a36ef3

SHA1
679a82ed172d49f298bf07b6fa0de9b6c2ce0046

SHA256
e4410bc67b1ee8af2df456713b85040917b8cf749fb7d660feeb625b25ec9c51

SHA512
96e2baa6ce0220b9ad167b60220c683d5b080a9ba9a2e4d320aae6989f4aa2d241f8078e69bdd2da39a20d9b57ae84240da912d29e5e1db36cc90cf6a0537458

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9d02a0c762957fabaa9463b762115d2a

SHA1
b35edeb9109258329ea2a821f32ff55215efdf0a

SHA256
2598a413ec3b6ae90046b88249b2207e9775357081f045b06dcbfc37b5938407

SHA512
35c0b389d077ec8beb41ae76694a816cb64ddf2016cb227ef04d3339914f32277416b53014b255159cef8979db1776fff94599ff3664729dcdb8798977a9829c

Download Submit
memory/2484-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/2484-1-0x0000000000DE0000-0x0000000000E8E000-memory.dmp

Filesize
696KB

Download
memory/2484-4-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-10-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download