Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
16-01-2025 16:19
General
-
Target
ez.exe
-
Size
903KB
-
MD5
1f0eaf2212e650d546ce25bed971ea6a
-
SHA1
10964f65e5f5cb5b39793948c47960b3df816a78
-
SHA256
5488f8ebdd761b238ac30772eaaf4bc470da2d9b518c13edccfae3ab4c3e9721
-
SHA512
d4773894f5a38fc4d994aff8985311e16310de775fbe88e0caf67aa0cd45b89ad2f175daa7fd3465b2112ed4c490c36832d92ab23b71bc50e568c4bd9aea8f68
-
SSDEEP
12288:R8shHAVBuQBBed37dG1lFlWcYT70pxnnaaoawMRVcTqSA+9rZNrI0AilFEvxHvBy:e3s4MROxnF9LqrZlI0AilFEvxHiVeo
Malware Config
Extracted
orcus
0.tcp.ngrok.io:18585
6aa90683b44541319ca2fec646e0dff6
-
autostart_method
Disable
-
enable_keylogger
false
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Orcus main payload 1 IoCs
-
Orcurs Rat Executable 2 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Modifies WinLogon 2 TTPs 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ez.exe"C:\Users\Admin\AppData\Local\Temp\ez.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jvel7vya.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES77E0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC77DF.tmp"3⤵
-
-
-
C:\Program Files\Orcus\Orcus.exe"C:\Program Files\Orcus\Orcus.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe"C:\Users\Admin\AppData\Local\Temp\RdpWrapper_a93660f341c34bb9a6e4f2ee805e434c.exe" -i -o3⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -s TermService1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
903KB
MD51f0eaf2212e650d546ce25bed971ea6a
SHA110964f65e5f5cb5b39793948c47960b3df816a78
SHA2565488f8ebdd761b238ac30772eaaf4bc470da2d9b518c13edccfae3ab4c3e9721
SHA512d4773894f5a38fc4d994aff8985311e16310de775fbe88e0caf67aa0cd45b89ad2f175daa7fd3465b2112ed4c490c36832d92ab23b71bc50e568c4bd9aea8f68
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
114KB
MD5461ade40b800ae80a40985594e1ac236
SHA1b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26
-
Filesize
1KB
MD52fca075c4c53b5f285c9de18b420ca8c
SHA1a5c749c588d66a161ba2d5cf79dff2998fd53f27
SHA256d0c00a3086d21a0e0fc60902121bbf7c85c38b09680f2dbb8292dfad1dd75607
SHA512016ebe6ab31b5e048cb0afb35680e743cd1e1c88883e25a648cc9bbedfb6884c2fc1c65edf6fb39c8f1176ab018ecd0b9f5d9a46d043946ce06f01bfd8962e48
-
Filesize
1.3MB
MD59c257b1d15817a818a675749f0429130
SHA1234d14da613c1420ea17de60ab8c3621d1599f6f
SHA256b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c
SHA512b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521
-
Filesize
76KB
MD5871865f9d4b7d96b758bfd515deaf05e
SHA1648f0c9373e889a2c889f5d089fa190041e83c24
SHA2560a0e0e552d6a7b391ba88dd7905aa3b2d508f8c5b5c434e808313f5ad443c2d9
SHA512e7ed12c493800c472d4a79eab37e32b7bcc1c21a0760d7e9e1d2498d11e4e8c6bcff9eacac93a35b3f215d1845f500bc9eaa72d279dd1ef5e5bfdce95783fcbe
-
Filesize
60KB
MD517ed442e8485ac3f7dc5b3c089654a61
SHA1d3a17c1fdd6d54951141053f88bf8238dea0b937
SHA256666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
SHA5129118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2
-
Filesize
20KB
MD50bd34aa29c7ea4181900797395a6da78
SHA1ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
SHA256bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
SHA512a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0
-
Filesize
125KB
MD52b44c70c49b70d797fbb748158b5d9bb
SHA193e00e6527e461c45c7868d14cf05c007e478081
SHA2563762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf
SHA512faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0
-
Filesize
271KB
MD598eb5ba5871acdeaebf3a3b0f64be449
SHA1c965284f60ef789b00b10b3df60ee682b4497de3
SHA256d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c
SHA512a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2
-
Filesize
338KB
MD5934da0e49208d0881c44fe19d5033840
SHA1a19c5a822e82e41752a08d3bd9110db19a8a5016
SHA25602da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7
SHA512de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59
-
Filesize
247KB
MD5ffb4b61cc11bec6d48226027c2c26704
SHA1fa8b9e344accbdc4dffa9b5d821d23f0716da29e
SHA256061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303
SHA51248aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9
-
Filesize
1.3MB
MD5ac6acc235ebef6374bed71b37e322874
SHA1a267baad59cd7352167636836bad4b971fcd6b6b
SHA256047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96
SHA51272ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081
-
Filesize
662KB
MD5b36cc7f7c7148a783fbed3493bc27954
SHA144b39651949a00cf2a5cbba74c3210b980ae81b4
SHA256c1ce9a872d33fb8757c59b5cd1f26c93b9eeec3e3cf57162c29a0783e6222a38
SHA512c987c689ecc2cc57350c74ee22b66cb543535bc17b790016ec6407c3d02c539a727f5c38e1451a201e8e7ccfcb4d4639780b6e68cd38b7e67b1b28034ad738a2
-
Filesize
676B
MD59dbc93ea7338b7fd663e0a3f71362a7e
SHA18c8fe4d900f988b1d6ca2343baa8a7fb4e123bf4
SHA256a3c66a2bb948893aac8f131b8c367759de679bfe0909a7cc5fbd3bda9a568dc3
SHA51240b5d1a8f141db94ba71cb87eb9f961cee03f050d0217fc01cbf5ac04760a7ff8e052528bba56fbeab845f672b7d725736f24197dea673759147428667ddd1f7
-
Filesize
208KB
MD5ef2933a93a879cccf7f0c1062bda4f09
SHA14bc6c94dbd9d428017e6f42c6c02c1988a72a3d1
SHA25651fbd676b0bff7dc1fd7d70e88a91fbfabd8396ef53c994764d9e04f9f2d15e9
SHA5125ca0b83343b54632a4ca4cc87bd26a3e4239dae12d4c7a909e0c389c97dcd33829f1db4c8272e29c630156254734a4854718ee4302c1fda4ed816f883324bc67
-
Filesize
349B
MD53cbbe9835a6b5beecb4c326666f516bd
SHA17c25642dfa7097163d179c2f227c91cc52e6ae3f
SHA2562816fd69b471419b15e14c645fdc2c8ff365d79f7d284726f01e311da4b04415
SHA512e736f457d6329ca8ca83665214b89edd2979a02fb3f735d7f766436db73a329fe7f195806be9322fdf20769d3d08a8acf568c5fe0f1e0bebb793df3490093774
-
Filesize
128KB
MD5dddd741ab677bdac8dcd4fa0dda05da2
SHA169d328c70046029a1866fd440c3e4a63563200f9
SHA2567d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668
SHA5126106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec
-
Filesize
64KB
-
Filesize
272KB
-
Filesize
624KB
-
Filesize
320KB
-
Filesize
928KB
-
Filesize
296KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
1.3MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
1.8MB
-
Filesize
48KB
-
Filesize
1.3MB
-
Filesize
88KB
-
Filesize
152KB
-
Filesize
360KB
-
Filesize
296KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
72KB
-
Filesize
624KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
88KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4.8MB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
368KB
-
Filesize
9.6MB
-
Filesize
1.3MB