orcus | 726fe765745a0052e532e040a71b6b252aceab5c3b6cb13ba774eb85494390fa

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/01/2025, 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Drunkdeer1.exe
Size

3.2MB
MD5

2e3a2248109098fa65295e84918518e0
SHA1

80c462ccf9ab80f3cafc1a1f43669c72c383db4a
SHA256

726fe765745a0052e532e040a71b6b252aceab5c3b6cb13ba774eb85494390fa
SHA512

f3b3ebccc507ecaf464f6c023e3f5a7b4174894a35a8bda186129b0f89c0dcc9389991b20cbf092692928614bc63024775b0ac5b8c2f83aa0a5bf28fe44bda8e
SSDEEP

49152:7GX87p1EZKMnkmWg8LX5prviYDyKS5AypQxbRQAo9JnCmpKu/nRFfjI7L0qb:7LHTPJg8z1mKnypSbRxo9JCm

Score

10^/10

orcus новый тег discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Новый тег

31.44.184.52:27516

Mutex

sudo_bdnmfcpgeezwswzcg169jg3njnsdn3j8

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\eternalasync\cpuuploads.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000017390-12.dat	family_orcus

Orcurs Rat Executable 8 IoCs

resource	yara_rule
behavioral1/memory/2708-1-0x0000000000EA0000-0x00000000011D8000-memory.dmp	orcus
behavioral1/files/0x000f000000017390-12.dat	orcus
behavioral1/memory/2684-18-0x00000000001B0000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/2724-33-0x0000000000400000-0x0000000000738000-memory.dmp	orcus
behavioral1/memory/2724-32-0x0000000000400000-0x0000000000738000-memory.dmp	orcus
behavioral1/memory/2724-31-0x0000000000400000-0x0000000000738000-memory.dmp	orcus
behavioral1/memory/2724-26-0x0000000000400000-0x0000000000738000-memory.dmp	orcus
behavioral1/memory/2724-28-0x0000000000400000-0x0000000000738000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

pid	Process
2684	cpuuploads.exe
3048	cpuuploads.exe

Loads dropped DLL 1 IoCs

pid	Process
2708	Drunkdeer1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 2724	2684	cpuuploads.exe	33

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe	caspol.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpuuploads.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Drunkdeer1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpuuploads.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
956	PING.EXE
2264	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
956	PING.EXE
2264	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2708	Drunkdeer1.exe
2684	cpuuploads.exe
2684	cpuuploads.exe
2724	caspol.exe
2724	caspol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	Drunkdeer1.exe
Token: SeDebugPrivilege	2684	cpuuploads.exe
Token: SeDebugPrivilege	2724	caspol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2684	2708	Drunkdeer1.exe	31
PID 2708 wrote to memory of 2684	2708	Drunkdeer1.exe	31
PID 2708 wrote to memory of 2684	2708	Drunkdeer1.exe	31
PID 2708 wrote to memory of 2684	2708	Drunkdeer1.exe	31
PID 2684 wrote to memory of 2724	2684	cpuuploads.exe	33
PID 2684 wrote to memory of 2724	2684	cpuuploads.exe	33
PID 2684 wrote to memory of 2724	2684	cpuuploads.exe	33
PID 2684 wrote to memory of 2724	2684	cpuuploads.exe	33
PID 2684 wrote to memory of 2724	2684	cpuuploads.exe	33
PID 2684 wrote to memory of 2724	2684	cpuuploads.exe	33
PID 2684 wrote to memory of 2724	2684	cpuuploads.exe	33
PID 2684 wrote to memory of 2724	2684	cpuuploads.exe	33
PID 2684 wrote to memory of 2724	2684	cpuuploads.exe	33
PID 108 wrote to memory of 3048	108	taskeng.exe	34
PID 108 wrote to memory of 3048	108	taskeng.exe	34
PID 108 wrote to memory of 3048	108	taskeng.exe	34
PID 108 wrote to memory of 3048	108	taskeng.exe	34
PID 2724 wrote to memory of 1932	2724	caspol.exe	36
PID 2724 wrote to memory of 1932	2724	caspol.exe	36
PID 2724 wrote to memory of 1932	2724	caspol.exe	36
PID 2724 wrote to memory of 1932	2724	caspol.exe	36
PID 2724 wrote to memory of 2008	2724	caspol.exe	37
PID 2724 wrote to memory of 2008	2724	caspol.exe	37
PID 2724 wrote to memory of 2008	2724	caspol.exe	37
PID 2724 wrote to memory of 2008	2724	caspol.exe	37
PID 1932 wrote to memory of 956	1932	cmd.exe	40
PID 1932 wrote to memory of 956	1932	cmd.exe	40
PID 1932 wrote to memory of 956	1932	cmd.exe	40
PID 1932 wrote to memory of 956	1932	cmd.exe	40
PID 2008 wrote to memory of 2264	2008	cmd.exe	41
PID 2008 wrote to memory of 2264	2008	cmd.exe	41
PID 2008 wrote to memory of 2264	2008	cmd.exe	41
PID 2008 wrote to memory of 2264	2008	cmd.exe	41
PID 1932 wrote to memory of 1796	1932	cmd.exe	42
PID 1932 wrote to memory of 1796	1932	cmd.exe	42
PID 1932 wrote to memory of 1796	1932	cmd.exe	42
PID 1932 wrote to memory of 1796	1932	cmd.exe	42
PID 1932 wrote to memory of 2000	1932	cmd.exe	43
PID 1932 wrote to memory of 2000	1932	cmd.exe	43
PID 1932 wrote to memory of 2000	1932	cmd.exe	43
PID 1932 wrote to memory of 2000	1932	cmd.exe	43
PID 1932 wrote to memory of 684	1932	cmd.exe	44
PID 1932 wrote to memory of 684	1932	cmd.exe	44
PID 1932 wrote to memory of 684	1932	cmd.exe	44
PID 1932 wrote to memory of 684	1932	cmd.exe	44
PID 1932 wrote to memory of 2512	1932	cmd.exe	45
PID 1932 wrote to memory of 2512	1932	cmd.exe	45
PID 1932 wrote to memory of 2512	1932	cmd.exe	45
PID 1932 wrote to memory of 2512	1932	cmd.exe	45
PID 2008 wrote to memory of 948	2008	cmd.exe	46
PID 2008 wrote to memory of 948	2008	cmd.exe	46
PID 2008 wrote to memory of 948	2008	cmd.exe	46
PID 2008 wrote to memory of 948	2008	cmd.exe	46
PID 2008 wrote to memory of 1388	2008	cmd.exe	47
PID 2008 wrote to memory of 1388	2008	cmd.exe	47
PID 2008 wrote to memory of 1388	2008	cmd.exe	47
PID 2008 wrote to memory of 1388	2008	cmd.exe	47
PID 2008 wrote to memory of 2536	2008	cmd.exe	48
PID 2008 wrote to memory of 2536	2008	cmd.exe	48
PID 2008 wrote to memory of 2536	2008	cmd.exe	48
PID 2008 wrote to memory of 2536	2008	cmd.exe	48
PID 2008 wrote to memory of 1648	2008	cmd.exe	49
PID 2008 wrote to memory of 1648	2008	cmd.exe	49
PID 2008 wrote to memory of 1648	2008	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\Drunkdeer1.exe
"C:\Users\Admin\AppData\Local\Temp\Drunkdeer1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
  "C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\{15f9f43b-b33d-452b-9043-0ca8c1e97744}.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{15f9f43b-b33d-452b-9043-0ca8c1e97744}.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\{9e0a445e-1f9c-4108-b38a-565692225782}.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{9e0a445e-1f9c-4108-b38a-565692225782}.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1648

C:\Windows\system32\taskeng.exe
taskeng.exe {5BA170C3-CE8F-4492-89FA-BC7AE055A95D} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
  C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabEF50.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15f9f43b-b33d-452b-9043-0ca8c1e97744}.bat

Filesize
195B

MD5
60a5a4ea2d5097df9d0bfdc55a755330

SHA1
b60563a53c09baed6fb41e6be102576995b81868

SHA256
a0efdde3cd58b3bdd43f5116f2c6deea5e29194590a2d4ac1181888aa3371107

SHA512
2a6a4dad04163247ddf2b6009d822f1452cbf62c53956a642e4357516cb9470f604233a395494ad0dec621290d9465a8e8062fbeb3923a2ce3c1283572b79101

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9e0a445e-1f9c-4108-b38a-565692225782}.bat

Filesize
195B

MD5
7454e46a0ad70d5b15f50861a2774c6c

SHA1
371eac7d225835e9037c6950a23ee16bbd13a84f

SHA256
7fd35161907294a20d12ef29e3e955d0482224f627cd7b12aa32871808a95f3d

SHA512
535ca15b7533b5259ef91c2d3a8e657de8296130c4580a4cda1e227668f805dcf5cc3268ed9eb79451f913249c35b38343639e552da2557eaa268ac5886a70b1

Download Submit
C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe

Filesize
3.2MB

MD5
2e3a2248109098fa65295e84918518e0

SHA1
80c462ccf9ab80f3cafc1a1f43669c72c383db4a

SHA256
726fe765745a0052e532e040a71b6b252aceab5c3b6cb13ba774eb85494390fa

SHA512
f3b3ebccc507ecaf464f6c023e3f5a7b4174894a35a8bda186129b0f89c0dcc9389991b20cbf092692928614bc63024775b0ac5b8c2f83aa0a5bf28fe44bda8e

Download Submit
C:\Users\Admin\AppData\Roaming\eternalasync\cpuuploads.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
memory/2684-20-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/2684-17-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-18-0x00000000001B0000-0x00000000004E8000-memory.dmp

Filesize
3.2MB

Download
memory/2684-19-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-34-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-21-0x0000000005030000-0x000000000507E000-memory.dmp

Filesize
312KB

Download
memory/2708-5-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2708-16-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-3-0x0000000074350000-0x0000000074A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-0-0x000000007435E000-0x000000007435F000-memory.dmp

Filesize
4KB

Download
memory/2708-4-0x0000000000B00000-0x0000000000B5C000-memory.dmp

Filesize
368KB

Download
memory/2708-2-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2708-1-0x0000000000EA0000-0x00000000011D8000-memory.dmp

Filesize
3.2MB

Download
memory/2724-23-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2724-32-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2724-31-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2724-26-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2724-28-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2724-36-0x00000000009A0000-0x00000000009B8000-memory.dmp

Filesize
96KB

Download
memory/2724-37-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/2724-33-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2724-54-0x0000000005570000-0x000000000557E000-memory.dmp

Filesize
56KB

Download
memory/2724-55-0x0000000005620000-0x0000000005622000-memory.dmp

Filesize
8KB

Download
memory/2724-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-24-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download