orcus | 7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-01-2025 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update.exe
Size

3.0MB
MD5

2fe71c8b3764c2e139e32d132437bc67
SHA1

70bdbce5ad67ce24d75bd76b41cb6eecdcc24dc7
SHA256

7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d
SHA512

f12e8d338824c18384a300a78a21d88cf7d589d26d06c18d4b6f00f9fc50c567f8ac024990fa69a49323632f82124d2cfc890ba040eaac15934a283029ac2a2d
SSDEEP

49152:G+1xzMQNZKMx6Y3BfoKTL0lmGlrtWAypQxbno9JnCmoyrZEI0AilFCvxHd:G+1n666WTMXypSbno9JCm

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

dc.deenote4396.com:10134

Mutex

3749f50e4c6b4cbfb5eac93f5e5530bb

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Lenovo\Update.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Lenovo
watchdog_path
AppData\Lenovo.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cb2-38.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cb2-38.dat	orcus
behavioral1/memory/2952-41-0x0000000000F50000-0x000000000124E000-memory.dmp	orcus

Executes dropped EXE 6 IoCs

pid	Process
2696	WindowsInput.exe
2716	WindowsInput.exe
2952	Update.exe
2164	Update.exe
2996	Lenovo.exe
2912	Lenovo.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Update.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	Update.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Lenovo\Update.exe	Update.exe
File opened for modification	C:\Program Files\Lenovo\Update.exe	Update.exe
File created	C:\Program Files\Lenovo\Update.exe.config	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenovo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenovo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	Update.exe
2952	Update.exe
2952	Update.exe
2912	Lenovo.exe
2912	Lenovo.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe
2952	Update.exe
2912	Lenovo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	Update.exe
Token: SeDebugPrivilege	2996	Lenovo.exe
Token: SeDebugPrivilege	2912	Lenovo.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2952	Update.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2352	1064	Update.exe	30
PID 1064 wrote to memory of 2352	1064	Update.exe	30
PID 1064 wrote to memory of 2352	1064	Update.exe	30
PID 2352 wrote to memory of 1372	2352	csc.exe	32
PID 2352 wrote to memory of 1372	2352	csc.exe	32
PID 2352 wrote to memory of 1372	2352	csc.exe	32
PID 1064 wrote to memory of 2696	1064	Update.exe	33
PID 1064 wrote to memory of 2696	1064	Update.exe	33
PID 1064 wrote to memory of 2696	1064	Update.exe	33
PID 1064 wrote to memory of 2952	1064	Update.exe	35
PID 1064 wrote to memory of 2952	1064	Update.exe	35
PID 1064 wrote to memory of 2952	1064	Update.exe	35
PID 2712 wrote to memory of 2164	2712	taskeng.exe	37
PID 2712 wrote to memory of 2164	2712	taskeng.exe	37
PID 2712 wrote to memory of 2164	2712	taskeng.exe	37
PID 2952 wrote to memory of 2996	2952	Update.exe	38
PID 2952 wrote to memory of 2996	2952	Update.exe	38
PID 2952 wrote to memory of 2996	2952	Update.exe	38
PID 2952 wrote to memory of 2996	2952	Update.exe	38
PID 2996 wrote to memory of 2912	2996	Lenovo.exe	39
PID 2996 wrote to memory of 2912	2996	Lenovo.exe	39
PID 2996 wrote to memory of 2912	2996	Lenovo.exe	39
PID 2996 wrote to memory of 2912	2996	Lenovo.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8h3j8rz2.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F6C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F6B.tmp"
    3⤵
    PID:1372
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2696
- C:\Program Files\Lenovo\Update.exe
  "C:\Program Files\Lenovo\Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Roaming\Lenovo.exe
    "C:\Users\Admin\AppData\Roaming\Lenovo.exe" /launchSelfAndExit "C:\Program Files\Lenovo\Update.exe" 2952 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Users\Admin\AppData\Roaming\Lenovo.exe
      "C:\Users\Admin\AppData\Roaming\Lenovo.exe" /watchProcess "C:\Program Files\Lenovo\Update.exe" 2952 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2912

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2716

C:\Windows\system32\taskeng.exe
taskeng.exe {68536D72-CA49-49FF-9561-8C7F3F5B9E72} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Program Files\Lenovo\Update.exe
  "C:\Program Files\Lenovo\Update.exe"
  2⤵
  - Executes dropped EXE
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Lenovo\Update.exe

Filesize
3.0MB

MD5
2fe71c8b3764c2e139e32d132437bc67

SHA1
70bdbce5ad67ce24d75bd76b41cb6eecdcc24dc7

SHA256
7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d

SHA512
f12e8d338824c18384a300a78a21d88cf7d589d26d06c18d4b6f00f9fc50c567f8ac024990fa69a49323632f82124d2cfc890ba040eaac15934a283029ac2a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8h3j8rz2.dll

Filesize
76KB

MD5
0c2b155633c0a6fd4b714a6c2dd0cdbc

SHA1
ca4fabf346f96350b04fd0f0a0695b07bcce7871

SHA256
0a29202b58f024f2adcbed4be424421f46eb9cac67845e5e9d83c88522319472

SHA512
0998c3827d8336a31bc7ee74dc0d1102cc2525a0613dbc57b511244374158d86f87ba30389b4c90c3a4e39456107a937348c7cc19412075adbf4a73d11026602

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F6C.tmp

Filesize
1KB

MD5
cbf1ef8c11f17a77b89675a761b5e1b1

SHA1
1da494fde7de6f8f60996a719ae6b9571402c886

SHA256
6c60a8a8e698b636e2d5c0418b0a3f111dae075409868b49e9ca3dee2415da42

SHA512
5cd9ef8f36fcb9d3b020a035d135b2055ea0ec8f28f5e10d8369415d7b09a564f1866bb005b9a0e83ee96e57989efa7bbb2038564d7a0aa608248b897a4344cf

Download Submit
C:\Users\Admin\AppData\Roaming\Lenovo.exe

Filesize
9KB

MD5
2d755da0539c2158464fd680aeeafa10

SHA1
027be49916ebb28b6af7112ac3f5921e016ab67b

SHA256
a3e0e958ea53e5a0ed8c8debf5a24be30bcfabe423ea09337098674f4c125cc6

SHA512
6dbc740c760b1fc33dca1986d73f61e6213918584a1cf1f1be5775d0931a26701650ebd894767696127f09f3a10d4f9c44535add9a68c94d0f4eed6022fbdad1

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
3bfc2e9172bbd881cd34f0923724596a

SHA1
f1cd48baadd891c39b7ef45a9d71ff8355ea5df7

SHA256
a9cd2113e12ac6b42a2523755bd71ed129b71562e8cd4bb274d0141db7e40899

SHA512
882b5afac26bb9be88269c93c7800f5d0c6153ad0a895193c9acf70a0724137518a8b52584c16c248b2f79929c83072fa72bbbd9da3f0fba4ff1f9b50837d5d6

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8h3j8rz2.0.cs

Filesize
208KB

MD5
06eeab740666436d8531263bbe94ee74

SHA1
8690baaf1c5e28c59186f0edba23ce21a91ede79

SHA256
e6234e233792bd2046997c327bb75defd74bf62b09c1978eb1a01d7c1ecaebea

SHA512
08a95015d2d14ed93e1f9b16e1589599863da932281d7092bfaff694e0ed8c110715c5ec8d0dfd9aac4d04a90b69c0cc23861d314698ef8738d166c68a06a954

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8h3j8rz2.cmdline

Filesize
349B

MD5
07bf21c6e655b98867f0563f0ba28813

SHA1
0cfeb70bdf4e96ed19ac63781f4a7584957b1e90

SHA256
6c24bf05013bf99c35625b24ff8acdd7671b9e1015903a090a9d6ed15ce82dd8

SHA512
7c674d809516b858f983186e4a9bd5681b8e18d59daaf8caeee8c3833d04bd1ccff775ef2016468c08b53cab0be5e4cdeaae23c057dee5dabefad57cbc55e671

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9F6B.tmp

Filesize
676B

MD5
d528cf9a3ccefa10add241881824be82

SHA1
c68ea00e17075ae414d919d4ffeb1e582357717b

SHA256
0c6ee55a594e3ca3af8f12786f46d57819be7c8840954238531c8fb2139a9c91

SHA512
d71f8076b60c3340491f41c6351b20894daf4b3c4a1d923b4f1a76f903229900903858f4dd837f5aa5f91333fc62607f9b70c12ab49fd268635d44a4c6427719

Download Submit
memory/1064-42-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1064-19-0x00000000008F0000-0x0000000000906000-memory.dmp

Filesize
88KB

Download
memory/1064-0-0x000007FEF570E000-0x000007FEF570F000-memory.dmp

Filesize
4KB

Download
memory/1064-3-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1064-2-0x0000000000170000-0x000000000017E000-memory.dmp

Filesize
56KB

Download
memory/1064-4-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1064-21-0x00000000001B0000-0x00000000001C2000-memory.dmp

Filesize
72KB

Download
memory/1064-1-0x0000000002510000-0x000000000256C000-memory.dmp

Filesize
368KB

Download
memory/2352-13-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2352-17-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2696-29-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/2716-33-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/2952-41-0x0000000000F50000-0x000000000124E000-memory.dmp

Filesize
3.0MB

Download
memory/2952-43-0x0000000000BC0000-0x0000000000C0E000-memory.dmp

Filesize
312KB

Download
memory/2952-44-0x0000000000600000-0x0000000000618000-memory.dmp

Filesize
96KB

Download
memory/2952-45-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/2996-55-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

Filesize
32KB

Download