orcus | 7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update.exe
Size

3.0MB
MD5

2fe71c8b3764c2e139e32d132437bc67
SHA1

70bdbce5ad67ce24d75bd76b41cb6eecdcc24dc7
SHA256

7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d
SHA512

f12e8d338824c18384a300a78a21d88cf7d589d26d06c18d4b6f00f9fc50c567f8ac024990fa69a49323632f82124d2cfc890ba040eaac15934a283029ac2a2d
SSDEEP

49152:G+1xzMQNZKMx6Y3BfoKTL0lmGlrtWAypQxbno9JnCmoyrZEI0AilFCvxHd:G+1n666WTMXypSbno9JCm

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

dc.deenote4396.com:10134

Mutex

3749f50e4c6b4cbfb5eac93f5e5530bb

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Lenovo\Update.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Lenovo
watchdog_path
AppData\Lenovo.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c88-52.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c88-52.dat	orcus
behavioral2/memory/2376-62-0x00000000001A0000-0x000000000049E000-memory.dmp	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Lenovo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 6 IoCs

pid	Process
4560	WindowsInput.exe
2684	WindowsInput.exe
2376	Update.exe
2860	Update.exe
2696	Lenovo.exe
440	Lenovo.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	Update.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Update.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Lenovo\Update.exe.config	Update.exe
File created	C:\Program Files\Lenovo\Update.exe	Update.exe
File opened for modification	C:\Program Files\Lenovo\Update.exe	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenovo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenovo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	Update.exe
2376	Update.exe
2376	Update.exe
440	Lenovo.exe
440	Lenovo.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe
2376	Update.exe
440	Lenovo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	Update.exe
Token: SeDebugPrivilege	2696	Lenovo.exe
Token: SeDebugPrivilege	440	Lenovo.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2376	Update.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 2784	3176	Update.exe	85
PID 3176 wrote to memory of 2784	3176	Update.exe	85
PID 2784 wrote to memory of 1788	2784	csc.exe	87
PID 2784 wrote to memory of 1788	2784	csc.exe	87
PID 3176 wrote to memory of 4560	3176	Update.exe	88
PID 3176 wrote to memory of 4560	3176	Update.exe	88
PID 3176 wrote to memory of 2376	3176	Update.exe	90
PID 3176 wrote to memory of 2376	3176	Update.exe	90
PID 2376 wrote to memory of 2696	2376	Update.exe	92
PID 2376 wrote to memory of 2696	2376	Update.exe	92
PID 2376 wrote to memory of 2696	2376	Update.exe	92
PID 2696 wrote to memory of 440	2696	Lenovo.exe	93
PID 2696 wrote to memory of 440	2696	Lenovo.exe	93
PID 2696 wrote to memory of 440	2696	Lenovo.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f70tsvl5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD189.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD188.tmp"
    3⤵
    PID:1788
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4560
- C:\Program Files\Lenovo\Update.exe
  "C:\Program Files\Lenovo\Update.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Roaming\Lenovo.exe
    "C:\Users\Admin\AppData\Roaming\Lenovo.exe" /launchSelfAndExit "C:\Program Files\Lenovo\Update.exe" 2376 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Roaming\Lenovo.exe
      "C:\Users\Admin\AppData\Roaming\Lenovo.exe" /watchProcess "C:\Program Files\Lenovo\Update.exe" 2376 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:440

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2684

C:\Program Files\Lenovo\Update.exe
"C:\Program Files\Lenovo\Update.exe"
1⤵
- Executes dropped EXE
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Lenovo\Update.exe

Filesize
3.0MB

MD5
2fe71c8b3764c2e139e32d132437bc67

SHA1
70bdbce5ad67ce24d75bd76b41cb6eecdcc24dc7

SHA256
7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d

SHA512
f12e8d338824c18384a300a78a21d88cf7d589d26d06c18d4b6f00f9fc50c567f8ac024990fa69a49323632f82124d2cfc890ba040eaac15934a283029ac2a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lenovo.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD189.tmp

Filesize
1KB

MD5
dbd957eb71a2ca305ce128ca177e8e22

SHA1
97e464e2f78fe79decc4f76e33b532794f0ee64e

SHA256
e8411aae4420e1106566a09de6e8211fdf1ac4b7a150255de859cd339a460940

SHA512
5d70aaf0d57d7e2c2c3a29df5b7681a888c07db39e4a73b64fab4a3e213d8db38c42424a86ebde3f50d333ae22fb7175283ffb433a7422d6ad6bf150e96d3efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\f70tsvl5.dll

Filesize
76KB

MD5
6c244cb253f0488a857c4b704b259609

SHA1
c6c7b23904899ff91607bbd654215a99e9356d18

SHA256
b2306cc855c53a743dceab2ca3fc65b0b6acc20af29161e3c531abca2c577b33

SHA512
a06c37585936e3e1dae9340d657e5990420f6bb25bc91dbe3361de3f4ad8db4a280e6f10e4da43436d37fb23cf968d7ccf9e77dcd0e1d586ce3b1398bcfdf8df

Download Submit
C:\Users\Admin\AppData\Roaming\Lenovo.exe

Filesize
9KB

MD5
2d755da0539c2158464fd680aeeafa10

SHA1
027be49916ebb28b6af7112ac3f5921e016ab67b

SHA256
a3e0e958ea53e5a0ed8c8debf5a24be30bcfabe423ea09337098674f4c125cc6

SHA512
6dbc740c760b1fc33dca1986d73f61e6213918584a1cf1f1be5775d0931a26701650ebd894767696127f09f3a10d4f9c44535add9a68c94d0f4eed6022fbdad1

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
3bfc2e9172bbd881cd34f0923724596a

SHA1
f1cd48baadd891c39b7ef45a9d71ff8355ea5df7

SHA256
a9cd2113e12ac6b42a2523755bd71ed129b71562e8cd4bb274d0141db7e40899

SHA512
882b5afac26bb9be88269c93c7800f5d0c6153ad0a895193c9acf70a0724137518a8b52584c16c248b2f79929c83072fa72bbbd9da3f0fba4ff1f9b50837d5d6

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD188.tmp

Filesize
676B

MD5
4802ef2afef2cacf0d6e12433a46041e

SHA1
448ab9e411c795b6a9895abc428d872bf59bda9c

SHA256
d79446c8e82d16a387f882ef3a43d5f1ba8110d6d9229c440ca2ed4aaf22cfbd

SHA512
6cce27dc5f5ba1054636efaa61a3487e649527e34c96def18e23d6351cf88f0050a117fe945e603c0bdcd890a60fef577c71b8008012f6730d24600668f85aba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f70tsvl5.0.cs

Filesize
208KB

MD5
62087c569bcaaf38478292254d7955e8

SHA1
8f0e8d803646ccb78b513deda15936a8b4e9daf2

SHA256
014718521624262237ac818ac50ce4dccbdf01ede4291f286d95716b4ff21c6b

SHA512
db0f90c57be42c10d7086e29473143d520875175f22911ff53ac01d90d9db6c3b46b5cb36d58fa3527ac9923b41686519abd62687a081ce21806f19c075e43cd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f70tsvl5.cmdline

Filesize
349B

MD5
6b8d823feeb97746949ec47ee3372ab9

SHA1
e2b6f246e750637f1d2c509956f27119043e306b

SHA256
72720e0dd02a6115c11a12974a899e2c51aab6f106aa84c9bd3ed32ef204f90e

SHA512
7c8972824844573ed56a78122e32e620041d679b76c7118299e270ea5d8ee047256081fd1ed5bbf3a8ce3b1048b83d5310882aaacd7e6e840ef8dbae807cc785

Download Submit
memory/2376-66-0x000000001BC40000-0x000000001BE02000-memory.dmp

Filesize
1.8MB

Download
memory/2376-67-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/2376-65-0x00000000025B0000-0x00000000025C8000-memory.dmp

Filesize
96KB

Download
memory/2376-63-0x0000000002500000-0x000000000254E000-memory.dmp

Filesize
312KB

Download
memory/2376-62-0x00000000001A0000-0x000000000049E000-memory.dmp

Filesize
3.0MB

Download
memory/2684-46-0x000000001AAC0000-0x000000001ABCA000-memory.dmp

Filesize
1.0MB

Download
memory/2696-81-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/2784-19-0x00007FFC9BBE0000-0x00007FFC9C581000-memory.dmp

Filesize
9.6MB

Download
memory/2784-12-0x00007FFC9BBE0000-0x00007FFC9C581000-memory.dmp

Filesize
9.6MB

Download
memory/3176-23-0x000000001CF00000-0x000000001CF12000-memory.dmp

Filesize
72KB

Download
memory/3176-21-0x000000001CF20000-0x000000001CF36000-memory.dmp

Filesize
88KB

Download
memory/3176-1-0x00007FFC9BBE0000-0x00007FFC9C581000-memory.dmp

Filesize
9.6MB

Download
memory/3176-0-0x00007FFC9BE95000-0x00007FFC9BE96000-memory.dmp

Filesize
4KB

Download
memory/3176-2-0x0000000001AD0000-0x0000000001B2C000-memory.dmp

Filesize
368KB

Download
memory/3176-3-0x0000000001A70000-0x0000000001A7E000-memory.dmp

Filesize
56KB

Download
memory/3176-61-0x00007FFC9BBE0000-0x00007FFC9C581000-memory.dmp

Filesize
9.6MB

Download
memory/3176-4-0x00007FFC9BBE0000-0x00007FFC9C581000-memory.dmp

Filesize
9.6MB

Download
memory/3176-5-0x000000001C8E0000-0x000000001CDAE000-memory.dmp

Filesize
4.8MB

Download
memory/3176-24-0x000000001D460000-0x000000001D480000-memory.dmp

Filesize
128KB

Download
memory/3176-6-0x000000001CE50000-0x000000001CEEC000-memory.dmp

Filesize
624KB

Download
memory/4560-39-0x0000000000F70000-0x0000000000F7C000-memory.dmp

Filesize
48KB

Download
memory/4560-38-0x00007FFC98BD3000-0x00007FFC98BD5000-memory.dmp

Filesize
8KB

Download
memory/4560-41-0x000000001BB80000-0x000000001BBBC000-memory.dmp

Filesize
240KB

Download
memory/4560-40-0x0000000002FF0000-0x0000000003002000-memory.dmp

Filesize
72KB

Download