orcus | 7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30-01-2025 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update.exe
Size

3.0MB
MD5

2fe71c8b3764c2e139e32d132437bc67
SHA1

70bdbce5ad67ce24d75bd76b41cb6eecdcc24dc7
SHA256

7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d
SHA512

f12e8d338824c18384a300a78a21d88cf7d589d26d06c18d4b6f00f9fc50c567f8ac024990fa69a49323632f82124d2cfc890ba040eaac15934a283029ac2a2d
SSDEEP

49152:G+1xzMQNZKMx6Y3BfoKTL0lmGlrtWAypQxbno9JnCmoyrZEI0AilFCvxHd:G+1n666WTMXypSbno9JCm

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

dc.deenote4396.com:10134

Mutex

3749f50e4c6b4cbfb5eac93f5e5530bb

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Lenovo\Update.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Lenovo
watchdog_path
AppData\Lenovo.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001933b-40.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001933b-40.dat	orcus
behavioral1/memory/2360-42-0x0000000000330000-0x000000000062E000-memory.dmp	orcus

Executes dropped EXE 6 IoCs

pid	Process
2864	WindowsInput.exe
2584	WindowsInput.exe
2360	Update.exe
1260	Update.exe
904	Lenovo.exe
2480	Lenovo.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	Update.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Update.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Lenovo\Update.exe	Update.exe
File opened for modification	C:\Program Files\Lenovo\Update.exe	Update.exe
File created	C:\Program Files\Lenovo\Update.exe.config	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenovo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenovo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	Lenovo.exe
2480	Lenovo.exe
2360	Update.exe
2360	Update.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe
2360	Update.exe
2480	Lenovo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	Update.exe
Token: SeDebugPrivilege	904	Lenovo.exe
Token: SeDebugPrivilege	2480	Lenovo.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2360	Update.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1880	2264	Update.exe	30
PID 2264 wrote to memory of 1880	2264	Update.exe	30
PID 2264 wrote to memory of 1880	2264	Update.exe	30
PID 1880 wrote to memory of 3060	1880	csc.exe	32
PID 1880 wrote to memory of 3060	1880	csc.exe	32
PID 1880 wrote to memory of 3060	1880	csc.exe	32
PID 2264 wrote to memory of 2864	2264	Update.exe	33
PID 2264 wrote to memory of 2864	2264	Update.exe	33
PID 2264 wrote to memory of 2864	2264	Update.exe	33
PID 2264 wrote to memory of 2360	2264	Update.exe	35
PID 2264 wrote to memory of 2360	2264	Update.exe	35
PID 2264 wrote to memory of 2360	2264	Update.exe	35
PID 3064 wrote to memory of 1260	3064	taskeng.exe	37
PID 3064 wrote to memory of 1260	3064	taskeng.exe	37
PID 3064 wrote to memory of 1260	3064	taskeng.exe	37
PID 2360 wrote to memory of 904	2360	Update.exe	38
PID 2360 wrote to memory of 904	2360	Update.exe	38
PID 2360 wrote to memory of 904	2360	Update.exe	38
PID 2360 wrote to memory of 904	2360	Update.exe	38
PID 904 wrote to memory of 2480	904	Lenovo.exe	39
PID 904 wrote to memory of 2480	904	Lenovo.exe	39
PID 904 wrote to memory of 2480	904	Lenovo.exe	39
PID 904 wrote to memory of 2480	904	Lenovo.exe	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1oydm0ob.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F45.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1F44.tmp"
    3⤵
    PID:3060
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2864
- C:\Program Files\Lenovo\Update.exe
  "C:\Program Files\Lenovo\Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Roaming\Lenovo.exe
    "C:\Users\Admin\AppData\Roaming\Lenovo.exe" /launchSelfAndExit "C:\Program Files\Lenovo\Update.exe" 2360 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Users\Admin\AppData\Roaming\Lenovo.exe
      "C:\Users\Admin\AppData\Roaming\Lenovo.exe" /watchProcess "C:\Program Files\Lenovo\Update.exe" 2360 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2480

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\system32\taskeng.exe
taskeng.exe {D6690080-5C16-473C-B854-A078DAFFE254} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Program Files\Lenovo\Update.exe
  "C:\Program Files\Lenovo\Update.exe"
  2⤵
  - Executes dropped EXE
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Lenovo\Update.exe

Filesize
3.0MB

MD5
2fe71c8b3764c2e139e32d132437bc67

SHA1
70bdbce5ad67ce24d75bd76b41cb6eecdcc24dc7

SHA256
7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d

SHA512
f12e8d338824c18384a300a78a21d88cf7d589d26d06c18d4b6f00f9fc50c567f8ac024990fa69a49323632f82124d2cfc890ba040eaac15934a283029ac2a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1oydm0ob.dll

Filesize
76KB

MD5
f47315c100bd45874b5b12501226d56f

SHA1
ab0c868b1a06a3e004c707a207fbce75b3345cfb

SHA256
727c825c7038158647b226195eeaca3cfedf4dcc9c6f216a9fb6b41e6878ee73

SHA512
a62292bae13ca2bb9878db2b36f877e367b3bfdef7d2e3f6355b8e01c208ac70643c8608c4a6738fa7427a07075fd1ec9f9e45b927f8efe4bf06377bd4e666fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F45.tmp

Filesize
1KB

MD5
df446fb030873cad515a70c692840b00

SHA1
d799adf501e67c043bc6e32c37182217e5d76588

SHA256
23ce9c09c1f34745b3605d13167fdfcb03f842f36a0f1b4f1f71372150f99bed

SHA512
b1b1872635340f0105014740639321348c89919eb9878d106ac2db9d06ca7b925c2574702f8f87298edba45747dd4a2801eef97a6183010b56c25a35a15294ac

Download Submit
C:\Users\Admin\AppData\Roaming\Lenovo.exe

Filesize
9KB

MD5
2d755da0539c2158464fd680aeeafa10

SHA1
027be49916ebb28b6af7112ac3f5921e016ab67b

SHA256
a3e0e958ea53e5a0ed8c8debf5a24be30bcfabe423ea09337098674f4c125cc6

SHA512
6dbc740c760b1fc33dca1986d73f61e6213918584a1cf1f1be5775d0931a26701650ebd894767696127f09f3a10d4f9c44535add9a68c94d0f4eed6022fbdad1

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
3bfc2e9172bbd881cd34f0923724596a

SHA1
f1cd48baadd891c39b7ef45a9d71ff8355ea5df7

SHA256
a9cd2113e12ac6b42a2523755bd71ed129b71562e8cd4bb274d0141db7e40899

SHA512
882b5afac26bb9be88269c93c7800f5d0c6153ad0a895193c9acf70a0724137518a8b52584c16c248b2f79929c83072fa72bbbd9da3f0fba4ff1f9b50837d5d6

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1oydm0ob.0.cs

Filesize
208KB

MD5
369fcc6236e1f4ebc9a0a450b5e718f2

SHA1
042d6e65d177abbddc1d7d30153cb3c8a08906b7

SHA256
0b325b98540f2627557e0e1887c201dabf6964eb13746d9b90a3ae44613ca05c

SHA512
a111d5878095e8d1d9d2279857a2c08e8e15663c54b60a7e611e6673ed7bde5dabaa8aebb9c539d7d713a726450b4b85f898093a9632b597136e319963eeb36e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1oydm0ob.cmdline

Filesize
349B

MD5
f4866627b796a931e2340f2d4a5b270a

SHA1
0ac02aac355d55d887c8d01ea629e96fef125e90

SHA256
fd97a58b7f75b45a87b12c75c580a94bb4e0f71e615266a131aa9ec1f046bceb

SHA512
d356be942b5a9f0cbff4fddd793dd8d46656652595525c3f7bc85c6bbe6e5346ffe11eaca9a1a6c1a4655afb73d295d6ae89a1d3dcff809e23920e0ef7db17e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1F44.tmp

Filesize
676B

MD5
154921d8aee461d6d9ff5b34ebcb2cde

SHA1
f1d2e2dc7dfc8155c0ed6dbc26ff611fdcefaeec

SHA256
4c54712a1b4909422e462c973f551e9efbd371f9c5227abf7e043b508c04b7e2

SHA512
e76e8ebb054f7d089decd2c3cb255d6f36211b78cf117aa645fe741444432090a43ab72fc23f67d3742d882d24146a3181a50eaabb6b6d979a1c9a3a9d540b58

Download Submit
memory/904-56-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/1880-10-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

Filesize
9.6MB

Download
memory/1880-17-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-41-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-19-0x000000001AFD0000-0x000000001AFE6000-memory.dmp

Filesize
88KB

Download
memory/2264-21-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/2264-0-0x000007FEF6B5E000-0x000007FEF6B5F000-memory.dmp

Filesize
4KB

Download
memory/2264-9-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

Filesize
9.6MB

Download
memory/2264-2-0x00000000009A0000-0x00000000009AE000-memory.dmp

Filesize
56KB

Download
memory/2264-1-0x0000000000B70000-0x0000000000BCC000-memory.dmp

Filesize
368KB

Download
memory/2264-6-0x000007FEF68A0000-0x000007FEF723D000-memory.dmp

Filesize
9.6MB

Download
memory/2360-42-0x0000000000330000-0x000000000062E000-memory.dmp

Filesize
3.0MB

Download
memory/2360-43-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/2360-44-0x0000000002450000-0x000000000249E000-memory.dmp

Filesize
312KB

Download
memory/2360-45-0x00000000021A0000-0x00000000021B8000-memory.dmp

Filesize
96KB

Download
memory/2360-46-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/2584-33-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2864-29-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download