orcus | 7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2025, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Update.exe
Size

3.0MB
MD5

2fe71c8b3764c2e139e32d132437bc67
SHA1

70bdbce5ad67ce24d75bd76b41cb6eecdcc24dc7
SHA256

7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d
SHA512

f12e8d338824c18384a300a78a21d88cf7d589d26d06c18d4b6f00f9fc50c567f8ac024990fa69a49323632f82124d2cfc890ba040eaac15934a283029ac2a2d
SSDEEP

49152:G+1xzMQNZKMx6Y3BfoKTL0lmGlrtWAypQxbno9JnCmoyrZEI0AilFCvxHd:G+1n666WTMXypSbno9JCm

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

dc.deenote4396.com:10134

Mutex

3749f50e4c6b4cbfb5eac93f5e5530bb

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Lenovo\Update.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Lenovo
watchdog_path
AppData\Lenovo.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c35-52.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c35-52.dat	orcus
behavioral2/memory/644-62-0x0000000000CB0000-0x0000000000FAE000-memory.dmp	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	Lenovo.exe

Executes dropped EXE 6 IoCs

pid	Process
4920	WindowsInput.exe
984	WindowsInput.exe
644	Update.exe
1756	Update.exe
2212	Lenovo.exe
3264	Lenovo.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Update.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	Update.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Lenovo\Update.exe	Update.exe
File opened for modification	C:\Program Files\Lenovo\Update.exe	Update.exe
File created	C:\Program Files\Lenovo\Update.exe.config	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenovo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lenovo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
644	Update.exe
644	Update.exe
644	Update.exe
3264	Lenovo.exe
3264	Lenovo.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe
644	Update.exe
3264	Lenovo.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	Update.exe
Token: SeDebugPrivilege	2212	Lenovo.exe
Token: SeDebugPrivilege	3264	Lenovo.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
644	Update.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 4524	3504	Update.exe	87
PID 3504 wrote to memory of 4524	3504	Update.exe	87
PID 4524 wrote to memory of 4568	4524	csc.exe	89
PID 4524 wrote to memory of 4568	4524	csc.exe	89
PID 3504 wrote to memory of 4920	3504	Update.exe	90
PID 3504 wrote to memory of 4920	3504	Update.exe	90
PID 3504 wrote to memory of 644	3504	Update.exe	92
PID 3504 wrote to memory of 644	3504	Update.exe	92
PID 644 wrote to memory of 2212	644	Update.exe	94
PID 644 wrote to memory of 2212	644	Update.exe	94
PID 644 wrote to memory of 2212	644	Update.exe	94
PID 2212 wrote to memory of 3264	2212	Lenovo.exe	95
PID 2212 wrote to memory of 3264	2212	Lenovo.exe	95
PID 2212 wrote to memory of 3264	2212	Lenovo.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Update.exe
"C:\Users\Admin\AppData\Local\Temp\Update.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hntladlm.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8BD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD8BC.tmp"
    3⤵
    PID:4568
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4920
- C:\Program Files\Lenovo\Update.exe
  "C:\Program Files\Lenovo\Update.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:644
- - C:\Users\Admin\AppData\Roaming\Lenovo.exe
    "C:\Users\Admin\AppData\Roaming\Lenovo.exe" /launchSelfAndExit "C:\Program Files\Lenovo\Update.exe" 644 /protectFile
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Roaming\Lenovo.exe
      "C:\Users\Admin\AppData\Roaming\Lenovo.exe" /watchProcess "C:\Program Files\Lenovo\Update.exe" 644 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3264

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:984

C:\Program Files\Lenovo\Update.exe
"C:\Program Files\Lenovo\Update.exe"
1⤵
- Executes dropped EXE
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Lenovo\Update.exe

Filesize
3.0MB

MD5
2fe71c8b3764c2e139e32d132437bc67

SHA1
70bdbce5ad67ce24d75bd76b41cb6eecdcc24dc7

SHA256
7e7f54be771fd2aa38fe215442508a4673163aa87f39eabb7c6cf9de77d1546d

SHA512
f12e8d338824c18384a300a78a21d88cf7d589d26d06c18d4b6f00f9fc50c567f8ac024990fa69a49323632f82124d2cfc890ba040eaac15934a283029ac2a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lenovo.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD8BD.tmp

Filesize
1KB

MD5
1bf56844523bc6fbb39397e34254b5e8

SHA1
7581dcde7776471d1b6c416edf98ca1dc43b342f

SHA256
348dc89c778f5b75d4fe0046d3786292f5853944187d016b5530008fa63af379

SHA512
5cf0f99fa13065b4ad3113654e94022dbb69ed4d35e3eaa55f48b8f6ee75223296cbf92d97299ebdd3ab8fab0fdb4d1f71318155e5df6e0a71acdde649518bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hntladlm.dll

Filesize
76KB

MD5
1a467a8b5440dd47a03fe22ce5fa15bc

SHA1
b056dd37c7bf35ec8c7f5b3cebdff8db15781fdc

SHA256
83db7acb41dfa297db7ce60b395a1daf8265d462e11cfc640646677839022a99

SHA512
c7b182dd1cd15a068f7d4ed74c4c6d053251953105e2353bf21e0061bc3c18e0a76edc933833233f1307d8154aaa6b4d749446056cadf1fef19d27805519641c

Download Submit
C:\Users\Admin\AppData\Roaming\Lenovo.exe

Filesize
9KB

MD5
2d755da0539c2158464fd680aeeafa10

SHA1
027be49916ebb28b6af7112ac3f5921e016ab67b

SHA256
a3e0e958ea53e5a0ed8c8debf5a24be30bcfabe423ea09337098674f4c125cc6

SHA512
6dbc740c760b1fc33dca1986d73f61e6213918584a1cf1f1be5775d0931a26701650ebd894767696127f09f3a10d4f9c44535add9a68c94d0f4eed6022fbdad1

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
3bfc2e9172bbd881cd34f0923724596a

SHA1
f1cd48baadd891c39b7ef45a9d71ff8355ea5df7

SHA256
a9cd2113e12ac6b42a2523755bd71ed129b71562e8cd4bb274d0141db7e40899

SHA512
882b5afac26bb9be88269c93c7800f5d0c6153ad0a895193c9acf70a0724137518a8b52584c16c248b2f79929c83072fa72bbbd9da3f0fba4ff1f9b50837d5d6

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
349B

MD5
89817519e9e0b4e703f07e8c55247861

SHA1
4636de1f6c997a25c3190f73f46a3fd056238d78

SHA256
f40dfaa50dcbff93611d45607009158f798e9cd845170939b1d6088a7d10ee13

SHA512
b017cb7a522b9c6794f3691cb7266ec82f565a90d7d07cc9beb53b939d2e9bf34275bc25f6f32d9a9c7136a0aab2189d9556af7244450c610d11ed7a4f584ba3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD8BC.tmp

Filesize
676B

MD5
5a40b740e24089e477e7e28486686dee

SHA1
2fa0b6ab5bf9ad03c6ac7fb7d9d003d19ea4e8b9

SHA256
b98e00d6ec4b02026bb3a117f447f875a59f5dd3062a9c0662c27599a5b3debe

SHA512
c6a470f276ab80716942782e4dbc7352387363cab3665b06daec8d3adf9abd3a759331274c292f9aebdbf13b79e4d54c4a31ca3e89112a1ec0e36b9f25850434

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hntladlm.0.cs

Filesize
208KB

MD5
3d8f4eddd37ae95e3043c9433ed3c5f2

SHA1
93be07b8af6212190eee6a4cb9dd5d257974b9a1

SHA256
42343e33ca7264ffdb632dee4bbc8d47abd3cfe4d1740017dd365d23c6671294

SHA512
54329aefe375bddcddc9d84c3f152ab2a78f231cdd8e3021ecf0e44f6d1c5e94fb653639098ed71ca565d2328a48c6ae9d211996210c02144fb9e1c5db9732fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hntladlm.cmdline

Filesize
349B

MD5
ba3c3308ea9fe50fed4e1d7d24190f4e

SHA1
05d0989f4d423c021e764ce1d60082ff606b60b0

SHA256
002e85af6d433132df6b65654f5b576a498d292b742c4500a8e46eb991a60218

SHA512
dac0d1f6a930a7a666ab7f187e308b52bf4a1c9bdf9cbb561964cf1ec90af8112a05d3625b94876c224c2515751ddb16ab3c6ff719c63dbe999c67daf4e327ac

Download Submit
memory/644-67-0x000000001C420000-0x000000001C430000-memory.dmp

Filesize
64KB

Download
memory/644-66-0x000000001C660000-0x000000001C822000-memory.dmp

Filesize
1.8MB

Download
memory/644-65-0x000000001C2F0000-0x000000001C308000-memory.dmp

Filesize
96KB

Download
memory/644-63-0x000000001BC10000-0x000000001BC5E000-memory.dmp

Filesize
312KB

Download
memory/644-62-0x0000000000CB0000-0x0000000000FAE000-memory.dmp

Filesize
3.0MB

Download
memory/984-46-0x000000001ACE0000-0x000000001ADEA000-memory.dmp

Filesize
1.0MB

Download
memory/2212-81-0x00000000008F0000-0x00000000008F8000-memory.dmp

Filesize
32KB

Download
memory/3504-23-0x000000001CD40000-0x000000001CD52000-memory.dmp

Filesize
72KB

Download
memory/3504-21-0x000000001CD60000-0x000000001CD76000-memory.dmp

Filesize
88KB

Download
memory/3504-1-0x00007FFEBFD20000-0x00007FFEC06C1000-memory.dmp

Filesize
9.6MB

Download
memory/3504-2-0x000000001BDF0000-0x000000001BE4C000-memory.dmp

Filesize
368KB

Download
memory/3504-4-0x00007FFEBFD20000-0x00007FFEC06C1000-memory.dmp

Filesize
9.6MB

Download
memory/3504-6-0x000000001CC80000-0x000000001CD1C000-memory.dmp

Filesize
624KB

Download
memory/3504-5-0x000000001C7B0000-0x000000001CC7E000-memory.dmp

Filesize
4.8MB

Download
memory/3504-3-0x0000000001AE0000-0x0000000001AEE000-memory.dmp

Filesize
56KB

Download
memory/3504-61-0x00007FFEBFD20000-0x00007FFEC06C1000-memory.dmp

Filesize
9.6MB

Download
memory/3504-24-0x000000001D2A0000-0x000000001D2C0000-memory.dmp

Filesize
128KB

Download
memory/3504-0-0x00007FFEBFFD5000-0x00007FFEBFFD6000-memory.dmp

Filesize
4KB

Download
memory/4524-19-0x00007FFEBFD20000-0x00007FFEC06C1000-memory.dmp

Filesize
9.6MB

Download
memory/4524-16-0x00007FFEBFD20000-0x00007FFEC06C1000-memory.dmp

Filesize
9.6MB

Download
memory/4920-41-0x0000000002E40000-0x0000000002E7C000-memory.dmp

Filesize
240KB

Download
memory/4920-40-0x00000000012B0000-0x00000000012C2000-memory.dmp

Filesize
72KB

Download
memory/4920-39-0x00007FFEBD0E3000-0x00007FFEBD0E5000-memory.dmp

Filesize
8KB

Download
memory/4920-38-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download