3ad5f2990414da79e320ea8f2ded41993adf0e2d0e0eefb11ab085f7e55f320c

Analysis

max time kernel
140s
max time network
135s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/03/2025, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OrcusRAT/server/Orcus.Server.exe
Size

3.2MB
MD5

700a14ba55fb47f9b8a99ffa92267125
SHA1

43ef6ab246ba72d39cd1a72dd83fee68aceba493
SHA256

594f18a0b5b83c1c64c75830f8e9b2bd4d4629c9c5b9c70b3aa5f0f17b22789a
SHA512

c4ab308a65f267edee887085d358df1ddf83e55fa8f3507209cebc5b44e755f17d583956d170e57e6644d70505a175d58a17f1cdaab13ba7431c4185594804b4
SSDEEP

49152:VB+4yPRRGCvw2/986nZGeE9gwPs+vnEoXevXCdJsur8BF0xXIHnqww5VCkkhQIGa:VB+4mRF42/986wgzMEop+OxXIKZExc8

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2492	Orcus.Server.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Server.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	Orcus.Server.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2492	Orcus.Server.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2492	Orcus.Server.exe

C:\Users\Admin\AppData\Local\Temp\OrcusRAT\server\Orcus.Server.exe
"C:\Users\Admin\AppData\Local\Temp\OrcusRAT\server\Orcus.Server.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\21E29AD7CD88FD3C37963FFA4C49AEB2\32\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
memory/2492-19-0x00000000079F0000-0x0000000007A3C000-memory.dmp

Filesize
304KB

Download
memory/2492-37-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/2492-7-0x0000000005720000-0x000000000575E000-memory.dmp

Filesize
248KB

Download
memory/2492-8-0x0000000005C00000-0x0000000005C98000-memory.dmp

Filesize
608KB

Download
memory/2492-9-0x0000000074750000-0x0000000074F01000-memory.dmp

Filesize
7.7MB

Download
memory/2492-10-0x0000000006250000-0x00000000067F6000-memory.dmp

Filesize
5.6MB

Download
memory/2492-11-0x0000000005E20000-0x00000000060B6000-memory.dmp

Filesize
2.6MB

Download
memory/2492-12-0x0000000006E20000-0x0000000007438000-memory.dmp

Filesize
6.1MB

Download
memory/2492-13-0x0000000006800000-0x0000000006B57000-memory.dmp

Filesize
3.3MB

Download
memory/2492-14-0x0000000006D50000-0x0000000006DE2000-memory.dmp

Filesize
584KB

Download
memory/2492-15-0x0000000006CD0000-0x0000000006D2C000-memory.dmp

Filesize
368KB

Download
memory/2492-18-0x0000000007990000-0x00000000079C0000-memory.dmp

Filesize
192KB

Download
memory/2492-1-0x00000000009C0000-0x0000000000CF8000-memory.dmp

Filesize
3.2MB

Download
memory/2492-17-0x0000000008210000-0x000000000873C000-memory.dmp

Filesize
5.2MB

Download
memory/2492-16-0x0000000007B10000-0x0000000007CD2000-memory.dmp

Filesize
1.8MB

Download
memory/2492-21-0x0000000007A80000-0x0000000007AA1000-memory.dmp

Filesize
132KB

Download
memory/2492-20-0x0000000007AC0000-0x0000000007AFC000-memory.dmp

Filesize
240KB

Download
memory/2492-29-0x00000000081F0000-0x00000000081FA000-memory.dmp

Filesize
40KB

Download
memory/2492-30-0x0000000074750000-0x0000000074F01000-memory.dmp

Filesize
7.7MB

Download
memory/2492-31-0x0000000074750000-0x0000000074F01000-memory.dmp

Filesize
7.7MB

Download
memory/2492-32-0x00000000017D0000-0x00000000017EE000-memory.dmp

Filesize
120KB

Download
memory/2492-34-0x00000000017F0000-0x00000000017FC000-memory.dmp

Filesize
48KB

Download
memory/2492-35-0x0000000001830000-0x000000000183A000-memory.dmp

Filesize
40KB

Download
memory/2492-33-0x000000000D460000-0x000000000D4DC000-memory.dmp

Filesize
496KB

Download
memory/2492-0-0x000000007475E000-0x000000007475F000-memory.dmp

Filesize
4KB

Download
memory/2492-38-0x0000000074750000-0x0000000074F01000-memory.dmp

Filesize
7.7MB

Download
memory/2492-39-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download