Analysis
max time kernel: 111s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/03/2025, 18:58

Behavioral task: behavioral1
Sample: test.exe
Resource: win7-20241010-en
General
Target: test.exe
Size: 913KB
MD5: 3ec4232085e107853eb6787e80848efa
SHA1: 3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1
SHA256: 2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a
SHA512: 9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999
SSDEEP: 24576:7Eqr4MROxnF25bHKTlQjrZlI0AilFEvxHiON:7EjMiwjrZlI0AilFEvxHi
Malware Config
Extracted
Family: orcus
C2: 23.160.168.165:7058
eb4cdf8f2fdf48e2948ba799aa59ebe5
autostart_method: Disable
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures

Orcus family

Orcus main payload (1 IoC)
resource: behavioral2/files/0x000800000002424e-42.dat, yara_rule: family_orcus

Orcurs Rat Executable (2 IoCs)
resource: behavioral2/files/0x000800000002424e-42.dat, yara_rule: orcus
resource: behavioral2/memory/4652-53-0x0000000000EC0000-0x0000000000FAA000-memory.dmp, yara_rule: orcus
(The memory dump is from PID 4652, the dropped Orcus.exe, so the unpacked RAT is resident in memory after install.)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation, process: test.exe
Key value queried: \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation, process: Orcus.exe

Executes dropped EXE (1 IoC)
PID 4652, Orcus.exe

Drops desktop.ini file(s) (2 IoCs)
File created: C:\Windows\assembly\Desktop.ini, process: test.exe
File opened for modification: C:\Windows\assembly\Desktop.ini, process: test.exe

Drops file in Program Files directory (4 IoCs)
File created: C:\Program Files\Orcus\Orcus.exe.config, process: test.exe
File opened for modification: C:\Program Files\Orcus\Orcus.exe, process: Orcus.exe
File created: C:\Program Files\Orcus\Orcus.exe, process: test.exe
File opened for modification: C:\Program Files\Orcus\Orcus.exe, process: test.exe
(The drop location matches install_path in the extracted config, %programfiles%\Orcus\Orcus.exe.)

Drops file in Windows directory (3 IoCs)
File opened for modification: C:\Windows\assembly, process: test.exe
File created: C:\Windows\assembly\Desktop.ini, process: test.exe
File opened for modification: C:\Windows\assembly\Desktop.ini, process: test.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
PID 3576, PING.EXE
Caveat: the only ping in this trace is to 127.0.0.1 (see the process tree), which proves nothing about Internet reachability; inside the batch file it serves as a short delay before the del commands, the usual self-delete idiom. Treat this signature as a false positive for connectivity discovery here.

Runs ping.exe (1 TTP, 1 IoC)
PID 3576, PING.EXE

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, PID 4652, Orcus.exe

Suspicious use of FindShellTrayWindow (1 IoC)
PID 4652, Orcus.exe

Suspicious use of SendNotifyMessage (1 IoC)
PID 4652, Orcus.exe

Suspicious use of WriteProcessMemory (18 IoCs)
The raw output logs every parent/child pair twice; the 9 distinct pairs are:
PID 1960 (test.exe)  wrote to memory of 5788, procid_target 89
PID 5788 (csc.exe)   wrote to memory of 5428, procid_target 91
PID 1960 (test.exe)  wrote to memory of 4652, procid_target 93
PID 4652 (Orcus.exe) wrote to memory of 2908, procid_target 100
PID 2908 (cmd.exe)   wrote to memory of 3576, procid_target 102
PID 2908 (cmd.exe)   wrote to memory of 5256, procid_target 103
PID 2908 (cmd.exe)   wrote to memory of 3924, procid_target 104
PID 2908 (cmd.exe)   wrote to memory of 3172, procid_target 105
PID 2908 (cmd.exe)   wrote to memory of 5244, procid_target 106

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
The extracted config names the task "Orcus" (taskscheduler_taskname) but sets autostart_method to Disable; the report records the API use as a TTP with no IoC, so creation of a scheduled task is not confirmed by this run.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\test.exe (PID 1960)
    command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
    - Checks computer location settings
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 5788)
      command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-yjk8y6r.cmdline"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 5428)
        command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES569D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC569C.tmp"
  [2] C:\Program Files\Orcus\Orcus.exe (PID 4652)
      command line: "C:\Program Files\Orcus\Orcus.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe (PID 2908)
        command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{087877d5-e852-4a30-b3ef-d5d722eea722}.bat" "
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\PING.EXE (PID 3576)
          command line: ping 127.0.0.1
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
      [4] C:\Windows\system32\cmd.exe (PID 5256)
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo j "
      [4] C:\Windows\system32\cmd.exe (PID 3924)
          command line: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files\Orcus\Orcus.exe""
      [4] C:\Windows\system32\cmd.exe (PID 3172)
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo j "
      [4] C:\Windows\system32\cmd.exe (PID 5244)
          command line: C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{087877d5-e852-4a30-b3ef-d5d722eea722}.bat"

Reading the tree: the test.exe -> csc.exe -> cvtres.exe chain, with csc driven by a temporary .cmdline response file, is consistent with the .NET 2.0 CodeDOM compiler being invoked at run time, i.e. the dropper compiles code on the victim rather than shipping it prebuilt. The batch file hosted by cmd.exe (PID 2908) first delays with ping 127.0.0.1, then deletes the installed C:\Program Files\Orcus\Orcus.exe and finally itself. The alternating `cmd /S /D /c" echo j "` and `cmd /S /D /c" del ... "` children are how cmd.exe executes a pipeline: each side of `echo j | del ...` runs in its own child shell, with the echoed "j" fed to del's stdin, presumably to answer a confirmation prompt. Whether this deletion is Orcus's uninstall path or a cleanup after a failed start cannot be determined from this report alone; the install in Program Files and the task/registry names from the config remain the artifacts to hunt for on a live host.
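The process tree above, rebuilt programmatically. This is an added example, not code from the sandbox or from Orcus. It parses the WriteProcessMemory rows copied from the report, renders the tree, pairs the `cmd /S /D /c" ... "` children back into the pipelines cmd.exe split them from, and flags the ping-then-del self-delete sequence. The WPM_ROWS text and PROCS table are copied from the report; the data model and the pairing rule are the example's own. The rule assumes standard cmd.exe behaviour, namely that each half of an `a | b` pipeline runs in a child `cmd /S /D /c" ... "`.

```python
"""Rebuild a sandbox process tree and decode a self-delete batch.

Added example for this report, not sandbox or Orcus code. WPM_ROWS and PROCS
are copied from the report; everything else is the example's own.
"""
import re
from collections import defaultdict

# Copied from the report's "Suspicious use of WriteProcessMemory" signature.
# The sandbox logs every parent/child edge twice; parse_rows() deduplicates.
WPM_ROWS = """
PID 1960 wrote to memory of 5788 1960 test.exe 89
PID 1960 wrote to memory of 5788 1960 test.exe 89
PID 5788 wrote to memory of 5428 5788 csc.exe 91
PID 5788 wrote to memory of 5428 5788 csc.exe 91
PID 1960 wrote to memory of 4652 1960 test.exe 93
PID 1960 wrote to memory of 4652 1960 test.exe 93
PID 4652 wrote to memory of 2908 4652 Orcus.exe 100
PID 4652 wrote to memory of 2908 4652 Orcus.exe 100
PID 2908 wrote to memory of 3576 2908 cmd.exe 102
PID 2908 wrote to memory of 3576 2908 cmd.exe 102
PID 2908 wrote to memory of 5256 2908 cmd.exe 103
PID 2908 wrote to memory of 5256 2908 cmd.exe 103
PID 2908 wrote to memory of 3924 2908 cmd.exe 104
PID 2908 wrote to memory of 3924 2908 cmd.exe 104
PID 2908 wrote to memory of 3172 2908 cmd.exe 105
PID 2908 wrote to memory of 3172 2908 cmd.exe 105
PID 2908 wrote to memory of 5244 2908 cmd.exe 106
PID 2908 wrote to memory of 5244 2908 cmd.exe 106
"""

# PID -> (image name, command line), copied from the report's process tree.
PROCS = {
    1960: ("test.exe", r'"C:\Users\Admin\AppData\Local\Temp\test.exe"'),
    5788: ("csc.exe", r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-yjk8y6r.cmdline"'),
    5428: ("cvtres.exe", r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES569D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC569C.tmp"'),
    4652: ("Orcus.exe", r'"C:\Program Files\Orcus\Orcus.exe"'),
    2908: ("cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\{087877d5-e852-4a30-b3ef-d5d722eea722}.bat" "'),
    3576: ("PING.EXE", "ping 127.0.0.1"),
    5256: ("cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo j "'),
    3924: ("cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files\Orcus\Orcus.exe""'),
    3172: ("cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" echo j "'),
    5244: ("cmd.exe", r'C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{087877d5-e852-4a30-b3ef-d5d722eea722}.bat"'),
}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")
PIPE_RE = re.compile(r'/S /D /c"(.*)"\s*$')          # one half of a cmd.exe pipeline
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?\.(?:exe|bat))"?', re.I)
PING_RE = re.compile(r"\bping\b.*\b127\.0\.0\.1\b", re.I)


def parse_rows(text):
    """Map child PID -> (parent PID, parent image), dropping the doubled rows."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges[int(m[2])] = (int(m[1]), m[3])
    return edges


def children_of(edges):
    """Invert the edge map: parent PID -> [child PIDs] in logged order."""
    kids = defaultdict(list)
    for child, (parent, _) in edges.items():
        kids[parent].append(child)
    return kids


def lineage(edges, pid):
    """Ancestors of pid, nearest first, as (PID, image)."""
    out = []
    while pid in edges:
        pid, image = edges[pid]
        out.append((pid, image))
    return out


def render_tree(kids, procs, pid, depth=0):
    """Indented text tree rooted at pid, one line per process."""
    image, cmd = procs[pid]
    lines = [f"{'  ' * depth}{image} (PID {pid}): {cmd}"]
    for child in kids.get(pid, []):
        lines.extend(render_tree(kids, procs, child, depth + 1))
    return lines


def reconstruct_batch(kids, procs, host_pid):
    """Recover the batch file's lines from the children of the cmd.exe that ran it.

    Assumption: consecutive `cmd /S /D /c" ... "` children are the two halves
    of one `a | b` pipeline; any other child is a plain command line.
    """
    lines, pending = [], None
    for child in kids.get(host_pid, []):
        _, cmd = procs[child]
        m = PIPE_RE.search(cmd)
        if not m:
            lines.append(cmd.strip())
            continue
        half = m.group(1).strip()
        if pending is None:
            pending = half
        else:
            lines.append(f"{pending} | {half}")
            pending = None
    if pending is not None:
        lines.append(pending)
    return lines


def find_self_delete(kids, procs):
    """Hosts whose children both ping 127.0.0.1 (delay) and del an .exe/.bat."""
    hits = []
    for pid, children in kids.items():
        cmds = [procs[c][1] for c in children]
        if not any(PING_RE.search(c) for c in cmds):
            continue
        deleted = [m.group(1) for c in cmds for m in [DEL_RE.search(c)] if m]
        if deleted:
            hits.append((pid, deleted))
    return hits


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    kids = children_of(edges)
    print("\n".join(render_tree(kids, PROCS, 1960)))
    for host, files in find_self_delete(kids, PROCS):
        print(f"\nself-delete batch in PID {host}, lineage {lineage(edges, host)}")
        print("\n".join("  " + line for line in reconstruct_batch(kids, PROCS, host)))
```

Run stand-alone it prints the ten-process tree, then the batch as cmd.exe executed it: `ping 127.0.0.1`, `echo j | del "C:\Program Files\Orcus\Orcus.exe"`, `echo j | del C:\Users\Admin\AppData\Local\Temp\{087877d5-e852-4a30-b3ef-d5d722eea722}.bat`. The same parse/pair/flag logic applies to any sandbox or EDR process-creation feed where a batch host spawns `/S /D /c` sub-shells.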
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists hashes only; no file names are given for these artifacts.

Filesize: 913KB (identical hashes to the submitted sample, test.exe)
MD5: 3ec4232085e107853eb6787e80848efa
SHA1: 3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1
SHA256: 2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a
SHA512: 9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999

Filesize: 357B
MD5: a2b76cea3a59fa9af5ea21ff68139c98
SHA1: 35d76475e6a54c168f536e30206578babff58274
SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Filesize: 76KB
MD5: a57525e74c09bc9e4da48aaffc53a844
SHA1: 2ef4c45a6d9704b89cc5045da5ce7d4d681562a4
SHA256: dc1c434e3131987360ec9739bde15bb7170f08aa7945380e237e0719e3a6ef4a
SHA512: 7407d7389ef7b0e5f162300aa24bae0be65e9c1a7656cb76d80f191eeece007d1448f0f64f3c79401a0373331b3c72c78a87a7d92f860210a0aee51e866958d0

Filesize: 1KB
MD5: 9eb89e2a6595a9dbcd75058f7e9c4365
SHA1: b013dbd6807e22c8a72cd81f68c19eae44f165ef
SHA256: 8848ab1d784294f86e0a506dfd8a60e7f07838dde7e648a78455645fb17327a0
SHA512: 3916173f6906695f41bafd5aeeace1e0fa62bd3cc49892406c6dc23be2d5f167b71312584382ce28af55f4db2b23d961ccefb5ae7f9b478c4a12c09336d3a4e5

Filesize: 171B
MD5: 60b8414e9a1d5e780b54bd8a627d9941
SHA1: 6fd8346a8e87a79f370441fdb03e9f3aabb20cb1
SHA256: b6937a6a1e4e6b9fc27660cdd707478256468024d896396b687eddbfaa249940
SHA512: 7e41366bd7da483f8737f5f23d31844b83db87e6bb111e7585e48347188fe2db296079bb422d355e76676fb6c78f98932c801ad821bd93a71588f48b2643faec

Filesize: 1KB
MD5: 3bed3841183cbd9f04548eb0d6db3628
SHA1: 51f6fac9a64b62ae4fbde2bf79e538ab85a4b059
SHA256: 7317f98aa7bb9d535d0345289d35701a3e0eabadd088274184f0f1af399480bd
SHA512: e61054a6a5c2622cc70fedb3e7f320eae679536ad2b9b9eff9860aebceeec845b7cb29e1e957f4e7170e358e5f0948544407b86815a2c0d3bceba949757edb03

Filesize: 208KB
MD5: 14966372b7019dec4e6aa73e83cec804
SHA1: 9f7b8bdeb48f4cd03f484b675370ae942ff593c3
SHA256: 92d9ea0d1dd909a00ad7d05193079c52bee44e22fac3c994fb32334c7f080e67
SHA512: 4638b06662313327a86ba3a9c25fdf38c25da1b62f19d0cd037e04b460c3cf37d4f9dc904227a4d8c90194ad2d02baf94a0f40e26b2ff08b698c1149b43b62dd

Filesize: 349B
MD5: 163c31e423339c4a548d7adb7e55e787
SHA1: 4cd2684c72e25f59100b547f9feb38b8bf2b31ca
SHA256: 74a855b6e7223998fd113d893510870199e6d2fd92af54dc4de29b6c7403fe93
SHA512: 7e9d5b0d1f06f17ee97a41cbd3e5e1745dd333e77c87aca9794d78140d6a8026e0c8d2daaa95792a64d2dfa66b816deb63df289a941d251e89936eefc5394711

Filesize: 676B
MD5: 56608f95915b648e9585d9ce643df033
SHA1: 69a9b94876624a85f3ab649b9edb53e8ad53ff54
SHA256: 6955073dbcd850b9e05c96b0a795928aceb78dd51846362d9d2c1e537a2944e5
SHA512: ddc4c0d78e241a7dfafd7cc5d5914aa6985555a394499f2f957402993202a6cec2749d0de205ed4f00b10ff8ce40b0a7552d47dc88d61f59edf7f007734c378b