Analysis
max time kernel: 120s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/03/2025, 19:12
Behavioral task
behavioral1
Sample
test.exe
Resource
win7-20240903-en
General
Target: test.exe
Size: 913KB
MD5: 3ec4232085e107853eb6787e80848efa
SHA1: 3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1
SHA256: 2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a
SHA512: 9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999
SSDEEP: 24576:7Eqr4MROxnF25bHKTlQjrZlI0AilFEvxHiON:7EjMiwjrZlI0AilFEvxHi
Malware Config
Extracted
orcus
C2: 23.160.168.165:7058
eb4cdf8f2fdf48e2948ba799aa59ebe5
autostart_method: Disable
enable_keylogger: false
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures
-
Orcus family
-
Orcus main payload 1 IoCs
resource                                      yara_rule
behavioral1/files/0x000700000001932a-30.dat   family_orcus
Orcurs Rat Executable 2 IoCs
resource                                                                  yara_rule
behavioral1/files/0x000700000001932a-30.dat                               orcus
behavioral1/memory/2780-35-0x0000000000DD0000-0x0000000000EBA000-memory.dmp   orcus
Executes dropped EXE 1 IoCs
pid    Process
2780   Orcus.exe
Drops file in Program Files directory 3 IoCs
description                   ioc                                        Process
File created                  C:\Program Files\Orcus\Orcus.exe.config    test.exe
File created                  C:\Program Files\Orcus\Orcus.exe           test.exe
File opened for modification  C:\Program Files\Orcus\Orcus.exe           test.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid    Process
Token: SeDebugPrivilege   2780   Orcus.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid    Process
2780   Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs
pid    Process
2780   Orcus.exe
Suspicious use of WriteProcessMemory 9 IoCs
description                         pid    Process    procid_target
PID 2364 wrote to memory of 2468    2364   test.exe   30
PID 2364 wrote to memory of 2468    2364   test.exe   30
PID 2364 wrote to memory of 2468    2364   test.exe   30
PID 2468 wrote to memory of 348     2468   csc.exe    32
PID 2468 wrote to memory of 348     2468   csc.exe    32
PID 2468 wrote to memory of 348     2468   csc.exe    32
PID 2364 wrote to memory of 2780    2364   test.exe   34
PID 2364 wrote to memory of 2780    2364   test.exe   34
PID 2364 wrote to memory of 2780    2364   test.exe   34
Processes
C:\Users\Admin\AppData\Local\Temp\test.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2364

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ejhopnwk.cmdline"
      - Suspicious use of WriteProcessMemory
      PID: 2468

        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA89F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA89E.tmp"
          PID: 348

    C:\Program Files\Orcus\Orcus.exe
      Command line: "C:\Program Files\Orcus\Orcus.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2780
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 913KB
MD5: 3ec4232085e107853eb6787e80848efa
SHA1: 3cc6617af32cd1da1b7ffc0996a1a32e1a171bf1
SHA256: 2c79679727444f53ecabaa6c6d588cefb54b9c118ef858bc7e1fdc913440086a
SHA512: 9b7f0d5f9d18b3c54d3c65eb7df0f95a799eaeccd383ef9aae44372896bac2e629d6a26c30c47d6ef839c91559a024a1083bd5f39a3187e63e817638f3d2a999

Filesize: 357B
MD5: a2b76cea3a59fa9af5ea21ff68139c98
SHA1: 35d76475e6a54c168f536e30206578babff58274
SHA256: f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512: b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Filesize: 1KB
MD5: 332b4c0c44cbd67ac533c9d08e55985d
SHA1: 6c21c50a7eca775d75d7283fc5cae491b1b0f629
SHA256: f6b25fbe2bb4dc213c3cbce1b4acf2b80f82b69add0e45a82f3083882cd82dcd
SHA512: a60ad133dd6f33a39e62e5971aaa46f48247138c8251bc4198322318e67d368ec072f8e753bf63232ecc19595f16f17bc335ff31108747f56e4545fc06b75677

Filesize: 76KB
MD5: c5574eabd7b470852062ac3c37bdb02f
SHA1: dfab31723ceaebc5b5b60ade4b81fdf0f3eae271
SHA256: 2a9f1a735907b5dcb8aef5e414f4bdc658b1de3b83dffbb8dc9872010011a3cd
SHA512: f24b471da090e4b715dc42e0d1569184bc6628a4db62f9f18c3c619ee62ebe680a00fed4a97da82bae12dfd072251439d4ae9ab62aff1bc1cf4de8611a99f976

Filesize: 1KB
MD5: 2f3c99016c35f40240ba262e3cd21ab3
SHA1: 78dd480a235453739a2b29339cd5105ea329bffd
SHA256: 21157bec912de43e3971e0d84ac673f708adc364c6c4fafecb17e2978cdf9624
SHA512: 141229837a82ec026a762b494c11736e1148eeeb18113f42be2477d596c51eca577efad0654579688b236064ae31d4a296923efaeed146d2ee20fcc73712499d

Filesize: 676B
MD5: 3dfc81f80b6b58cbc51c3dd15780e622
SHA1: 0edd59760346297c721971290583cb17efde71fb
SHA256: db8b74568411f4e9ae59e603aaa7eb2eab251646d3beef01d2308c693aece449
SHA512: b6b6d2d40777428c99d88c2e95e34e247a7d8470cf236f833ddf7fc34cd7577320b97c8041a7542d5c6a1716b3e7605f89a893e860ae6235d6391a64bd0a37ce

Filesize: 208KB
MD5: 6011503497b1b9250a05debf9690e52c
SHA1: 897aea61e9bffc82d7031f1b3da12fb83efc6d82
SHA256: 08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434
SHA512: 604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

Filesize: 349B
MD5: 18333d6c196a5f6b1eaea032747bc3a9
SHA1: caea7b25c4e0111629c383b264286cf67891621e
SHA256: 043d65a131a8d9d5d4278306af173590d99f24cc1b65490bdc6eab28e1cdfee7
SHA512: bcac9b6dd598aa01851b68cb75de1ec35e3b866188f78d202ee67cdd20416aa2a423a83bd320dd8344f5dd2ff9135e8cf3dce6064c0803f2b7ef70a6412ecdee