dd93edf3bf06b4aa46c274eba0cb5baaa23de83c00c232d94daa745dc027fbfb

Analysis

max time kernel
36s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orcus RAT 1.9.1.7z
Size

15.2MB
MD5

fa7496d6e59567530020af15ac03591e
SHA1

0e9b1506c1ce1a9135fdba62067223b945dc8256
SHA256

dd93edf3bf06b4aa46c274eba0cb5baaa23de83c00c232d94daa745dc027fbfb
SHA512

2615e0cbbbfc95a9f9889a6f7f3bfd98530baa67df2670fe5fb237c324aff05e03dd7cc48eb048b104100760b88778eb3ab4c37eb46c93461255dfcea65d30be
SSDEEP

393216:+n6G+PwoEnB9413374+ldButFYoAFMlSxZcHqUvW:bDo9+33c+lyDeMo0q2W

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4904	Orcus.Administration.exe
2924	Orcus.Administration.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3724	4904	WerFault.exe	97
1824	2924	WerFault.exe	102

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.Administration.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5172	7zFM.exe
5172	7zFM.exe
5172	7zFM.exe
5172	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5172	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5172	7zFM.exe
Token: 35	5172	7zFM.exe
Token: SeSecurityPrivilege	5172	7zFM.exe
Token: SeSecurityPrivilege	5172	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5172	7zFM.exe
5172	7zFM.exe
5172	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5172 wrote to memory of 4904	5172	7zFM.exe	97
PID 5172 wrote to memory of 4904	5172	7zFM.exe	97
PID 5172 wrote to memory of 4904	5172	7zFM.exe	97
PID 5172 wrote to memory of 2924	5172	7zFM.exe	102
PID 5172 wrote to memory of 2924	5172	7zFM.exe	102
PID 5172 wrote to memory of 2924	5172	7zFM.exe	102

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Orcus RAT 1.9.1.7z"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5172
- C:\Users\Admin\AppData\Local\Temp\7zO434DE897\Orcus.Administration.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO434DE897\Orcus.Administration.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 864
    3⤵
    - Program crash
    PID:3724
- C:\Users\Admin\AppData\Local\Temp\7zO434EB6D7\Orcus.Administration.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO434EB6D7\Orcus.Administration.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 872
    3⤵
    - Program crash
    PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4904 -ip 4904
1⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2924 -ip 2924
1⤵
PID:5472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO434DE897\Orcus.Administration.exe

Filesize
3.9MB

MD5
37349777df1cc9c8d3d62eb733f7cd45

SHA1
456233fa947ab155dbe5636eda0a77346197bb4c

SHA256
0121f2d7ddc074ffa05619dbb2a4b555a4b550168a765b57fa8bd9298a7e4b52

SHA512
ca4e1a39dbb0fa0c6bbef7142cf457856cc2db14c03b5b9ea5c28811a3a70cc05505320f50e133e166aad25d779ac043b0f29b09bb34a342f5111603cc5dd074

Download Submit
memory/2924-26-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/2924-27-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/4904-12-0x0000000074D7E000-0x0000000074D7F000-memory.dmp

Filesize
4KB

Download
memory/4904-13-0x0000000000D10000-0x0000000001106000-memory.dmp

Filesize
4.0MB

Download