Overview

overview

10

Static

static

10

1806529b17...2f.exe

windows7-x64

10

1806529b17...2f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    02-07-2024 01:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1806529b170be4bbe19aff809a669b9ee1ca761cbfc82bb113ca591ad0da7e2f.exe

  • Size

    907KB

  • MD5

    b2e4362b9f96ec4188f662819fd0ed95

  • SHA1

    f8bfd2340039c904f459136c6b6abc4bcfa68e93

  • SHA256

    1806529b170be4bbe19aff809a669b9ee1ca761cbfc82bb113ca591ad0da7e2f

  • SHA512

    0315b4b5fc6351615a20cb80cb61ebd3aaeeac562c89fac53fe44f7d6757eb1a9a04c2bd90a7682ad6105c7c9802efe44aeea22d4522f384c1f886a239463359

  • SSDEEP

    24576:i554MROxnFMptJSvrrcI0AilFEvxHP7ooI:iQMiqTSvrrcI0AilFEvxHP

Score
10/10
orcuspersistenceratspywarestealer

Malware Config

Extracted

Family

orcus

C2

10.9.164.122:9999

Mutex

c3d53f9fe37146cb9de31d6e16e18ac2

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus main payload 1 IoCs
  • Orcurs Rat Executable 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1806529b170be4bbe19aff809a669b9ee1ca761cbfc82bb113ca591ad0da7e2f.exe
    "C:\Users\Admin\AppData\Local\Temp\1806529b170be4bbe19aff809a669b9ee1ca761cbfc82bb113ca591ad0da7e2f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Program Files (x86)\Orcus\Orcus.exe
      "C:\Program Files (x86)\Orcus\Orcus.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Orcus\Orcus.exe.config
    Filesize

    357B

    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    Download Submit
  • \Program Files (x86)\Orcus\Orcus.exe
    Filesize

    907KB

    MD5

    b2e4362b9f96ec4188f662819fd0ed95

    SHA1

    f8bfd2340039c904f459136c6b6abc4bcfa68e93

    SHA256

    1806529b170be4bbe19aff809a669b9ee1ca761cbfc82bb113ca591ad0da7e2f

    SHA512

    0315b4b5fc6351615a20cb80cb61ebd3aaeeac562c89fac53fe44f7d6757eb1a9a04c2bd90a7682ad6105c7c9802efe44aeea22d4522f384c1f886a239463359

    Download Submit
  • memory/1896-20-0x00000000020E0000-0x000000000212E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1896-19-0x0000000074120000-0x000000007480E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1896-23-0x0000000074120000-0x000000007480E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1896-22-0x0000000001F90000-0x0000000001FA0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1896-21-0x00000000009E0000-0x00000000009F8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1896-17-0x0000000074120000-0x000000007480E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1896-18-0x0000000000A20000-0x0000000000B08000-memory.dmp
    Filesize

    928KB

    Download
  • memory/2552-14-0x0000000074120000-0x000000007480E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2552-3-0x0000000000550000-0x00000000005AC000-memory.dmp
    Filesize

    368KB

    Download
  • memory/2552-1-0x0000000000140000-0x0000000000228000-memory.dmp
    Filesize

    928KB

    Download
  • memory/2552-0-0x000000007412E000-0x000000007412F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2552-2-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2552-5-0x0000000001E70000-0x0000000001E82000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2552-4-0x0000000074120000-0x000000007480E000-memory.dmp
    Filesize

    6.9MB

    Download