| File name: | Scriptware_protected.exe |
| Full analysis: | https://app.any.run/tasks/43eb057c-30ce-4513-b9d1-1983cb4c0c06 |
| Verdict: | Malicious activity |
| Threats: | Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class. |
| Analysis date: | May 26, 2023, 22:02:12 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 82A10F282AD38DF97046EDF8717348FA |
| SHA1: | 8831189C1FBCC8AC85C982F3FEE43032E1D03084 |
| SHA256: | 0FDC4E6CC88A99F2B0871C2720B06EAA6F64E2D0DF56E21F7C241D46DC3B993B |
| SSDEEP: | 98304:xwafcOVwv4sMeNIJGnOLuvV51IHD8pKyrnX7i03DDHN:hcOVwA9w8VsH1eyXtDDHN |
| .dll | | | Win32 Dynamic Link Library (generic) (43.5) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (29.8) |
| .exe | | | Generic Win/DOS Executable (13.2) |
| .exe | | | DOS Executable Generic (13.2) |
| AssemblyVersion: | 1.0.0.0 |
|---|---|
| ProductVersion: | 1.0.0.0 |
| ProductName: | - |
| OriginalFileName: | Scriptware.exe |
| LegalTrademarks: | - |
| LegalCopyright: | - |
| InternalName: | Scriptware.exe |
| FileVersion: | 1.0.0.0 |
| FileDescription: | - |
| CompanyName: | - |
| Comments: | - |
| CharacterSet: | Unicode |
| LanguageCode: | Neutral |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 1.0.0.0 |
| FileVersionNumber: | 1.0.0.0 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 4 |
| ImageVersion: | - |
| OSVersion: | 4 |
| EntryPoint: | 0x63e058 |
| UninitializedDataSize: | - |
| InitializedDataSize: | 128512 |
| CodeSize: | 933376 |
| LinkerVersion: | 8 |
| PEType: | PE32 |
| ImageFileCharacteristics: | Executable, 32-bit |
| TimeStamp: | 2023:05:26 21:27:54+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 26-May-2023 21:27:54 |
| Detected languages: |
|
| Comments: | - |
| CompanyName: | - |
| FileDescription: | - |
| FileVersion: | 1.0.0.0 |
| InternalName: | Scriptware.exe |
| LegalCopyright: | - |
| LegalTrademarks: | - |
| OriginalFilename: | Scriptware.exe |
| ProductName: | - |
| ProductVersion: | 1.0.0.0 |
| Assembly Version: | 1.0.0.0 |
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000080 |
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 7 |
| Time date stamp: | 26-May-2023 21:27:54 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
0x00002000 | 0x000E4000 | 0x0009CA56 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.96304 | |
K\xf3\x01 | 0x000E6000 | 0x0001F34B | 0x0000A998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.97169 |
\x0c | 0x00106000 | 0x0000000C | 0x0000000F | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 3.90689 |
.imports | 0x00108000 | 0x00002000 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.14055 |
.rsrc | 0x0010A000 | 0x0001F400 | 0x0001F400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.8964 |
.themida | 0x0012A000 | 0x00514000 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.boot | 0x0063E000 | 0x002FD000 | 0x002FCF45 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.95928 |
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.28751 | 831 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 1.9013 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 2.44053 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 2.86094 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 3.3069 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 3.91202 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
WHITE-SHADOW.503A8492-REMOVEBG-PREVIEW | 2.79908 | 90 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
kernel32.dll |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 596 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 748 | "C:\Users\admin\AppData\Local\Temp\Scriptware_protected.exe" | C:\Users\admin\AppData\Local\Temp\Scriptware_protected.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Version: 1.0.0.0 Modules
| |||||||||||||||
| 924 | "C:\Program Files\Microsoft\svchost.exe" | C:\Program Files\Microsoft\svchost.exe | taskeng.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 1004 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\hvly4nvo.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | Scriptware_protected.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 1840 | "C:\Users\admin\AppData\Local\Temp\Scriptware_protected.exe" | C:\Users\admin\AppData\Local\Temp\Scriptware_protected.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2100 | "C:\Windows\system32\WindowsInput.exe" --install | C:\Windows\System32\WindowsInput.exe | — | Scriptware_protected.exe | |||||||||||
User: admin Company: Microsoft Integrity Level: HIGH Description: Windows Input Exit code: 0 Version: 0.1.0 Modules
| |||||||||||||||
| 2116 | "C:\Program Files\Microsoft\svchost.exe" | C:\Program Files\Microsoft\svchost.exe | Scriptware_protected.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.0.0.0 Modules
Orcus(PID) Process(2116) svchost.exe C2 (2)0.0.0.0:10134 194.26.192.209:1920 Keys AES0dde8f777b4262089ee8bc480d9fe72c9b04dd11e8aef4044b7461350f1f9a7f Salt Options AutostartBuilderProperty AutostartMethodRegistry TaskSchedulerTaskNamedllhost TaskHighestPrivilegestrue RegistryHiddenStarttrue RegistryKeyNamesvchost TryAllAutostartMethodsOnFailtrue ChangeAssemblyInformationBuilderProperty ChangeAssemblyInformationfalse AssemblyTitlenull AssemblyDescriptionnull AssemblyCompanyNamenull AssemblyProductNamenull AssemblyCopyrightnull AssemblyTrademarksnull AssemblyProductVersion1.0.0.0 AssemblyFileVersion1.0.0.0 ChangeCreationDateBuilderProperty IsEnabledtrue NewCreationDate2019-03-23T18:02:02 ChangeIconBuilderProperty ChangeIconfalse IconPathnull ClientTagBuilderProperty ClientTagpacov DataFolderBuilderProperty Path%appdata%\EasyAntiCheat DefaultPrivilegesBuilderProperty RequireAdministratorRightstrue DisableInstallationPromptBuilderProperty IsDisabledtrue FrameworkVersionBuilderProperty FrameworkVersionNET35 HideFileBuilderProperty HideFiletrue InstallationLocationBuilderProperty Path%programfiles%\Microsoft\svchost.exe InstallBuilderProperty Installtrue KeyloggerBuilderProperty IsEnabledtrue MutexBuilderProperty Mutexeb4259216d7440f19b9a508156fd6925 ProxyBuilderProperty ProxyOptionNone ProxyAddressnull ProxyPort1080 ProxyType2 ReconnectDelayProperty Delay10000 RequireAdministratorPrivilegesInstallerBuilderProperty RequireAdministratorPrivilegestrue RespawnTaskBuilderProperty IsEnabledtrue TaskNamesvchost ServiceBuilderProperty Installtrue SetRunProgramAsAdminFlagBuilderProperty SetFlagtrue WatchdogBuilderProperty IsEnabledtrue Namesvchost.exe WatchdogLocationAppData PreventFileDeletiontrue Plugins (0) | |||||||||||||||
| 2236 | "C:\Users\admin\AppData\Roaming\svchost (1).exe" /launchSelfAndExit "C:\Program Files\Microsoft\svchost.exe" 2116 /protectFile | C:\Users\admin\AppData\Roaming\svchost (1).exe | svchost.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 2724 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2472 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE6C9.tmp" "c:\Users\admin\AppData\Local\Temp\CSCE6C8.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.5003 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 2724 | "C:\Users\admin\AppData\Roaming\svchost (1).exe" /watchProcess "C:\Program Files\Microsoft\svchost.exe" 2116 "/protectFile" | C:\Users\admin\AppData\Roaming\svchost (1).exe | — | svchost (1).exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| (PID) Process: | (1840) Scriptware_protected.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1840) Scriptware_protected.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1840) Scriptware_protected.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1840) Scriptware_protected.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2100) WindowsInput.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2100) WindowsInput.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2100) WindowsInput.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2100) WindowsInput.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2116) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2116) svchost.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1840 | Scriptware_protected.exe | C:\Users\admin\AppData\Local\Temp\hvly4nvo.0.cs | text | |
MD5:0F972D116AAF9B5255352449037ED345 | SHA256:CDCD271F738A4CDE9DDB3EC64F2C7439DFDB5F5661E36E632042DF86F33EA644 | |||
| 1840 | Scriptware_protected.exe | C:\Users\admin\AppData\Local\Temp\hvly4nvo.cmdline | text | |
MD5:1EF50015EFECD468D8B5AA04A55E262B | SHA256:7F16AA5066F75DC1CA1FBEECFAFA0AC9706A682C0A179326A2D867433BD8B77C | |||
| 1004 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCE6C8.tmp | binary | |
MD5:6F87B7162972D3B2C5B96715039A03A2 | SHA256:486A9837D1635B210B195AEAEF00BD3ABA286B694B1DA093865AC55D28330DB0 | |||
| 1004 | csc.exe | C:\Users\admin\AppData\Local\Temp\hvly4nvo.dll | executable | |
MD5:679BA599C936E44AAB6DBCD62195C785 | SHA256:08DDE2288EB1E0B0E680C3B36D9F3DD254761F1A118C4B314F3ED27BC0A2CDA5 | |||
| 3200 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA560.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 1840 | Scriptware_protected.exe | C:\Windows\system32\WindowsInput.exe | executable | |
MD5:E6FCF516D8ED8D0D4427F86E08D0D435 | SHA256:8DBE814359391ED6B0B5B182039008CF1D00964DA9FBC4747F46242A95C24337 | |||
| 3172 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7C1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2100 | WindowsInput.exe | C:\Windows\system32\WindowsInput.InstallState | xml | |
MD5:FFB29BD88BD23C639985F1D369DBD1CA | SHA256:1ADB4F9D1D152E018246A0A2762B473D910906340207F57D3F8CE1097E1DE09F | |||
| 2116 | svchost.exe | C:\Users\admin\AppData\Local\Temp\Cab1C4F.tmp | compressed | |
MD5:3AC860860707BAAF32469FA7CC7C0192 | SHA256:D015145D551ECD14916270EFAD773BBC9FD57FAD2228D2C24559F696C961D904 | |||
| 2116 | svchost.exe | C:\Users\admin\AppData\Roaming\svchost (1).exe.config | xml | |
MD5:A2B76CEA3A59FA9AF5EA21FF68139C98 | SHA256:F99EF5BF79A7C43701877F0BB0B890591885BB0A3D605762647CC8FFBF10C839 | |||
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2116 | svchost.exe | GET | 200 | 67.27.234.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?01c5ead56df16a6d | US | compressed | 62.3 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1076 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3704 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2116 | svchost.exe | 67.27.234.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious |
2116 | svchost.exe | 194.26.192.209:1920 | — | 1337 Services GmbH | NL | malicious |
Domain | IP | Reputation |
|---|---|---|
ctldl.windowsupdate.com |
| whitelisted |