Malware Analysis Report

2025-03-15 06:52

Sample ID 231203-b6pwaagh34
Target 49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3
SHA256 49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3
Tags
orcus
score
10/10

Analysis Overview

score
10/10

SHA256

49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3

Threat Level: Known bad

The file 49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3 was found to be: Known bad.

Malicious Activity Summary

orcus

Orcus family

Orcus main payload

Orcurs Rat Executable

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-03 01:45

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-03 01:45

Reported

2023-12-03 01:48

Platform

win7-20231023-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe

"C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rh6zujh1.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5265.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5264.tmp"

Network

N/A

Files

\??\c:\Users\Admin\AppData\Local\Temp\rh6zujh1.cmdline

MD5 30cdd85f8b74109a85c335d4c8aa1c26
SHA1 93f8e6d41bb98bbb123dfbe8d9e0a1cb3d39958e
SHA256 5591d04f129be9e9d6147c6a2c4eb303e2afdc329bebc2b7a87ae492be042537
SHA512 fc560218f644ada2ccd3719160ae6219a6cbf578efa57f6aeb4739096b0c9a6ace2a65965d6166c111081b1b18f2df1e5be7d817aadd6d962b89a11bc880f1d8

\??\c:\Users\Admin\AppData\Local\Temp\rh6zujh1.0.cs

MD5 2b14ae8b54d216abf4d228493ceca44a
SHA1 d134351498e4273e9d6391153e35416bc743adef
SHA256 4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c
SHA512 5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

\??\c:\Users\Admin\AppData\Local\Temp\CSC5264.tmp

MD5 16f4ae6d954c5be38e45ec8da15eff7f
SHA1 1cf345c11711463211e80f981230541310011dcd
SHA256 64aff604d9ac9de61f90feec7199ba6db38faea0df4cf15ef34860da7e7f95c9
SHA512 8ace4c51c439e339ff35a0f9d7d52fdb465ab7bf7e29659f61cd89a4155950e4dc363a3b252290bc47f1c57a77061645bafce21f43c17d325f893ef8958420a6

C:\Users\Admin\AppData\Local\Temp\rh6zujh1.dll

MD5 a5808a09865866df5c1d17b096514a53
SHA1 fcae5b835b0214a9e4c7de55482d67c5e6df4a3f
SHA256 76dace6745b37da8195b027512addde6edf37485fdb26e20c3b769df0f34a56f
SHA512 c2c3ea7a53c4e352a9b304423adf4aaed49e4aa031983c91655c6f9d571f19c53efe395f7d87e9602374f20817fbfd24c4a384c2fb681cdf21587fa8d8bc5dac

C:\Users\Admin\AppData\Local\Temp\RES5265.tmp

MD5 08ee454471ea721c84ed2cbbfcbbb71e
SHA1 5ba28794d9e667f85f89a2580a4c0332b205a3eb
SHA256 6d11d70a9749385a198ca0a4c3abc11a61417e36fb0af06dbae4ed7a75a0048d
SHA512 0c43658342db738c91ac0db9dfe59b3931fa7f128e4858ddfd158fb4325ed878ebcab4f0e3399bd08166a03359a0e571c15f436880b4c6e4d6d6a12f15ff9f93

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-03 01:45

Reported

2023-12-03 01:48

Platform

win10v2004-20231201-en

Max time kernel

125s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe"

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe

"C:\Users\Admin\AppData\Local\Temp\49147ecaa6fb80734284257327e1f47f18914d5db04487f7c83490872a8e34e3.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\smqpn4nb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES472C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC472B.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\smqpn4nb.cmdline

MD5 0d7e551e7ac61c0720be05ab98b1922e
SHA1 82856a204b0c3cbd8b92606a5cb1d51073f54ed1
SHA256 454d586c983fdf48b88eee9eaac5be6428ae4987c4e25535cff25b84e157cabf
SHA512 f5c1dcd1341c402c931ece3b282905d45006fc1465e9ae4f69e2d288a3d2532a00fbb940d3412920633032e133e31e3e27859a9cabf9f9ca33fc160cac5fe1ef

\??\c:\Users\Admin\AppData\Local\Temp\smqpn4nb.0.cs

MD5 ba117d63a3bf320357cf8abea2cb56b9
SHA1 97d6df9ab0ddde6e876959fe6d0c82bad734b5d3
SHA256 0747faa411d2398307705f3d746fab81ec4e7c3245db4f225256f7a93cd77de4
SHA512 d4057734d9a427dd74eb073c030bb27b9f2545b2323cff4281cdf8453fcb07603af7afc107ed66c307298c05720b3178bedfc6554ebf85567da4563e1994c608

\??\c:\Users\Admin\AppData\Local\Temp\CSC472B.tmp

MD5 98b83e5d477de7108d38a0bb6b967f98
SHA1 a99f96b4d2b0d246ad82b138beae7c3b72268a83
SHA256 551427bec4bb717fcd0a335ad721c24497342027c012896c5f1adcde6fa6b2de
SHA512 c55d7ea75f2c8d06d11f5c7c0089ed1c4c4577226adddcdd6ccee7c8c6fcc53ac5d3c9ad6e7c7c37ebf798b5cf189e3c6ddf949c0937dd9d44d214aa25075175

C:\Users\Admin\AppData\Local\Temp\RES472C.tmp

MD5 0f607b834bf97c26cfdd65a27c34d7db
SHA1 4081f1f985a40c743acdc0dadac8f6efb00f008a
SHA256 3b8b0fdd694a0bcf9d809761c8e5ed3c91d908918cbf082aa32f937de059ee43
SHA512 c46d0080f002f768855d5524dae92e0cb7d9f63c5e9df45b65b1a9f27a625d56a7b644b78197290d9f4e70f8892581c6be61fdd9da53137091a9cc03c9cf2a05

C:\Users\Admin\AppData\Local\Temp\smqpn4nb.dll

MD5 43ca772ec50b60e47fdafbcad80e8178
SHA1 6779e3dfce0a69a9f390360e7a055af0faf779f5
SHA256 4a5b68f2c20ab5936987d358c37d30f5629fb47cc93e7367da1be09eca3b9099
SHA512 ce7adfbd9d31731f7adb96052ea9af5d63172a1baa28e9bfdb6e528316ce130f1e0341239fe9144faba3ff04e90a5625ce08c3586f352e93f6cc0eba596a13b2
