Malware Analysis Report

2025-03-15 06:53

Sample ID 231208-ct5lmsgg25
Target b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4
SHA256 b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4
Tags
orcus
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4

Threat Level: Known bad

The file b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4 was found to be: Known bad.

Malicious Activity Summary

orcus

Orcurs Rat Executable

Orcus family

Orcus main payload

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-08 02:23

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 02:23

Reported

2023-12-08 02:25

Platform

win7-20231023-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe

"C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cspxp0db.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES43F4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC43F3.tmp"

Network

N/A

Files

memory/2580-0-0x0000000000CD0000-0x0000000000D2C000-memory.dmp

memory/2580-1-0x0000000000280000-0x000000000028E000-memory.dmp

memory/2580-2-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

memory/2580-3-0x0000000000B50000-0x0000000000BD0000-memory.dmp

memory/2580-4-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\cspxp0db.cmdline

MD5 bb018212f5c99c26e63fd1c312de08ff
SHA1 03627483e677f84d398981d5bf7815675f2aade7
SHA256 8018c137be52002dd9acfc4b7c50424402b59d645d6beaa94154c24f246b8d94
SHA512 e540a3091f8a722de8f4704829fd783f37973b1a6a2ea682383ed3452cee6aa1a6943f003c74de48c6a37902c7abf694ff9c76d8228c1f6928d0be5b73d956d5

\??\c:\Users\Admin\AppData\Local\Temp\cspxp0db.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
SHA512 bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

C:\Users\Admin\AppData\Local\Temp\RES43F4.tmp

MD5 acc7baab20125903483bf033c0d3b5d8
SHA1 63bcbe73243dfcebad2d71c85e87d039fcdf2652
SHA256 3c9384ac89a1a99ef148f2a161c3d9842f421c70cb64bce65c4d19f545a04bf0
SHA512 c9a20e6e6c925cbab5e5a6711f678e3aa1c4418803f7822830a9ffa64500bef8ddc6c0f25a630096b0fb335af94f281828ab177497de6e1b64d5799aac997ff9

memory/2580-17-0x0000000001030000-0x0000000001046000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cspxp0db.dll

MD5 13e48cbbc99ecd216989ee199add48ce
SHA1 087d9e2ecb0be81e273d3cda5c0f6153ba6969e0
SHA256 15cafa6239cb97219c2e57ecb32d6389a736cfe0c1ee26fd3d43a4243b759de6
SHA512 e106a96dfc7418fd87fd2b30e80b578e97abd4a2b32781a71d9bfa4b37237dec6d78ad7ad503b4e3247554f83bd9163481886fbe217b8a8d1d7fb2628aad96df

\??\c:\Users\Admin\AppData\Local\Temp\CSC43F3.tmp

MD5 3745bd343e1866bf5ab0b9fa883f601c
SHA1 c83e485074463124c223d1f1654148c9953219e7
SHA256 8027bdd42e9d04c30ac3c43e60a2e22e0145f236261c7a40764724457b04115e
SHA512 ef1724356be9b71badea98d131ea99764d5ea9fb677bc23c716f3dba2d28d87f33850069342b7250da4f3840db599869bfad80698ca083d85418716dfe0d3fa7

memory/2580-19-0x00000000002A0000-0x00000000002B2000-memory.dmp

memory/2580-20-0x0000000000B50000-0x0000000000BD0000-memory.dmp

memory/2580-21-0x000007FEF5BA0000-0x000007FEF653D000-memory.dmp

memory/2580-22-0x0000000000B50000-0x0000000000BD0000-memory.dmp

memory/2580-23-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-08 02:23

Reported

2023-12-08 02:25

Platform

win10v2004-20231127-en

Max time kernel

139s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe"

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe | N/A
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe

"C:\Users\Admin\AppData\Local\Temp\b00129319feaa8f96585b492645dce0c1a454f39ba8de6b54edeb816e529d1e4.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\no00bq6b.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A1C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1A1B.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 226.145.62.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 49.86.100.95.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp

Files

memory/4904-0-0x00007FF8F36B0000-0x00007FF8F4051000-memory.dmp

memory/4904-1-0x00007FF8F36B0000-0x00007FF8F4051000-memory.dmp

memory/4904-2-0x0000000001700000-0x0000000001710000-memory.dmp

memory/4904-3-0x000000001BD50000-0x000000001BDAC000-memory.dmp

memory/4904-6-0x000000001BF40000-0x000000001BF4E000-memory.dmp

memory/4904-7-0x000000001C420000-0x000000001C8EE000-memory.dmp

memory/4904-8-0x000000001C990000-0x000000001CA2C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\no00bq6b.cmdline

MD5 592969598f72e9c37e75186bf47763f1
SHA1 682a7259e5cb6d9c6186064173cd734faab136c2
SHA256 f50db4edff5018768cb6da061d70c09e27f3854705502182856797245709086d
SHA512 4737e4b03a4b39d6fd9f38032ed21a9395a38730c2a5f08e58fca62df5aaa69a2513c5b074b1a5face7db9d79fa50c840c0998e47b36dc0e34ea6078b29977b4

\??\c:\Users\Admin\AppData\Local\Temp\no00bq6b.0.cs

MD5 efcf6b91b1437bd6181ff0f908f493e2
SHA1 98f36fb1bd89e15233c455d1bc43b04a14208efd
SHA256 955ec9c67f6f28999cca26269ea6678ed4c8591998b1f184656a92eed151e43c
SHA512 5d28014dba5caedd91ff1b98cf0bc46485061eb974a77985b10a70e63f73cf215ecf9c93b772f6763f01052dec9e9264db5676b750108ada8a20ef3665b8e315

memory/4568-14-0x00000000009F0000-0x0000000000A00000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC1A1B.tmp

MD5 3084b92b6411449fcc69a03a76d37a42
SHA1 63888f96134efd4764e068dbbf68659cb40114a2
SHA256 dd2ec0fcb32d80086c2b80ca326e2afd959faa63728192b19ef2fa66af11d4b8
SHA512 ba4f02306560ec3db257ff5395a9917e8102ce49777a6bb4506c47088636c7ccbf2c710c9bf87b55b92a8aedf31cd2f5114ec197a9318377869708d04ce89537

C:\Users\Admin\AppData\Local\Temp\no00bq6b.dll

MD5 895bc5065491b08a8dc49170ed63c058
SHA1 fcc0a53986383a538f3b92fa1d54542f4c8e3a6b
SHA256 0388820770392f185604dec335b23cc07e59c9a7e0833e9e9470e9bdf18563b2
SHA512 2773b52612ea50ffc922a4150c1426831b129374429168c16c7451750425fffdd2144e479f0434341232856b2679abb2b184ee439db5e58459a68d86de66e6ca

memory/4904-22-0x000000001D050000-0x000000001D066000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES1A1C.tmp

MD5 ac1513352a0b8e2e818c6def4e2e25cc
SHA1 80228faac95e583d0b58385f461ff637afde9e89
SHA256 eeb8ae9395782d9965d94a67851c9a5668ab82917ec3c207761caebfe66a87c7
SHA512 7413cb030a3672f3d6b514ac2f97b0e26f73d70fc593d82d185341b0c8ab0ede861d1293a918116cf8e8ba3a2c2179be3492b3ee7e38cef760dcdf09c8e35b1d

memory/4904-24-0x00000000017E0000-0x00000000017F2000-memory.dmp

memory/4904-25-0x0000000001740000-0x0000000001748000-memory.dmp

memory/4904-26-0x0000000001700000-0x0000000001710000-memory.dmp

memory/4904-27-0x00007FF8F36B0000-0x00007FF8F4051000-memory.dmp

memory/4904-28-0x0000000001700000-0x0000000001710000-memory.dmp

memory/4904-29-0x0000000001700000-0x0000000001710000-memory.dmp