Malware Analysis Report

2025-03-15 06:54

Sample ID 231219-zknyvsggbp
Target 9992991f54a15fc3e0daf8de84e35eef
SHA256 15f9190e9c25f38ff2be49c72427e1a08e79a612f6d2b288a56a621cd6ff91d0
Tags
orcus persistence rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

15f9190e9c25f38ff2be49c72427e1a08e79a612f6d2b288a56a621cd6ff91d0

Threat Level: Known bad

The file 9992991f54a15fc3e0daf8de84e35eef was found to be: Known bad.

Malicious Activity Summary

orcus persistence rat spyware stealer

Orcus

Orcurs Rat Executable

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-19 20:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-19 20:46

Reported

2023-12-20 03:20

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\"" | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File opened for modification | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File created | C:\Program Files (x86)\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2384 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2384 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2384 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 4492 wrote to memory of 2784 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4492 wrote to memory of 2784 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4492 wrote to memory of 2784 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2384 wrote to memory of 3096 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 2384 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 2384 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 2384 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Program Files (x86)\Orcus\Orcus.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe

"C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wagenvtb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES511E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC511D.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp

Files

memory/2384-0-0x0000000000BD0000-0x000000000157C000-memory.dmp

memory/2384-1-0x000000007F850000-0x000000007FC21000-memory.dmp

memory/2384-2-0x0000000074620000-0x0000000074BD1000-memory.dmp

memory/2384-3-0x0000000074620000-0x0000000074BD1000-memory.dmp

memory/2384-4-0x0000000004030000-0x0000000004040000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wagenvtb.cmdline

MD5 e0481a9ee36fc269a8b5cab630105c33
SHA1 114ca380a5df82412ae0326dbba0df63df71f9b7
SHA256 176f992814e25bc3283152b67c015e8afab857c98d4d70d0bb75dffaef8e0e06
SHA512 adcde7bc21e85d0ff8b67501e971f6ab466e640534b3bb51a25f38354ee39d28fd3c28a1699292ad992dab06ed8c4a15add42dc22d2edab1825907b5b426d136

memory/4492-12-0x00000000005F0000-0x0000000000600000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wagenvtb.dll

MD5 2bf5a4f2904385d9fde1764ff7dc0819
SHA1 439cbaf5d2a9829db3439647dacf0dd3443ed9d2
SHA256 cc860282f72c92d24de576fdb3c48dc6669f75786277307e2517b2c558223584
SHA512 04d07c6c6d564b9bef552c48633905091c5a9b7548c94b09a47d33a4d223ea37f7a6780eb1b5154ed26c7e243dee1727cde41a840297994b000f40932d4c0cec

C:\Users\Admin\AppData\Local\Temp\RES511E.tmp

MD5 c13df434928108cfbb69c32b68c573f0
SHA1 9a501efdc267d0c965815ce21e6cc4953faaa648
SHA256 025466ef14da6191cfd73ef46b61631510b72e116ead3dbc08b345c7dd757ed8
SHA512 94710b7f8954cdd6babc31365ef4671275a2e010443edaf9bf809c690ccbcda7d4aa136eef59be898633b336f1cf7f5a361f4474f1e3738fd9cc5a6a565b3b98

\??\c:\Users\Admin\AppData\Local\Temp\CSC511D.tmp

MD5 0e3ac26632cde6546c47916d0be0e43e
SHA1 575636e811eea29b8f090f9916716704efbe1a95
SHA256 b293b8d083dd5027a6b5cd1a45fa630e02732464eb3ecdb26d86dd776ded2918
SHA512 19bae0a90b8fc07c544ee3b973243183aacb633d9d6266924f3af4042480890993cb17887998bc3cd1e5ba9659c2e736b48e1b5bb9cb62052f2dfa2fce548715

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/3096-34-0x0000000000B20000-0x0000000000B2C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wagenvtb.0.cs

MD5 9db0bb94a2379f06600d303609896397
SHA1 b6fccf69540d7671e16d73aaf8ea418f793ac15c
SHA256 8db0a6108ed3236c27fd157562baa803c6674715106fc26bd69eb0e18ec28560
SHA512 572c979c52c1e5c2cfaef757de123e8d160286fa95804dde478a8d17552e966c704434eaf542928b6fd1ed6ccafef904714361e2e6456997ce2847056cd94ac9

memory/3096-38-0x000000001B8A0000-0x000000001B8B0000-memory.dmp

memory/3096-37-0x0000000002C10000-0x0000000002C4C000-memory.dmp

memory/3096-35-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

memory/3096-36-0x00007FFBE8E90000-0x00007FFBE9951000-memory.dmp

memory/3096-42-0x00007FFBE8E90000-0x00007FFBE9951000-memory.dmp

memory/4760-44-0x00007FFBE8E90000-0x00007FFBE9951000-memory.dmp

memory/4760-45-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/4760-46-0x000000001A220000-0x000000001A32A000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 7cb552ff0a0717b7a4745f32fc705bf6
SHA1 03d3c4d5577a6e0bb1ef01e0366f03e6d0074d60
SHA256 0e31960ffb872243faeb750d7ad4a1f3d320493ca818986283551d8d15eaba07
SHA512 0e40d5d1d4b9741f0d02d4b1162f7bcd571c3f9dfa7e29ad75e5e5475209df44f0249c7fe0fc18c9171466000da9601e72e0de749ba88d8fcbf6595ff75f8d22

memory/4504-58-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/2384-57-0x0000000000BD0000-0x000000000157C000-memory.dmp

memory/2384-62-0x0000000074620000-0x0000000074BD1000-memory.dmp

memory/2384-61-0x000000007F850000-0x000000007FC21000-memory.dmp

\??\c:\program files (x86)\orcus\orcus.exe

MD5 3ccdb088d0675ca147666aa5471996b3
SHA1 88228a117978c84fedf2d8baa84eed306895f57c
SHA256 53db1ef93170770c7113c3e0a5e04164af2a297eb2f20545e6815ca9d9b9b93d
SHA512 5db4120deded0368b1add480a3a068d286f60d36a005d14988c00e382cab3b25f48480043985dac2d407bd8cc16d1819f2a048cc09b789aaffdd834ba11a8030

memory/4504-64-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/4504-65-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-59-0x000000007ECE0000-0x000000007F0B1000-memory.dmp

memory/4504-66-0x00000000067A0000-0x00000000067B0000-memory.dmp

memory/4504-68-0x00000000066F0000-0x000000000674C000-memory.dmp

memory/4504-69-0x0000000006D60000-0x0000000007304000-memory.dmp

memory/4504-70-0x0000000006850000-0x00000000068E2000-memory.dmp

memory/4504-67-0x00000000039F0000-0x00000000039FE000-memory.dmp

C:\Program Files (x86)\Orcus\Orcus.exe

MD5 a8613d7b039f7ef48427b7c3c603912b
SHA1 0e5058bea6b5d249410be9066903197c5405be50
SHA256 fe11f1adfe9f7f98fd19f671ec842db2e96ae5cb357ba62031a63a40a993eece
SHA512 c26cb1c47b60e499ab6843fd944086f80813f5740688fe0ed9ae2d97f34030fe248a306d7591f32e9d76003534e1f36bc5512c8787226c8ab14072188142a19f

memory/4504-74-0x0000000007570000-0x0000000007588000-memory.dmp

memory/4504-75-0x0000000007840000-0x0000000007850000-memory.dmp

memory/4504-73-0x00000000075A0000-0x00000000075C2000-memory.dmp

memory/4504-76-0x0000000007B30000-0x0000000007B3A000-memory.dmp

memory/4504-72-0x0000000007510000-0x000000000755E000-memory.dmp

memory/4504-71-0x0000000006D30000-0x0000000006D42000-memory.dmp

memory/4760-77-0x00007FFBE8E90000-0x00007FFBE9951000-memory.dmp

memory/4504-78-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4760-79-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/4504-80-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-81-0x000000007ECE0000-0x000000007F0B1000-memory.dmp

memory/4504-82-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-83-0x0000000074430000-0x0000000074BE0000-memory.dmp

memory/4504-84-0x00000000067A0000-0x00000000067B0000-memory.dmp

memory/4504-85-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-86-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-87-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-88-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-89-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-90-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-91-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-92-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-93-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-94-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-95-0x0000000000B60000-0x000000000150C000-memory.dmp

memory/4504-96-0x0000000000B60000-0x000000000150C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-19 20:46

Reported

2023-12-20 03:21

Platform

win7-20231215-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (17 identical rows)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\"" | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Orcus\Orcus.exe.config | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File created | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
File opened for modification | C:\Program Files (x86)\Orcus\Orcus.exe | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | N/A
N/A | N/A | C:\Program Files (x86)\Orcus\Orcus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1700 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1700 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1700 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1700 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2292 wrote to memory of 2824 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2292 wrote to memory of 2824 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2292 wrote to memory of 2824 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2292 wrote to memory of 2824 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1700 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1700 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1700 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1700 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Windows\SysWOW64\WindowsInput.exe
PID 1700 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 1700 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 1700 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Program Files (x86)\Orcus\Orcus.exe
PID 1700 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe | C:\Program Files (x86)\Orcus\Orcus.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe

"C:\Users\Admin\AppData\Local\Temp\9992991f54a15fc3e0daf8de84e35eef.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hbgbpe7o.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6884.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6883.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Program Files (x86)\Orcus\Orcus.exe

"C:\Program Files (x86)\Orcus\Orcus.exe"

Network

Country | Destination | Domain | Proto
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp
NL | 74.118.139.67:10134 | | tcp

Files

memory/1700-0-0x0000000000BA0000-0x000000000154C000-memory.dmp

memory/1700-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1700-2-0x0000000074790000-0x0000000074D3B000-memory.dmp

memory/1700-3-0x0000000074790000-0x0000000074D3B000-memory.dmp

memory/1700-4-0x0000000003070000-0x00000000030B0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\hbgbpe7o.cmdline

MD5 28202fb3e4b1689d89573d5a66275bbe
SHA1 d0c278dc84696fd1783c930d82305c6fd216d4db
SHA256 800348015f7c33914e074c9e1e89e562ca0ce9543a963919b0ec8a79d6595607
SHA512 62ffb7aee70208a76dc5582e090b1a219c3d89667c9f8a985bc53aaf56f394c515a892e08bee38dfe2ab374e3c6e8a6ab1728834cb5a989f54d2ff8e192d6ed5

\??\c:\Users\Admin\AppData\Local\Temp\hbgbpe7o.0.cs

MD5 5419e7090f36e546edcfff8b0694aa9e
SHA1 b20403cd135a3f3b23cbe23e7d02d01c44a6c35e
SHA256 beb95ac3efb50bbcaa0e7332ec7e032e0059c59e94e4859ca88406fc0ce2a28d
SHA512 e9a3e5af22d30242c6cc302ee71ab0237601f02b38f4d12c3b24214c555a287b1d7ca0508010dfdf92f528d578820aa5191b08d20024836821d13c03a4a42a16

memory/2292-10-0x00000000005D0000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES6884.tmp

MD5 cd30f3e60b3e8ca9c7fc3083866af745
SHA1 a86cf770d09bd288ca16b14fa733512a2bf5759b
SHA256 931488891b65eca52ce4bcbe0c2b9d264e1204c3db628870005716d6358a8d04
SHA512 3647afe9b8d18a8810572baf981a3820bed446174b624f310941eef4da0f281bd3aac050b990e093a47e63d15ff176556a83e07c6d75246eaed9f4bed6c5d9f8

\??\c:\Users\Admin\AppData\Local\Temp\CSC6883.tmp

MD5 45daee0ce993b8d9749dabd87c61ed00
SHA1 e004434d8814cf52c0f695360ef35765113245dd
SHA256 f9c7eccab8d7eedf76da66f8b0752cb8acf81917e4e70125d666a32afcaab3b0
SHA512 5cf1dde386d19e9c7685b3e8c4de226b034546f8f24be5bb4220a67abf4a8ba5d437a7f63b4a99c24db5578ab11bfe6ec214527ceb8c6963cd3b24e7adaa5c93

C:\Users\Admin\AppData\Local\Temp\hbgbpe7o.dll

MD5 dcd7f308183c3ee9029b73859a9ade71
SHA1 0f71b1674fa16a028b39fe9e10137351dd0ae6f9
SHA256 5305ce5b26a429583b6e5fd4f13f548fe7d20d250d53683ab2260fa9504f6c6b
SHA512 43ebae5d42eee4238b2da6227e81f45c2e0e87b48759fcc8c56f4da740e41c69be74f90d8cdcdeb6aa41c2f8c5f6a1c14d55fa5fdc134b4410bd118ccc7f214a

\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2080-27-0x0000000000890000-0x000000000089C000-memory.dmp

memory/2080-28-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2080-29-0x000000001B250000-0x000000001B2D0000-memory.dmp

memory/2080-32-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2552-34-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

memory/2552-35-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

memory/2552-36-0x00000000197A0000-0x0000000019820000-memory.dmp

\Program Files (x86)\Orcus\Orcus.exe

MD5 9992991f54a15fc3e0daf8de84e35eef
SHA1 9391ce360dd1505375a85eab1b1d313620e921d1
SHA256 15f9190e9c25f38ff2be49c72427e1a08e79a612f6d2b288a56a621cd6ff91d0
SHA512 085702ed040a9c6b9f1d22a9d1f18af2e5da39acdf46846e30873dccd223f0b5791b933067326c55f1889534536cd0f27433d767e9563aa1305c06a037009dba

memory/1700-45-0x0000000007050000-0x00000000079FC000-memory.dmp

memory/1700-46-0x0000000000BA0000-0x000000000154C000-memory.dmp

memory/2540-48-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-49-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/1700-50-0x0000000000BA0000-0x000000000154C000-memory.dmp

memory/1700-53-0x0000000074790000-0x0000000074D3B000-memory.dmp

memory/1700-52-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2540-55-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-54-0x0000000073F60000-0x000000007464E000-memory.dmp

memory/2540-56-0x0000000003540000-0x0000000003580000-memory.dmp

memory/2540-57-0x00000000005A0000-0x00000000005AE000-memory.dmp

memory/2540-58-0x0000000002EF0000-0x0000000002F4C000-memory.dmp

memory/2540-59-0x0000000000D00000-0x0000000000D12000-memory.dmp

memory/2540-60-0x0000000002FF0000-0x000000000303E000-memory.dmp

memory/2540-61-0x0000000002E70000-0x0000000002E88000-memory.dmp

memory/2540-62-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/2552-63-0x000007FEF4E50000-0x000007FEF583C000-memory.dmp

memory/2540-64-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2552-65-0x00000000197A0000-0x0000000019820000-memory.dmp

memory/2540-66-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-67-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-68-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

memory/2540-69-0x0000000073F60000-0x000000007464E000-memory.dmp

memory/2540-70-0x0000000003540000-0x0000000003580000-memory.dmp

memory/2540-71-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-72-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-73-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-74-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-75-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-76-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-78-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-79-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-80-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-81-0x00000000010C0000-0x0000000001A6C000-memory.dmp

memory/2540-82-0x00000000010C0000-0x0000000001A6C000-memory.dmp