Malware Analysis Report

2025-03-15 06:52

Sample ID 231221-b3dnvahfh9
Target 29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f
SHA256 29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f
Tags
orcus
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f

Threat Level: Known bad

The file 29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f was found to be: Known bad.

Malicious Activity Summary

orcus

Orcurs Rat Executable

Orcus family

Orcus main payload

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-21 01:41

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-21 01:39

Reported

2023-12-21 01:44

Platform

win7-20231129-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe

"C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1259.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1258.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vgszjfy_.cmdline"

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-21 01:39

Reported

2023-12-21 01:44

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe"

Signatures

Drops desktop.ini file(s)

Description: File created
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe
Target: N/A

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\Windows\assembly
Process: C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe
Target: N/A

Description: File created
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe

"C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v1eouood.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES924E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC924D.tmp"

Network


Files
