Analysis Overview
SHA256
29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f
Threat Level: Known bad
The file 29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f was found to be: Known bad.
Malicious Activity Summary
Orcurs Rat Executable
Orcus family
Orcus main payload
Drops desktop.ini file(s)
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-21 01:41
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-21 01:39
Reported
2023-12-21 01:44
Platform
win7-20231129-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe
"C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1259.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1258.tmp"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vgszjfy_.cmdline"
Network
Files
memory/2364-1-0x0000000000590000-0x000000000059E000-memory.dmp
memory/2364-0-0x0000000002430000-0x000000000248C000-memory.dmp
memory/2364-3-0x00000000020A0000-0x0000000002120000-memory.dmp
memory/2364-2-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\vgszjfy_.0.cs
| MD5 | 2b14ae8b54d216abf4d228493ceca44a |
| SHA1 | d134351498e4273e9d6391153e35416bc743adef |
| SHA256 | 4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c |
| SHA512 | 5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05 |
memory/2224-10-0x0000000002010000-0x0000000002090000-memory.dmp
memory/2364-18-0x0000000002080000-0x0000000002096000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vgszjfy_.dll
| MD5 | 474daa4255af102d7506c999289ebcd2 |
| SHA1 | 6f5a039a9619a088f579625493cb1849ed9da2cd |
| SHA256 | 475710fe8625f24eb67982fbb51d414fb05ba0debf8c5274c1a34a1ea4d52527 |
| SHA512 | dfc349d95a6585b5cea34932761c988b2b2d0096aa1ca2eb2b1a209c0592760228505577e5222b8ccc6c7091695ffb484e28ab2dc28f44fd4f4aba1088ce1ef2 |
C:\Users\Admin\AppData\Local\Temp\RES1259.tmp
| MD5 | c66dba4078446cd540b3c775ed95fd58 |
| SHA1 | f7118153637385c7a08b28170f292cd42ffda614 |
| SHA256 | b38c16ee9501cf86f4720cd9fb84d3bb5a58a6af28b1abaa61372fd1cf894066 |
| SHA512 | fd47547f979a6271a76dc3e149ded1f14bdaf3c8538abe1fd076c79775da7a76a8fb63945a54a485d19b611b9e24aac3162ce74be6b3c439d9dce5d5e34b24c5 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC1258.tmp
| MD5 | d07c0fd1c94bda77072ca64a1f022641 |
| SHA1 | 9cf34a4f366a83ed1396864cd6cd814314ca7a36 |
| SHA256 | a8cebcd14c5560651df5d81b69affab013c7d7e7d587787ac157711592d965c4 |
| SHA512 | c8dd98c1b4a8481c696cd436c3ec2536bfe069cb6a785e4de86b557d6b2784f359b726f221f5b20b31716c09583ab33e705687b0c88d3350f568d0961a2d14b4 |
memory/2364-22-0x0000000002490000-0x0000000002498000-memory.dmp
memory/2364-21-0x0000000002050000-0x0000000002058000-memory.dmp
memory/2364-20-0x00000000005C0000-0x00000000005D2000-memory.dmp
memory/2364-23-0x00000000020A0000-0x0000000002120000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\vgszjfy_.cmdline
| MD5 | c4f2672f769687357e480aeeccaed6d5 |
| SHA1 | aed96767aaf5dc5b04255ea9c0ca789090c3e886 |
| SHA256 | 713f6accaa51bbe8ff5e524ac11ccf58d197d0778cfb9273223ef0ed95e81a2f |
| SHA512 | 74db278be16431d310a99d320a762b42c13520ba7633700cae25e04bf5635fafbe3f2f9a222822ab6c9e0070aea346f0a43f96dd61046c629fb51469c277b96b |
memory/2364-4-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
memory/2364-25-0x00000000020A0000-0x0000000002120000-memory.dmp
memory/2364-26-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-21 01:39
Reported
2023-12-21 01:44
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
158s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3868 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 3868 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 3132 wrote to memory of 3496 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
| PID 3132 wrote to memory of 3496 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe
"C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v1eouood.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES924E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC924D.tmp"
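The process list and the "PID 3868 wrote to memory of 3132" rows above show the pattern that matters for detection: a binary launched from %TEMP% invokes csc.exe (the .NET C# compiler) with a .cmdline response file also in %TEMP%, and csc.exe in turn runs cvtres.exe. This is runtime compilation, and a legitimate build tool almost never has that shape. The following Python check is an added example, not part of the Triage report: it walks a list of process records and flags csc.exe invocations whose parent image or response file lives in %TEMP%, with a cvtres.exe child as supporting evidence. The records for the sandbox run are taken from the behavioral2 Processes section; their parent PIDs are inferred from the WriteProcessMemory rows because the report does not list parent PIDs. The MSBuild control case is constructed. The `Proc` type, `flag_runtime_compile` and the regexes are this example's own names.

```python
"""Flag runtime C# compilation (csc.exe) launched from %TEMP%.

Example code written for this page; not from the Triage report itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches a per-user temp directory in a Windows path.
TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# csc.exe reads its arguments from a response file: @"<path>.cmdline"
RSP_RE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the captured set
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path: str) -> bool:
    return TEMP_RE.search(path) is not None


def flag_runtime_compile(procs: List[Proc]) -> List[Dict]:
    """Return one finding per csc.exe whose parent image or response file
    is in %TEMP%. A cvtres.exe child alone is normal for any compile and is
    only recorded as context."""
    by_pid = {p.pid: p for p in procs}
    children: Dict[Optional[int], List[Proc]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)

    findings = []
    for csc in procs:
        if image_name(csc.image) != "csc.exe":
            continue
        parent = by_pid.get(csc.ppid)
        m = RSP_RE.search(csc.cmdline)
        rsp = m.group(1) if m else None
        reasons = []
        if parent is not None and in_temp(parent.image):
            reasons.append("parent image runs from %TEMP%")
        if rsp is not None and in_temp(rsp):
            reasons.append("response file (.cmdline) in %TEMP%")
        if not reasons:
            continue
        cvtres_child = any(image_name(c.image) == "cvtres.exe"
                           for c in children.get(csc.pid, []))
        findings.append({
            "csc_pid": csc.pid,
            "parent_image": parent.image if parent else None,
            "response_file": rsp,
            "cvtres_child": cvtres_child,
            "reasons": reasons,
        })
    return findings


# Records from the behavioral2 run above; ppid inferred from the
# "PID 3868 wrote to memory of 3132" / "PID 3132 wrote to memory of 3496" rows.
REPORT_PROCS = [
    Proc(3868, None,
         r"C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\29b0d3061b63ff8a4076312152229dbcbad0edb6436c61675fd56d3d1f341c6f.exe"'),
    Proc(3132, 3868,
         r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v1eouood.cmdline"'),
    Proc(3496, 3132,
         r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
         r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES924E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC924D.tmp"'),
]

# Constructed control: a normal build, csc.exe under MSBuild with the
# response file in the project's obj directory. Must not be flagged.
BENIGN_PROCS = [
    Proc(100, None, r"C:\Program Files\dotnet\MSBuild.exe",
         r'"C:\Program Files\dotnet\MSBuild.exe" app.csproj'),
    Proc(101, 100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
         r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig @"C:\src\app\obj\Debug\app.cmdline"'),
]

if __name__ == "__main__":
    for f in flag_runtime_compile(REPORT_PROCS):
        print(f)
    print("benign findings:", flag_runtime_compile(BENIGN_PROCS))
```

On a live host the same logic maps onto Sysmon Event ID 1 (ProcessCreate) fields: ParentImage, Image and CommandLine. The response file named in the command line is also worth collecting before it is deleted; in this run the .cmdline, the generated .cs source and the compiled .dll all appear in the Files section with hashes, which is where the actual payload logic lives.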
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
memory/3868-0-0x00007FFCCF530000-0x00007FFCCFED1000-memory.dmp
memory/3868-1-0x00007FFCCF530000-0x00007FFCCFED1000-memory.dmp
memory/3868-2-0x0000000001020000-0x0000000001030000-memory.dmp
memory/3868-3-0x000000001B630000-0x000000001B68C000-memory.dmp
memory/3868-6-0x000000001B820000-0x000000001B82E000-memory.dmp
memory/3868-7-0x000000001BD00000-0x000000001C1CE000-memory.dmp
memory/3868-8-0x000000001C270000-0x000000001C30C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\v1eouood.cmdline
| MD5 | b4ca297f848bb9667972d51c0c4a4fa8 |
| SHA1 | a127eb123f838395f950dfbbf6253b0653b0ff10 |
| SHA256 | c04b8dc6a3a5f98470aa2428ae1fb276355d8cc4347cb4b2288f4322193056d2 |
| SHA512 | 5b44c23c9913e437084454105ea91df0f281e98983beb44b5f2f9b1a3ee5779fa076656aeaad42915728291c0f0907931a46b15df1815876e7046089b8104077 |
\??\c:\Users\Admin\AppData\Local\Temp\v1eouood.0.cs
| MD5 | 2ac151fe9ab8b0621be93f17e28e6119 |
| SHA1 | ccc16f4aeb3fe8ead22d34e6e44c741db2d57326 |
| SHA256 | b36d9e966fbba94a11a49ba1a5771eff768d80998e363d26772116734b38a6f1 |
| SHA512 | 4f322773d76eaab87bff0db3e559332ef8b7d15fdb6b0e19a3a29eace623c404f0a15d3510082ade993144a9312c2897255befdb6bd2b8d59807b8932318cad0 |
memory/3132-14-0x0000000000990000-0x00000000009A0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC924D.tmp
| MD5 | d6c658f83fbb1c64a404fe073c07e4f3 |
| SHA1 | fc20d6a2f747683afe2d5b50d6c6170c3caf2de0 |
| SHA256 | 1d48ea191d38a8b3f160b009c0229e06a9512fce424e30261d1d9966298b1eeb |
| SHA512 | 38b1773ac3363288e55697f9b9850cf1579f5dacce1aa9731ac8728e19bc64dd113562b8f9b714436241bcbb0f29ef8231bda3c386c2cdf89527bfa5764e1e8b |
C:\Users\Admin\AppData\Local\Temp\RES924E.tmp
| MD5 | 11dd445a830b8b4328e6ece1450a4f12 |
| SHA1 | 7d5c6155420c8e1169fca539ec91a7c8207ad27f |
| SHA256 | db2151da9026bae171743f20ac39420d65ee6071fe648d1b58d599d2c527f4ba |
| SHA512 | 64083ed369a727f991e4c48843a25cb8f2ea9bc57dc1f73b19e8d967be506336a2dbc6ca3e556fc0b0cbf3d1dab9f2270ed200896c4a9cdcfd1db758a5e17270 |
memory/3868-22-0x000000001C930000-0x000000001C946000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\v1eouood.dll
| MD5 | 22ce387f7ac3f675674f3151e12193f1 |
| SHA1 | 4aa5379e2049b67e8487af87a106974c59535140 |
| SHA256 | 16ea919a00fd395a1ab050eaa453628729c4815d9e557a83f1366eb332ed4b13 |
| SHA512 | 8f43640d639f832ee3dd826497355040ddd4af35253cc5409cd474f997f5d909545f2e1c6afb98eb18857df2f100536645559c1ea0aa7f6b7052f11fd70f9e50 |
memory/3868-24-0x000000001B590000-0x000000001B5A2000-memory.dmp
memory/3868-26-0x000000001B620000-0x000000001B628000-memory.dmp
memory/3868-25-0x000000001B500000-0x000000001B508000-memory.dmp
memory/3868-27-0x000000001CD20000-0x000000001CD82000-memory.dmp
memory/3868-28-0x000000001D680000-0x000000001DC3A000-memory.dmp
memory/3868-29-0x000000001DC40000-0x000000001DD30000-memory.dmp
memory/3868-30-0x000000001CE80000-0x000000001CE9E000-memory.dmp
memory/3868-31-0x000000001DD40000-0x000000001DD89000-memory.dmp
memory/3868-32-0x0000000001020000-0x0000000001030000-memory.dmp
memory/3868-33-0x000000001DE20000-0x000000001DE90000-memory.dmp
memory/3868-34-0x0000000001020000-0x0000000001030000-memory.dmp
memory/3868-36-0x000000001C3B0000-0x000000001C3B8000-memory.dmp
memory/3868-37-0x00007FFCCF530000-0x00007FFCCFED1000-memory.dmp
memory/3868-38-0x0000000001020000-0x0000000001030000-memory.dmp
memory/3868-39-0x0000000001020000-0x0000000001030000-memory.dmp
memory/3868-40-0x0000000001020000-0x0000000001030000-memory.dmp