Analysis Overview
SHA256
1cd1f7fff33ed742cd3e44b5db696c9081f0452405f2ab33850e0a953e1e5f0e
Threat Level: Known bad
The file BE6A2EB19719C11F1AAC7A06FC5301DF.exe was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcus RAT Executable
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-25 11:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-25 11:21
Reported
2023-12-25 11:23
Platform
win7-20231215-en
Max time network
133s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| HK | 45.204.82.103:6606 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-25 11:21
Reported
2023-12-25 11:23
Platform
win10v2004-20231215-en
Max time kernel
60s
Command Line
Signatures
Orcus
Orcus RAT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BE6A2EB19719C11F1AAC7A06FC5301DF.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\BE6A2EB19719C11F1AAC7A06FC5301DF.exe
"C:\Users\Admin\AppData\Local\Temp\BE6A2EB19719C11F1AAC7A06FC5301DF.exe"
Network
Files