Malware Analysis Report

2025-03-15 06:51

Sample ID 240101-ytc3aahbcr
Target 3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe
SHA256 3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac
Tags orcus
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac

Threat Level: Known bad

The file 3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe was found to be: Known bad.

Malicious Activity Summary

orcus

Orcurs Rat Executable

Orcus family

Orcus main payload

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-01 20:04

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-01 20:04

Reported

2024-01-01 20:07

Platform

win7-20231215-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe

"C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0v9qafiv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES424F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC424E.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 openport.io udp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp

Files

memory/2968-1-0x0000000000940000-0x000000000094E000-memory.dmp

memory/2968-0-0x000000001AFB0000-0x000000001B00C000-memory.dmp

memory/2968-3-0x0000000000510000-0x0000000000590000-memory.dmp

memory/2968-2-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

memory/2968-4-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

memory/2968-17-0x000000001B020000-0x000000001B036000-memory.dmp

memory/2968-21-0x000000001B010000-0x000000001B018000-memory.dmp

memory/2968-20-0x00000000020B0000-0x00000000020B8000-memory.dmp

memory/2968-19-0x00000000009F0000-0x0000000000A02000-memory.dmp

memory/2968-22-0x0000000000510000-0x0000000000590000-memory.dmp

memory/2968-24-0x0000000000510000-0x0000000000590000-memory.dmp

memory/2968-25-0x000000001B0A0000-0x000000001B0B8000-memory.dmp

memory/2968-27-0x0000000000510000-0x0000000000590000-memory.dmp

memory/2968-26-0x0000000002050000-0x0000000002060000-memory.dmp

memory/2968-29-0x0000000000510000-0x0000000000590000-memory.dmp

memory/2968-28-0x000007FEF57A0000-0x000007FEF613D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-01 20:04

Reported

2024-01-01 20:07

Platform

win10v2004-20231215-en

Max time kernel

172s

Max time network

186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe"

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe

"C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7yg1tqru.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFC42.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 49.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 openport.io udp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
NL 95.85.25.182:20910 openport.io tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
NL 95.85.25.182:20910 openport.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
NL 95.85.25.182:20910 openport.io tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
NL 95.85.25.182:20910 openport.io tcp
US 8.8.8.8:53 150.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp
NL 95.85.25.182:20910 openport.io tcp

Files

memory/3952-0-0x00007FF8BCC30000-0x00007FF8BD5D1000-memory.dmp

memory/3952-1-0x00007FF8BCC30000-0x00007FF8BD5D1000-memory.dmp

memory/3952-2-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

memory/3952-3-0x000000001B410000-0x000000001B46C000-memory.dmp

memory/3952-6-0x000000001B500000-0x000000001B50E000-memory.dmp

memory/3952-7-0x000000001BAF0000-0x000000001BFBE000-memory.dmp

memory/3952-8-0x000000001C060000-0x000000001C0FC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\7yg1tqru.cmdline

MD5 bc12ecd53fc0136bd27eeccfd2209480
SHA1 54b0dae07ea7e500ac21e093aa69bde802497c1c
SHA256 827ce107c126e8c10348c01bce7c3d36bfdb27ed8587a977c4d9aca2ebf3f424
SHA512 ce759e1390b666cfb0a0749ee15da6bddf6a8fc257e8d5e2c19197eed3f22cf52973a092adcc8caa865df68a99ae3be2d20feb4d9f115ad7f8391cf82a084637

\??\c:\Users\Admin\AppData\Local\Temp\7yg1tqru.0.cs

MD5 dea383b3c8a377d743512736f9f4b9d1
SHA1 c6df4eb9698e8fa0173f1226459b2efb56928d13
SHA256 4f262123b5433f5389f86282c41c5932ef897dffdbb033616954bee77aeae03a
SHA512 43166c19d2fdf29cc2656289f6835224c085d570d119a5359002bb924edac25a2957e68a236da0fdb09dd3917d4c57dbbb040b2cd07b3dc848fb3fde95c8fbc4

memory/1232-14-0x0000000002380000-0x0000000002390000-memory.dmp

memory/3952-22-0x000000001C710000-0x000000001C726000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7yg1tqru.dll

MD5 1e7af68aa0ab176a0962074eb83259b2
SHA1 7bf984ff0856ecd4ce7e905a964580ece2dc700b
SHA256 1f510f3d02fe467785e8c12c4786b9e62a1079194da2de558bef11e2e070ab03
SHA512 7ca8b4f3e0c7c53d488aab5cb42e88fa92c98f07c2c10f9849853cd5322f1fcf402a13283ddd8752486127a6526e10a67b1d531f64ef7f03f7e03e4213970386

C:\Users\Admin\AppData\Local\Temp\RESFC43.tmp

MD5 b574f85dafe903e030eb76e13360edd5
SHA1 cccf987b6ed36fd33650f80aff9bcdd1a4c7b0a8
SHA256 7ffd8fb6bce005914bf3218c4543706ec6e325935c028f1b39b1f73deebb24c2
SHA512 a0a69c382acbe95997ffab887a31b82cff4e676ef8cc5b56b7e68d1da034d6c3b3515b64d4f1579626dc3a6e6277f3dec21a66d25ef0678b8435ba5f3847c837

\??\c:\Users\Admin\AppData\Local\Temp\CSCFC42.tmp

MD5 6bde3e6306b0fa8c9f81789346d09f67
SHA1 7bc81e285b22339d118826931e26b0fce2acedfe
SHA256 30a3425948788875e33f1cf5297c6810d53a5e471d06e4e51905e15e229e6cbb
SHA512 e003864524182d14724558dd34d49e19190c82ffcfab3e3a711af123bf502634d63875a762047cdedcc0f0b33d9fa5d6a853c14bd9d9700ab13196e9352b6152

memory/3952-24-0x0000000000E30000-0x0000000000E42000-memory.dmp

memory/3952-26-0x000000001B400000-0x000000001B408000-memory.dmp

memory/3952-27-0x000000001CB00000-0x000000001CB62000-memory.dmp

memory/3952-25-0x0000000000E10000-0x0000000000E18000-memory.dmp

memory/3952-28-0x000000001D460000-0x000000001DA1A000-memory.dmp

memory/3952-30-0x000000001CC60000-0x000000001CC7E000-memory.dmp

memory/3952-29-0x000000001DA20000-0x000000001DB10000-memory.dmp

memory/3952-31-0x000000001DB20000-0x000000001DB69000-memory.dmp

memory/3952-32-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

memory/3952-33-0x000000001DC00000-0x000000001DC70000-memory.dmp

memory/3952-34-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

memory/3952-36-0x000000001DEB0000-0x000000001DEC8000-memory.dmp

memory/3952-37-0x0000000000DF0000-0x0000000000E00000-memory.dmp

memory/3952-38-0x000000001CC90000-0x000000001CC98000-memory.dmp

memory/3952-39-0x00007FF8BCC30000-0x00007FF8BD5D1000-memory.dmp

memory/3952-40-0x00007FF8BCC30000-0x00007FF8BD5D1000-memory.dmp

memory/3952-41-0x0000000000EE0000-0x0000000000EF0000-memory.dmp

memory/3952-42-0x0000000000EE0000-0x0000000000EF0000-memory.dmp