Malware Analysis Report

2025-03-15 06:51

Sample ID 240101-ytnh1shbdq
Target 3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe
SHA256 3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac
Tags
orcus
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac

Threat Level: Known bad

The file 3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe was found to be: Known bad.

Malicious Activity Summary

orcus

Orcus family

Orcurs Rat Executable

Orcus main payload

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-01 20:04

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-01 20:04

Reported

2024-01-01 20:08

Platform

win7-20231215-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe

"C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sskaii2y.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4C6B.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 openport.io udp
NL 95.85.25.182:20910 openport.io tcp

Files

\??\c:\Users\Admin\AppData\Local\Temp\sskaii2y.cmdline

MD5 cc111fc66a323ce1481e4e714a8a7ef5
SHA1 fd859cb0268fb069c7e2250357acab9a71a7dc23
SHA256 0209f07c3a8b67b6c51e68f2d3afbba50d1a66e7d863968a1c203c84bcab8609
SHA512 20f5e3d28091391dc8ebaf00399dad5fc030661b4f5e5bc9fa0e154a788392bdda6f1717ea9ed5dfff02082d8bfa8a42f7c96bfdcd5c82c81f89116a6e4cc47a

\??\c:\Users\Admin\AppData\Local\Temp\sskaii2y.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
SHA512 bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

C:\Users\Admin\AppData\Local\Temp\RES4C6C.tmp

MD5 3f60e051933039a27b5d955c95f364f3
SHA1 3aa4033176119a90ad11aed7f33ff1628f376b03
SHA256 db16b5c8d25e652438e85bc2caa4e019ff00f9e3605db0ce7f3f6de3cee1217b
SHA512 5eeb08ae525d9ee1051f7a641bafa039284f2af9c9b0198536475332f8f5516a6b3ff3ecf7bdac0a790dcc17835ec73d91d7d8931dc929762dfac38257ee89e4

C:\Users\Admin\AppData\Local\Temp\sskaii2y.dll

MD5 5dbe7a4bc03081c5db603196f87d21f6
SHA1 9db2ef5c9da93a59760b5fa543bd82a2bb9d0792
SHA256 8b49a76a1d62d1dfcf73ca41b0197d1c0bd30fc7ac270ef84fabe68ac2d8438d
SHA512 6917d25d369b5ce5e358140b0e857724b07f28fe9edb05c7727a02ba776318d498d55c4fc8fda2a9e8ff0c061768264e0e04254f0c609dc4cdb20c019677e4cf

\??\c:\Users\Admin\AppData\Local\Temp\CSC4C6B.tmp

MD5 7d3bc847293b70fc2992bf687ebe227f
SHA1 648476b97c3222656c7a572454d654541eb44bcf
SHA256 4950af8469c8567a404859ee994bf6930d6d1f0207ec59f218ce2ece4317ac9c
SHA512 bf168a0a8afc3b29c4583726c440e881af969df078ef60eb1f68021f8e063fa5eacf1ee3a0e4f45463afb6340c4402b35d8cc5935ef3a3ed8b6b96efcb935662

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-01 20:04

Reported

2024-01-01 20:07

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe"

Signatures

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe

"C:\Users\Admin\AppData\Local\Temp\3fa94387a1ff3c76b7b414cfb51457e28ac0493c1de2739d6c39e37e9602deac.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\go8qepon.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF379.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF378.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 53.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
IE 20.54.110.119:443 tcp
NL 95.85.25.182:20910 tcp
US 8.8.8.8:53 udp
N/A 20.123.104.105:443 tcp
N/A 20.73.194.208:443 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FR 2.18.109.167:443 tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 104.77.160.28:80 tcp
US 52.111.229.19:443 tcp
FR 2.18.110.57:80 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
N/A 52.165.165.26:443 tcp
N/A 4.231.128.59:443 tcp
N/A 51.104.136.2:443 tcp
PH 23.37.1.183:80 tcp
GB 96.17.179.68:80 tcp
GB 96.17.179.75:80 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp

Files
