Malware Analysis Report

2025-03-15 06:51

Sample ID 240104-h122zsddh8
Target 403990c6cbb042f7c1f5e57177272f81
SHA256 42af92e5be37c1daddda7672372a39ccebb24d31d2ea65bec2a74dfbc3a4e82c
Tags: audio orcus
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

42af92e5be37c1daddda7672372a39ccebb24d31d2ea65bec2a74dfbc3a4e82c

Threat Level: Known bad

The file 403990c6cbb042f7c1f5e57177272f81 was found to be: Known bad.

Malicious Activity Summary

audio orcus

Orcus main payload

Orcurs Rat Executable

Orcus family

Loads dropped DLL

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported

2024-01-04 07:13

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-04 07:13

Reported

2024-01-04 07:15

Platform

win7-20231215-en

Max time kernel

122s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe"

Processes

C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe

"C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\viix2i0u.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES693F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC693E.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hanakita.ddns.net | udp
VN | 1.54.172.244:4444 | hanakita.ddns.net | tcp
VN | 1.54.172.244:4444 | hanakita.ddns.net | tcp

Files

\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

MD5 d80d1b6d9a6d5986fa47f6f8487030e1
SHA1 8f5773bf9eca43b079c1766b2e9f44cc90bd9215
SHA256 446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3
SHA512 9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc

\??\c:\Users\Admin\AppData\Local\Temp\viix2i0u.cmdline

MD5 e812b334c2cba2a0ad9240e7b647c50d
SHA1 03530f5276de50144b8f79b91a833af6a3055e8b
SHA256 3bb6890329216be1d35bdcf9ecc3e9df74931b3468fe69b3dc3d786586827d14
SHA512 57524bdc2be2522e3899b74da770fde6d55a301d4672348ddf90e04e6d56a3546dc99dd961ad1bed95080cfeda293e8f61649a0cdf7e8e72fbe55776e0552676

\??\c:\Users\Admin\AppData\Local\Temp\viix2i0u.0.cs

MD5 2fcb165ed62080a094dc317178fcc368
SHA1 ede1e71260bd57616388c192aec684498453af97
SHA256 937d2d4a2b9e43fb0f5ad3b3c0a6baf79039417575c4e861c497a69ea283e565
SHA512 203b177127da112964e4bec9f6cb7dcccc573366a67e344015bb72d13311322c52eb294ee6057d0e978d925373a39366dd95e320c0b2f31b945fae431de6ebe9

\??\c:\Users\Admin\AppData\Local\Temp\CSC693E.tmp

MD5 44aa3ec5305aada3f5f0ef67f1c6adaa
SHA1 5f7d67230ffe2ce924457268a4e258e1fd76125f
SHA256 25e088d7e38cb9a169c13d87659e261a18083c9b492a0597b651735946f61ecf
SHA512 7b5e64a649d1045a7434a95670da97f5f42bf3eaeb5d5e897411ec31cda5bf8c31e895b8850c01d2a8e2267f90640c17d564db8250c43fac563b95ad3a0c1d4f

C:\Users\Admin\AppData\Local\Temp\RES693F.tmp

MD5 4258bd858d83677a09b2e8b8ddcbc812
SHA1 3f35ecf509b10009872cae87e5961f704b2b29a3
SHA256 6e78e1f8dd3ebd779bc807eb7d4c8c1a20cde22c44b9380c2acec6b815f6b032
SHA512 045639838823a768674ff7c4f5fb79c1f230bef9a61d1af165c3850012057960d4e0b22b765626d849cc02db1021b2c1f9cafc9d2a3d3175bb0d0a6c597b105b

C:\Users\Admin\AppData\Local\Temp\viix2i0u.dll

MD5 f4fe079e8aaa36dd94497170a4ad757b
SHA1 bbc5b3f6d450a2240ee2128be4c8f17863c3380f
SHA256 dd8f7d80273e77297347ba38a57d996bf2c3dbf125ed4250eaa2e1161e287729
SHA512 ce386d930781aef5c7811ea03fb9f1770e99be407a8a5a6ff4d7c94302c08431d35c899152237d48cb61713fd639c49e8cd42d051b1ffbd589230d97fcddb10e

C:\Users\Admin\AppData\Local\Temp\Cab8393.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarF04D.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-04 07:13

Reported

2024-01-04 07:15

Platform

win10v2004-20231215-en

Max time kernel

144s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe

"C:\Users\Admin\AppData\Local\Temp\403990c6cbb042f7c1f5e57177272f81.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 876

Network


Files

C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

MD5 d80d1b6d9a6d5986fa47f6f8487030e1
SHA1 8f5773bf9eca43b079c1766b2e9f44cc90bd9215
SHA256 446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3
SHA512 9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc

C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\NativePRo.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
