Analysis Overview
SHA256
acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82
Threat Level: Known bad
The file acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82 was found to be: Known bad.
Malicious Activity Summary
Orcurs Rat Executable
Orcus family
Orcus main payload
Drops desktop.ini file(s)
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-10 01:07
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-10 01:07
Reported
2024-01-10 01:10
Platform
win7-20231215-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe
"C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hdvnvllu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6134.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6133.tmp"
Network
Files
memory/1728-0-0x000000001AD40000-0x000000001AD9C000-memory.dmp
memory/1728-1-0x0000000000610000-0x000000000061E000-memory.dmp
memory/1728-2-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp
memory/1728-3-0x0000000001F20000-0x0000000001FA0000-memory.dmp
memory/1728-4-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\hdvnvllu.cmdline
| MD5 | 690dee68d76905b049f9b9c12c3dd715 |
| SHA1 | ba0aaa6bb28f52c844f464590f3e8de2001f41f0 |
| SHA256 | 8eeb75ed075272b378cae09631c0830686f1ad5f25d45106eac2992805e7c264 |
| SHA512 | b602ef386610113af3907a026556c44fca9fd1fc5fc1c25b272e4bf4aae72ada4364577802a5a1c84f573dfb45cee75518aabc5dbf49c9bc3a9c019140188f13 |
\??\c:\Users\Admin\AppData\Local\Temp\hdvnvllu.0.cs
| MD5 | 2b14ae8b54d216abf4d228493ceca44a |
| SHA1 | d134351498e4273e9d6391153e35416bc743adef |
| SHA256 | 4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c |
| SHA512 | 5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05 |
memory/2968-10-0x0000000000790000-0x0000000000810000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC6133.tmp
| MD5 | b4ea7080d30d38f5d01dfa8ac006538c |
| SHA1 | 2b29b16b6a7fd7a2e004c99cc15fcfc5a7efbc8e |
| SHA256 | dfe611851e10c33b90ddaa7663053ba4926082dc5583c0bf65d9e3977a2376a6 |
| SHA512 | d4c42693078a490856505b4452f014ac07ae5ecbc57febfd5663ace25eb45ce6d9026c6dcdb4a894d009a7c333ad9cd0a542920a4ae64b0cab4ea5250d60815e |
C:\Users\Admin\AppData\Local\Temp\RES6134.tmp
| MD5 | ba1526f4d76049a0d2b3e6db84cd16c9 |
| SHA1 | 19b985ed4519118dc09cfa3cb6fd95c9ab462110 |
| SHA256 | 28a8df41085e7bd8871dad87ce61503b2ff73353fd2dce9357acb17f4be0e59c |
| SHA512 | c5c2cc2efbf061cd3ae3d9f56541cc4621c4f857f8e53bbd16365aa9d4abf82a09e87650aed5e4d70bc98732ae8a920553dd0bcf1d7e7656359f3611c3627912 |
memory/1728-18-0x000000001AEC0000-0x000000001AED6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hdvnvllu.dll
| MD5 | 29a96e2fe64dfa6ff1bbc2889fb96943 |
| SHA1 | 2e484f1a18682efacfb692ce63380a29b079e054 |
| SHA256 | c3804a38bba60d0061785118f0c0ba5080930ab89c6d4de2abeff65508a18a07 |
| SHA512 | 3d984538d084cf02204680d0b8adfff5630792910da38c15ce6b77420d69a28167ab5b47aa2880f8b5bfcc4b5b4e20a3ba5d3776a3fa3e096a53694751554397 |
memory/1728-20-0x0000000000630000-0x0000000000642000-memory.dmp
memory/1728-21-0x0000000001F20000-0x0000000001FA0000-memory.dmp
memory/1728-22-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp
memory/1728-23-0x0000000001F20000-0x0000000001FA0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-10 01:07
Reported
2024-01-10 01:10
Platform
win10v2004-20231215-en
Max time kernel
136s
Max time network
156s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4428 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 4428 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 1896 wrote to memory of 3236 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
| PID 1896 wrote to memory of 3236 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe
"C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d9zx_4ao.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC724.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC723.tmp"
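The process tree above (identical in both runs apart from PIDs and temp-file names) is the footprint of .NET's CodeDOM compiler: the sample writes a response file (`<name>.cmdline`) and a source file (`<name>.0.cs`) into %TEMP%, launches the framework's csc.exe with `/noconfig /fullpaths @<name>.cmdline`, csc.exe invokes cvtres.exe to build the Win32 resource (`RES*.tmp` from `CSC*.tmp`), and the result is `<name>.dll` in the same directory. The parent-to-child WriteProcessMemory rows in the signature table line up with exactly those two edges (sample to csc.exe, csc.exe to cvtres.exe), and the same process also touches C:\Windows\assembly\Desktop.ini. The detection below is an added example, not tooling from the report or from the sandbox vendor: it walks constructed process-creation and file events shaped like the ones on this page (field names `kind`, `pid`, `ppid`, `image`, `cmdline`, `target` are an assumption, to be mapped from Sysmon event IDs 1 and 11 or equivalent) and flags csc.exe launched CodeDOM-style by anything that is not a build tool. The `DEV_PARENTS` allowlist and the benign control event are likewise constructed for the example.

```python
import re
from dataclasses import dataclass

# Shape of the csc.exe / cvtres.exe command lines that a CodeDOM compile
# (CSharpCodeProvider.CompileAssemblyFromSource) produces, as seen in both runs.
CSC_RE = re.compile(
    r'/noconfig\s+/fullpaths\s+@"?[^"]*\\Temp\\[^"\\]+\.cmdline"?', re.I)
CVTRES_RE = re.compile(
    r'/NOLOGO\s+/READONLY\s+/MACHINE:IX86\s+"?/OUT:[^"]*\\Temp\\RES[0-9A-F]+\.tmp"?', re.I)
# Parents that drive csc.exe legitimately (assumed allowlist; tune per estate).
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "dotnet.exe"}
GAC_DESKTOP_INI = r"c:\windows\assembly\desktop.ini"


@dataclass
class Event:
    """One telemetry record. Field names are assumed; map from Sysmon 1/11 as needed."""
    kind: str            # "process" = process creation, "file" = file create/modify
    pid: int             # acting process
    ppid: int = 0
    image: str = ""
    cmdline: str = ""
    target: str = ""     # path touched, for "file" events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_runtime_compile_chains(events):
    """Return one finding per csc.exe started CodeDOM-style by a non-build parent."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    gac_writers = {e.pid for e in events
                   if e.kind == "file" and e.target.lower() == GAC_DESKTOP_INI}
    findings = []
    for csc in procs.values():
        if basename(csc.image) != "csc.exe" or not CSC_RE.search(csc.cmdline):
            continue
        parent = procs.get(csc.ppid)
        if parent is None or basename(parent.image) in DEV_PARENTS:
            continue
        # cvtres.exe children of this csc.exe with the resource-conversion arguments
        cvtres_pids = sorted(
            c.pid for c in procs.values()
            if c.ppid == csc.pid and basename(c.image) == "cvtres.exe"
            and CVTRES_RE.search(c.cmdline))
        findings.append({
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "parent_in_temp": "\\appdata\\local\\temp\\" in parent.image.lower(),
            "csc_pid": csc.pid,
            "cvtres_pids": cvtres_pids,
            "parent_touched_gac_desktop_ini": parent.pid in gac_writers,
        })
    return findings


# Constructed records mirroring the behavioral2 process tree and file events above,
# plus one constructed benign control (a build tool driving csc.exe the same way).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\acda0cdbd6a9be7cc1df40923d57c6c0eeae28b8046130cc723c3b055d881f82.exe"
FX = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
SAMPLE_EVENTS = [
    Event("process", 4428, 1000, SAMPLE, f'"{SAMPLE}"'),
    Event("file", 4428, target=r"C:\Windows\assembly\Desktop.ini"),
    Event("process", 1896, 4428, FX + r"\csc.exe",
          f'"{FX}\\csc.exe" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\d9zx_4ao.cmdline"'),
    Event("process", 3236, 1896, FX + r"\cvtres.exe",
          FX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC724.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC723.tmp"'),
    Event("process", 5000, 4999, r"C:\Program Files\dotnet\dotnet.exe", "dotnet build"),
    Event("process", 5001, 5000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
          r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Dev\AppData\Local\Temp\build1.cmdline"'),
]

if __name__ == "__main__":
    for finding in find_runtime_compile_chains(SAMPLE_EVENTS):
        print(finding)
```

On a hit, the artifacts to collect before they are cleaned up are the `.cmdline`, `.0.cs` and `.dll` under the parent's %TEMP% (hashed in the Files sections of this report); the `.0.cs` is the decompiled-for-free source of whatever the sample compiled.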
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
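Every row in this table is either a PTR (reverse-DNS) query sent to 8.8.8.8 for an `in-addr.arpa` name, or a TLS session to tse1.mm.bing.net: background traffic a Windows 10 image generates on its own, with nothing attributable to the sample and no command-and-control contact in either run (the win7 run recorded no network activity at all). A PTR name encodes the address being asked about with its octets reversed, so `95.221.229.192.in-addr.arpa` is a lookup for 192.229.221.95; recovering those addresses is what lets you check them against passive DNS or your own allowlist instead of reading them backwards. The script below is an added example, not part of the report or the sandbox's tooling: it parses the table as printed above, reverses the PTR names, groups the TCP connections by destination, and sets aside hostnames matching a constructed noise-suffix list, leaving anything else as a candidate for follow-up. The `OS_NOISE_SUFFIXES` list and the extra `CONSTRUCTED_C2_ROW` (a documentation address with an `.invalid` name) are assumptions made for the example.

```python
import re

# The behavioral2 Network table, copied from the report above.
REPORT_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
"""
# Constructed row (not from the report) showing what a non-noise connection looks like.
CONSTRUCTED_C2_ROW = "| DE | 203.0.113.10:443 | example-c2.invalid | tcp |\n"

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)
# Assumed allowlist of hostnames a stock Windows 10 host contacts by itself.
OS_NOISE_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")


def parse_rows(table_text):
    """Turn the pipe table into dicts; skips the header row."""
    rows = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, name, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "name": name, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'95.221.229.192.in-addr.arpa' -> '192.229.221.95'; None if not a PTR name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def triage_network(table_text):
    result = {"reverse_lookups": {}, "os_noise": [], "connections": {}, "candidates": []}
    for r in parse_rows(table_text):
        is_dns = r["port"] == 53 and r["proto"] == "udp"
        looked_up = ptr_to_ip(r["name"]) if is_dns else None
        if looked_up:
            result["reverse_lookups"][looked_up] = result["reverse_lookups"].get(looked_up, 0) + 1
            continue
        if not is_dns:  # an actual connection, not a resolver query
            key = f'{r["ip"]}:{r["port"]}'
            result["connections"][key] = result["connections"].get(key, 0) + 1
        bucket = "os_noise" if r["name"].lower().endswith(OS_NOISE_SUFFIXES) else "candidates"
        result[bucket].append(r)
    return result


if __name__ == "__main__":
    res = triage_network(REPORT_TABLE)
    print(sorted(res["reverse_lookups"]))
    print(res["connections"], "candidates:", res["candidates"])
```

Run against the report's table the script yields 19 distinct reverse-looked-up addresses, one destination (204.79.197.200:443, five sessions) and an empty candidate list; appending the constructed row is the quickest way to confirm the candidate path actually fires.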
Files
memory/4428-0-0x00007FFC39930000-0x00007FFC3A2D1000-memory.dmp
memory/4428-1-0x00007FFC39930000-0x00007FFC3A2D1000-memory.dmp
memory/4428-2-0x0000000001680000-0x0000000001690000-memory.dmp
memory/4428-3-0x000000001BDB0000-0x000000001BE0C000-memory.dmp
memory/4428-6-0x000000001BFA0000-0x000000001BFAE000-memory.dmp
memory/4428-7-0x000000001C530000-0x000000001C9FE000-memory.dmp
memory/4428-8-0x000000001CA00000-0x000000001CA9C000-memory.dmp
memory/4428-9-0x00007FFC39930000-0x00007FFC3A2D1000-memory.dmp
memory/4428-10-0x00007FFC39930000-0x00007FFC3A2D1000-memory.dmp
memory/4428-11-0x0000000001680000-0x0000000001690000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\d9zx_4ao.cmdline
| MD5 | 7ee6dcc3daf25780b6d60a20818fd8bd |
| SHA1 | d58c64f65b9624e3fca6707957d2eb763009991d |
| SHA256 | 13a573b026d22dda19093973223e0380cb192ac02d87465ed63987d0237b82a9 |
| SHA512 | 853c64371ee88d65d77b4a5c0a6610fc41e523fac82936ad53ec4d3b9d4725ce81f27b14c8015cd6c68aee453db9e5a5127fe8cf3df0a23130217e09cb0add86 |
\??\c:\Users\Admin\AppData\Local\Temp\d9zx_4ao.0.cs
| MD5 | bfeb0e4c88d02808cc08ffc2280ca4fa |
| SHA1 | 87350936973d17b3cdfb72ce6a2d1a80edeb0291 |
| SHA256 | 524e493e21a0dc2c7df06f9860e604e98794e07e4d305cb786f490533566e3a4 |
| SHA512 | a4479568e3f9f97e6f3aece234a18b2e04e0ac6bba803214bffa99f5d8a81fbeb79f1577fe175ec2a37a924637c11394fdf0f3a29c3472b7c45570db6453aa8f |
memory/1896-17-0x00000000023E0000-0x00000000023F0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSCC723.tmp
| MD5 | 8cc40ec0256e511b00724e55dcc85a82 |
| SHA1 | fd8ad6cbee7bc7213431f4368467f9f35d372a9c |
| SHA256 | 06d25ca2e6c7f05d55a0b256ba7005f3bc5518e77433b234b8f614f55ba62f96 |
| SHA512 | 194d6d7f365a1fc5596582485976d4035ea94056edcc7b6d63d723843cd6b3baa41d9c8d58c423d7d16af8eb5fc73f739f41ed3cb31f0c25130ed358580234c2 |
C:\Users\Admin\AppData\Local\Temp\RESC724.tmp
| MD5 | 2b266464b0f48b4bb9aed682c47824cf |
| SHA1 | a20e68b0865c56ab103bd41c057fc8caf405d0ff |
| SHA256 | 29a3c59f59850019a86ec6ab6cc03cf6a430317867a5d64d2d2d8fd28d09d540 |
| SHA512 | 35645df2658e224bd189e7ceb64e42f9bf313c10cbcaa78d89fac198a5b7758b82b9a55800cb49cdf006a3c310c258173f1d47ba0c07f2bffdd5c54d3317c3fb |
C:\Users\Admin\AppData\Local\Temp\d9zx_4ao.dll
| MD5 | 48fbbcc100138dca8afc40435740f517 |
| SHA1 | 495cb2e16cad1e092d5c472bd743b6a2a89ed7c0 |
| SHA256 | de3482d95d2658ca40732a92085188f3490d3486ee7a1643f6d26a195afab646 |
| SHA512 | 18fbb6cc844cd4ee916ebec987498e877b0a76ff47a71e40ea84d24c916de1288763d721c3da7e07caaa68b82fe9df80e8ba66cb989283a35112b74d284d80bc |
memory/4428-25-0x0000000001410000-0x0000000001426000-memory.dmp
memory/4428-27-0x0000000001480000-0x0000000001492000-memory.dmp
memory/4428-28-0x0000000001450000-0x0000000001458000-memory.dmp
memory/4428-29-0x0000000001680000-0x0000000001690000-memory.dmp
memory/4428-30-0x0000000001680000-0x0000000001690000-memory.dmp
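The `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` entries in both Files sections name a process, a dump sequence number and the virtual address range captured; that scheme is inferred from the entries on this page, not documented in the report. Reading them as a list is slow, but two things fall out of them quickly once parsed: which ranges were dumped repeatedly (in the win10 run the high range 0x00007FFC39930000-0x00007FFC3A2D1000 and the small 0x1680000-0x1690000 block four times each; in the win7 run 0x000007FEF53E0000-0x000007FEF5D7D000 and 0x1F20000-0x1FA0000 three times each), and which ranges are private allocations rather than mapped images. The heuristic used for the second point is an assumption made here: on x64 Windows the system DLLs sit at the top of the user address range (0x000007FE... on win7, 0x00007FF... on win10), so a start address at or above 0x7F000000000 is treated as image-like and everything lower as private memory, which is where an unpacked .NET payload would be found. The script is an added example, not part of the report; PIDs 4428 and 1896 are the sample and csc.exe per the WriteProcessMemory table above, and the dump names are copied from the two Files sections.

```python
import re
from collections import Counter

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
IMAGE_FLOOR = 0x7F000000000  # assumed split between mapped system images and private memory

# Dump names copied from the behavioral1 (PIDs 1728, 2968) and behavioral2
# (PIDs 4428, 1896) Files sections of this report.
REPORT_DUMPS = """
memory/1728-0-0x000000001AD40000-0x000000001AD9C000-memory.dmp
memory/1728-1-0x0000000000610000-0x000000000061E000-memory.dmp
memory/1728-2-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp
memory/1728-3-0x0000000001F20000-0x0000000001FA0000-memory.dmp
memory/1728-4-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp
memory/2968-10-0x0000000000790000-0x0000000000810000-memory.dmp
memory/1728-18-0x000000001AEC0000-0x000000001AED6000-memory.dmp
memory/1728-20-0x0000000000630000-0x0000000000642000-memory.dmp
memory/1728-21-0x0000000001F20000-0x0000000001FA0000-memory.dmp
memory/1728-22-0x000007FEF53E0000-0x000007FEF5D7D000-memory.dmp
memory/1728-23-0x0000000001F20000-0x0000000001FA0000-memory.dmp
memory/4428-0-0x00007FFC39930000-0x00007FFC3A2D1000-memory.dmp
memory/4428-1-0x00007FFC39930000-0x00007FFC3A2D1000-memory.dmp
memory/4428-2-0x0000000001680000-0x0000000001690000-memory.dmp
memory/4428-3-0x000000001BDB0000-0x000000001BE0C000-memory.dmp
memory/4428-6-0x000000001BFA0000-0x000000001BFAE000-memory.dmp
memory/4428-7-0x000000001C530000-0x000000001C9FE000-memory.dmp
memory/4428-8-0x000000001CA00000-0x000000001CA9C000-memory.dmp
memory/4428-9-0x00007FFC39930000-0x00007FFC3A2D1000-memory.dmp
memory/4428-10-0x00007FFC39930000-0x00007FFC3A2D1000-memory.dmp
memory/4428-11-0x0000000001680000-0x0000000001690000-memory.dmp
memory/1896-17-0x00000000023E0000-0x00000000023F0000-memory.dmp
memory/4428-25-0x0000000001410000-0x0000000001426000-memory.dmp
memory/4428-27-0x0000000001480000-0x0000000001492000-memory.dmp
memory/4428-28-0x0000000001450000-0x0000000001458000-memory.dmp
memory/4428-29-0x0000000001680000-0x0000000001690000-memory.dmp
memory/4428-30-0x0000000001680000-0x0000000001690000-memory.dmp
""".split()


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, range and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def summarize(names):
    """Per PID: dump count, distinct ranges, ranges dumped more than once,
    image-like ranges, and private ranges ordered largest first."""
    per_pid = {}
    for r in map(parse_dump_name, names):
        s = per_pid.setdefault(r["pid"], {"dumps": 0, "ranges": Counter(), "private": {}})
        s["dumps"] += 1
        key = (r["start"], r["end"])
        s["ranges"][key] += 1
        if r["start"] < IMAGE_FLOOR:
            s["private"][key] = r["size"]
    return {
        pid: {
            "dumps": s["dumps"],
            "distinct_ranges": len(s["ranges"]),
            "repeated": {k: n for k, n in s["ranges"].items() if n > 1},
            "image_like": [k for k in s["ranges"] if k[0] >= IMAGE_FLOOR],
            "private_by_size": sorted(s["private"].items(), key=lambda kv: kv[1], reverse=True),
        }
        for pid, s in per_pid.items()
    }


if __name__ == "__main__":
    for pid, s in summarize(REPORT_DUMPS).items():
        top = [(hex(a), hex(b), size) for (a, b), size in s["private_by_size"][:3]]
        print(pid, s["dumps"], "dumps,", s["distinct_ranges"], "ranges; largest private:", top)
```

For the sample's win10 process the largest private region is 0x1C530000-0x1C9FE000 (0x4CE000 bytes), which is the first dump to carve for an MZ header or a .NET metadata stream; the repeatedly dumped 0x1680000-0x1690000 block (0x10000 bytes) is worth diffing across its four captures rather than reading any single copy.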