Analysis Overview
SHA256
b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c
Threat Level: Known bad
The file b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcus main payload
Orcurs Rat Executable
Orcus family
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-06 01:07
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 01:07
Reported
2024-02-06 01:11
Platform
win7-20231215-en
Max time kernel
0s
Max time network
120s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
"C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {8DDE8B7B-4EF7-4DF1-8509-BE2675C88193} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
"C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe"
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58576.client.sudorat.top | udp |
| RU | 31.44.184.52:58576 | 58576.client.sudorat.top | tcp |
Files
memory/2572-1-0x00000000741E0000-0x00000000748CE000-memory.dmp
memory/2572-0-0x0000000000F40000-0x000000000123E000-memory.dmp
memory/2572-2-0x0000000000E80000-0x0000000000EC0000-memory.dmp
memory/2572-4-0x0000000000BF0000-0x0000000000C4C000-memory.dmp
memory/2572-3-0x00000000002F0000-0x00000000002FE000-memory.dmp
memory/2572-5-0x00000000003C0000-0x00000000003D2000-memory.dmp
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | 2794dea72b9f3133d95c7b85ead090a7 |
| SHA1 | 9857270851b6e0659fa5721a720a5cfac88eb46e |
| SHA256 | 5300e25aa5b4a5f50db8edd222d6ece5de4033d62f5e6d6849ea0024676475a1 |
| SHA512 | 370ce42f427d7017eb3407247d5f18bd2cad299fc21326014d07c7130ba38d5cb7625eb6ebe6c2b6d397dd9902547fd8aa9e7b8798da0e2fa1a6afd60ffd0ff5 |
memory/2572-16-0x00000000741E0000-0x00000000748CE000-memory.dmp
memory/1548-19-0x0000000000460000-0x00000000004A0000-memory.dmp
memory/1548-18-0x0000000000C10000-0x0000000000F0E000-memory.dmp
memory/1548-21-0x0000000002370000-0x00000000023BE000-memory.dmp
memory/1548-20-0x0000000000720000-0x0000000000732000-memory.dmp
memory/1548-17-0x00000000741E0000-0x00000000748CE000-memory.dmp
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | 65696ae7f9f46b859b8569b43999d07f |
| SHA1 | bd221e65e2a3deaf259894d503dc523bc5fc37c1 |
| SHA256 | a1ec055137a4f5b42fdf16b95c6859bb2bd4fbd6a931347f0fa13b9ec5c92845 |
| SHA512 | 7b1bd9823ad0effb965c32f6fb90c788c07223c936edaeca6585c6a67c9b69176e773193b8aecb1b6b0be0dc6ff98753ca70c68e81d41a91618780399ecf802b |
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe.config
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | 19f3cdec267ffcb022a8b6aa43ce2e17 |
| SHA1 | 166c3ce0546f191dc4ff70d79ed633d6e0d9062c |
| SHA256 | 9c9deb62e9e20ec30dad4a6d493643b47c25fef0de90740936921dc6095ac6eb |
| SHA512 | d6897fffefc936d28f18c76a5c71dca325b73f4d161473e86fbd821214d50b1d6920af9228c52bc63d83c9cd3e48af6c99d488fee841710c0a6ad8d75026e9f4 |
\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | ee7052356bbd3afa1ee3c21a4222b55f |
| SHA1 | 9e3ecff8b9394c8b3786ad231a08dedc059df354 |
| SHA256 | 1e6742f6f742d68a6d0fb6647643e6e26058762cc54ef9573f059fd3eb2add30 |
| SHA512 | 225c2de3ab31ff8927ddf14562222cdaeae26cb6b17545067e3bda305879ab4974c653c8a27dae77b77dcdbe8cf95b6964a745522ecd8110a8ebfa9c648ab620 |
memory/2884-23-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2884-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2884-31-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2848-36-0x00000000011D0000-0x00000000014CE000-memory.dmp
memory/2848-39-0x00000000741E0000-0x00000000748CE000-memory.dmp
memory/2848-38-0x0000000004CC0000-0x0000000004D00000-memory.dmp
memory/2884-40-0x0000000000CD0000-0x0000000000CE8000-memory.dmp
memory/2884-41-0x0000000000F20000-0x0000000000F30000-memory.dmp
memory/2884-37-0x0000000004CB0000-0x0000000004CF0000-memory.dmp
memory/2884-35-0x00000000741E0000-0x00000000748CE000-memory.dmp
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | 4e7e9a42a051bd0def8039d32d0242de |
| SHA1 | bbcbd0399ae7c403c8a864f5504cf96be9dd06a1 |
| SHA256 | cf169c95539b74ea038c48ccfb75e538a97bc54d1dd16a48fcfa40c0e1045a18 |
| SHA512 | ff5a2999ec0a0223fce9ede4577dbda09d82495f539d7e9f1cf1dddc165e0a5b943e7a591970db1bdf4a25cd479a835f8693678a74f9af947c560bb1b390d6fe |
memory/2884-33-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/1548-30-0x00000000741E0000-0x00000000748CE000-memory.dmp
memory/2884-28-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2884-25-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2884-24-0x0000000000400000-0x00000000006FE000-memory.dmp
memory/2884-22-0x0000000000400000-0x00000000006FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab1A94.tmp
| MD5 | 922ce20009f9d164ce954487d373527c |
| SHA1 | 8a1942db234c4c8eec8f30f955a9e3ac2f8c58f2 |
| SHA256 | d42dd4c42aa9feaa2e2649936e08d954fe57e9d1e75cca2adb0c1e0e19fe147c |
| SHA512 | a35eef341dd309c58a8236298b0ebb845294a13dbbd91d6085b469866bb91bf242858454fd0b2301755faf208e6819796484c49d575b1ec961ba209e23f4d89f |
memory/2848-58-0x00000000741E0000-0x00000000748CE000-memory.dmp
memory/2884-59-0x00000000741E0000-0x00000000748CE000-memory.dmp
memory/2884-60-0x0000000004CB0000-0x0000000004CF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | 59b4ef1defad2968fb0d9366566daecf |
| SHA1 | 081326ac42537f6f10088cbe03fe84d4c9877f5c |
| SHA256 | 054c3323fa6e538f57544206961a5f6f4d937822e4b70d522173fd29ff652314 |
| SHA512 | 10a6582e7c11b17ce789ebb10d33dc5e47fc38d1b3e902eccb69b46641da7887f24bf08d7c161683b81db32fa2206ff878c2234ffa60122627a4025a4a0b44ca |
memory/2800-62-0x00000000741E0000-0x00000000748CE000-memory.dmp
memory/2800-63-0x00000000741E0000-0x00000000748CE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-06 01:07
Reported
2024-02-06 01:11
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
121s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe
"C:\Users\Admin\AppData\Local\Temp\b4af3126655823c6b45c2584feccf38dd74fc661e6274fb5001c3d68e39afb4c.exe"
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
"C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58576.client.sudorat.top | udp |
| RU | 31.44.184.52:58576 | 58576.client.sudorat.top | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.184.44.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4744-1-0x0000000000D40000-0x000000000103E000-memory.dmp
memory/4744-2-0x00000000059A0000-0x00000000059B0000-memory.dmp
memory/4744-3-0x0000000005990000-0x000000000599E000-memory.dmp
memory/4744-4-0x0000000005C00000-0x0000000005C5C000-memory.dmp
memory/4744-6-0x0000000005DF0000-0x0000000005E82000-memory.dmp
memory/4744-5-0x0000000006300000-0x00000000068A4000-memory.dmp
memory/4744-0-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/4744-7-0x0000000005DE0000-0x0000000005DF2000-memory.dmp
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | 7efee619e783d06d8d526cc763ccb994 |
| SHA1 | 38f32a260d01d1c0a8b0840dea4c7c7404784137 |
| SHA256 | e79045493be7f0d7c9604eb49d4c15a883aa0c08cfa4ef721a1d70fe4ac89b84 |
| SHA512 | c249861f4dde01199e62126840e2481f16c6ae776e643ddbecaa9a15d048da136a6e86c5493f9c823a08cdc5f187694fd5016904f7d5cb10bf5efd69a897bbbd |
memory/4744-24-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/668-25-0x0000000005850000-0x0000000005860000-memory.dmp
memory/668-23-0x0000000074CA0000-0x0000000075450000-memory.dmp
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | 2b0e9a26e54cee4ffda0c920d5fadd1c |
| SHA1 | 99b532aa4ddc76b292cf7f98fb7231d0bf21fdcc |
| SHA256 | c5d08f7fc7901991889b37de648d5b7a4db50229894fc75181c692f10414fe42 |
| SHA512 | ab50b106af07d04feb66de744765f3f4ad3da6bb85af4fa3e1140d2b8ba62e532ac1d22f999238cf811594473b27735a5cc8a7a116c18258780fcc76c73a3b04 |
memory/668-27-0x0000000006180000-0x00000000061CE000-memory.dmp
memory/668-26-0x0000000006160000-0x0000000006172000-memory.dmp
memory/4472-34-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/4472-35-0x0000000001960000-0x0000000001970000-memory.dmp
memory/668-33-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/4472-37-0x0000000006430000-0x0000000006440000-memory.dmp
memory/4472-39-0x0000000006770000-0x000000000677A000-memory.dmp
memory/3580-38-0x0000000005450000-0x0000000005460000-memory.dmp
memory/4472-36-0x0000000005610000-0x0000000005628000-memory.dmp
memory/3580-31-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/668-29-0x0000000006AE0000-0x0000000006B7C000-memory.dmp
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | 0339e4143a8c2cd99acdbf7c41533a70 |
| SHA1 | 722e2e3c8fae4d1941ddee805b10d8a82540ced9 |
| SHA256 | ddcd8d53e3276b1077c1c3c225db89e48323a85733be0bc4ee79d4f4aeb86f5a |
| SHA512 | 578ff57699bc65a1ea7ae2b9bcd4ccde588733c234d28b68dbe9b60bbf7f0cb873655efe5a4c75941472ac32f1f2d180233707fc28d1129a79f0028212f57911 |
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | f0b5b7471116c984a131ba59102aa893 |
| SHA1 | 8de0255b5704ff3bbd2b1c65d9deff87bbbbaf6e |
| SHA256 | 31e77bfeaad9c2591ade00a28e8a53337b789094e431521d26ab06cbe9992ed2 |
| SHA512 | 61f1938e8a457e6a3a4ea31bd23ebd5c6bc04189869ac1787fb3b6bf4cd37f91bbf44356cda90a0c5133f69735425afb45a1ab07ea2f25f8b7fda2cd15415c07 |
memory/4472-42-0x0000000006ED0000-0x0000000006F36000-memory.dmp
memory/4472-44-0x0000000006FE0000-0x0000000006FF2000-memory.dmp
memory/4472-45-0x0000000007040000-0x000000000707C000-memory.dmp
memory/4472-46-0x0000000007080000-0x00000000070CC000-memory.dmp
memory/4472-43-0x0000000007560000-0x0000000007B78000-memory.dmp
memory/4472-47-0x0000000007210000-0x000000000731A000-memory.dmp
memory/4472-48-0x0000000007B80000-0x0000000007D42000-memory.dmp
memory/3580-50-0x0000000074CA0000-0x0000000075450000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lowbase.exe.log
| MD5 | 663b8d5469caa4489d463aa9bc18124f |
| SHA1 | e57123a7d969115853ea631a3b33826335025d28 |
| SHA256 | 7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8 |
| SHA512 | 45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55 |
memory/4472-51-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/4472-52-0x0000000001960000-0x0000000001970000-memory.dmp
C:\Users\Admin\AppData\Roaming\javascriptpackettemp\lowbase.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3664-54-0x0000000074CA0000-0x0000000075450000-memory.dmp
memory/3664-55-0x0000000005350000-0x0000000005360000-memory.dmp
memory/3664-56-0x0000000074CA0000-0x0000000075450000-memory.dmp