Malware Analysis Report

2025-01-22 15:05

Sample ID 240208-bnfjwsbg39
Target 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16
SHA256 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16
Tags
orcus
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16

Threat Level: Known bad

The file 9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16 was found to be: Known bad.

Malicious Activity Summary

orcus

Orcus family

Orcus main payload

Orcurs Rat Executable

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-08 01:17

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-08 01:17

Reported

2024-02-08 01:19

Platform

win7-20231215-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe

"C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wzp3zi35.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC50CE.tmp"
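Both detonations show the same process chain: the sample in %LOCALAPPDATA%\Temp launches the 64-bit .NET 2.0 C# compiler (csc.exe) with a response file (@"...\wzp3zi35.cmdline") in the same Temp directory, csc.exe then runs cvtres.exe to emit a RES*.tmp resource blob, and a freshly compiled wzp3zi35.dll lands in Temp. That is runtime compilation of a payload on the victim host, and it is a good detection seam because normal builds are driven by MSBuild, Visual Studio or VBCSCompiler, not by an unsigned binary sitting in Temp. The following detection logic is an added example and is not part of the sandbox report. The ProcEvent record is an assumed shape (map Sysmon Event ID 1 or your EDR's process-creation fields onto it); PID 2288 for the sample comes from the memory-dump names in this run, while PIDs 1000, 2300, 2312 and the devenv.exe pair are made up for the example.

```python
"""Detect the csc.exe / cvtres.exe runtime-compilation chain seen in this report.

Added example, not part of the sandbox output. ProcEvent is an assumed shape;
map Sysmon Event ID 1 (or your EDR's process-creation event) onto it.
"""
import ntpath
import re
from dataclasses import dataclass

# Build tools that legitimately drive csc.exe; anything else handing the
# compiler a response file in Temp is worth a look.
BENIGN_CSC_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "dotnet.exe"}

# %LOCALAPPDATA%\Temp of any user, matched case-insensitively.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)
RES_OUT = re.compile(r'/OUT:([^"\s]+)', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _base(image):
    return ntpath.basename(image).lower()


def find_runtime_compilation(events):
    """One dict per suspicious csc.exe spawn: its parent image, the response
    file it was handed, and any /OUT: path written by a cvtres.exe child."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    hits = []
    for e in events:
        if _base(e.image) != "csc.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _base(parent.image) in BENIGN_CSC_PARENTS:
            continue
        m = RESPONSE_FILE.search(e.cmdline)
        if not m:
            continue
        rsp = m.group(1)
        # Either the response file or the parent binary living in Temp is
        # enough to flag; the report shows both.
        if not (USER_TEMP.match(rsp) or USER_TEMP.match(parent.image)):
            continue
        res_out = []
        for c in children.get(e.pid, []):
            out = RES_OUT.search(c.cmdline)
            if _base(c.image) == "cvtres.exe" and out:
                res_out.append(out.group(1))
        hits.append({"csc_pid": e.pid, "parent": parent.image,
                     "response_file": rsp, "cvtres_out": res_out})
    return hits


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe")
CSC = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"

# Constructed from the behavioral1 process list. 2288 is the sample's PID (from
# the memory dump names); 1000, 2300, 2312 and the devenv.exe pair are made up.
SAMPLE_EVENTS = [
    ProcEvent(2288, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2300, 2288, CSC,
              f'"{CSC}" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\wzp3zi35.cmdline"'),
    ProcEvent(2312, 2300, CVTRES,
              f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES50CF.tmp" '
              f'"c:\\Users\\Admin\\AppData\\Local\\Temp\\CSC50CE.tmp"'),
    # Benign build: Visual Studio driving the compiler with a Temp response file.
    ProcEvent(3999, 1, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(4000, 3999, CSC, f'"{CSC}" /noconfig @"C:\\Users\\Admin\\AppData\\Local\\Temp\\abc.cmdline"'),
]

if __name__ == "__main__":
    for hit in find_runtime_compilation(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints one hit, the csc.exe spawned by the sample, and stays quiet on the devenv.exe-driven compile. If you tune this for production, the parent allow-list is the knob most likely to need local additions (for example, PowerShell's Add-Type also spawns csc.exe); keep the Temp-path condition, since a compiler fed a response file from a user-writable directory by an unknown parent is the behaviour this report documents.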

Network

N/A

Files

memory/2288-0-0x000000001AEB0000-0x000000001AF0C000-memory.dmp

memory/2288-1-0x00000000005B0000-0x00000000005BE000-memory.dmp

memory/2288-2-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

memory/2288-3-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

memory/2288-4-0x0000000002080000-0x0000000002100000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wzp3zi35.cmdline

MD5 5501784f9d129c6ea19346e71c4ce741
SHA1 687d80c0adcfbd22a48b6bdd0c1cfa613c0c5f9f
SHA256 205214420ad4ff2b7a4557bca09610e32cfd7d662282f52a5ad2c4dfe087e70d
SHA512 dbd3a93908762e1bc54601bee6d1075ddc9873939d7d8895064b8aa160af1d93c79a591dc8e9b2f49f2080582b61c913662c7d1e8dffa43cae8d6a20b23775d6

\??\c:\Users\Admin\AppData\Local\Temp\wzp3zi35.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
SHA512 bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

\??\c:\Users\Admin\AppData\Local\Temp\CSC50CE.tmp

MD5 c942ef5e94872f168daca1eaf09d2551
SHA1 f173d36350d9e94f52cc09bfdd5042987191cad7
SHA256 b91af778274a42ab9de1f778511729babaf8c87145422651e60d359e29e9c0af
SHA512 c94f32a36514c41d8f1a0c84329c4e17602caa8d2d4b61ce5bdc70a18602cd0e71fe0ef3bbd9da7b14069af1c3003a8c4431b46e4a8b7d56aab480716d06a966

C:\Users\Admin\AppData\Local\Temp\RES50CF.tmp

MD5 881b68fe84619f5bb0927eccf1b3d7c0
SHA1 10ba44092a37b623773168ce799e5daf3241b293
SHA256 9fd596d38c4b0ad83138339132df981715c6eb8290adfaf8891a2ab86193d364
SHA512 65dba202160643043a80ab93a4976d9d16d99093965595b867705239e9ab9bd229c044b67319ee29cb2ff8e764da057eceb0a694663c13f6d336cb346c2165f7

C:\Users\Admin\AppData\Local\Temp\wzp3zi35.dll

MD5 38024dd88ba38de8fe73af47024c3e82
SHA1 f7658aea9c73fff6281e7812dcf2890525f92cce
SHA256 751cc146ae351309dc1fe89fc9f05d3b5c0a2b1f7dcb3143892f4bda022211eb
SHA512 550a4f0b5f60b5dde416bc029186a18b592a5f130db9ce855645545d9b4317d5baf829c5eadefe5800786f389ffc776680e579000c92dcc9cb65f8a4900edae5

memory/2288-17-0x0000000002310000-0x0000000002326000-memory.dmp

memory/2288-19-0x00000000005E0000-0x00000000005F2000-memory.dmp

memory/2288-20-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/2288-21-0x0000000001F50000-0x0000000001F58000-memory.dmp

memory/2288-22-0x0000000002080000-0x0000000002100000-memory.dmp

memory/2288-23-0x000007FEF5A10000-0x000007FEF63AD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-08 01:17

Reported

2024-02-08 01:19

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe"

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\Boot\err_bff5c852ae7b4868a2aa18ea8de24aa3.dat | C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe | N/A
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe

"C:\Users\Admin\AppData\Local\Temp\9f0112d3238fea7397c5641f9e4bda829257030638d12e6c7568f79988e8cc16.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fvkekqh-.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88D8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC88C7.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp
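The only network activity recorded in this run is a set of reverse-DNS (PTR) queries to 8.8.8.8; no outbound command-and-control connection appears within the 150 s network window, and behavioral1 recorded no network activity at all. PTR names are written with the octets reversed, so turning them back into dotted-quad IPs is the first step before deciding whether any of them matter. The Files sections (here and in behavioral1) list each dropped file with MD5, SHA1, SHA256 and SHA512, interleaved with memory/*.dmp entries that carry no hashes. The following parser is an added example and is not part of the sandbox output: it converts an excerpt of the Files listing into hash records, rejects any digest of the wrong length or with non-hex characters so a truncated hash never reaches a blocklist, and maps each PTR row back to the IP that was looked up. The excerpts are copied from this report; the layout rules the parser assumes (a path line starts a record, "ALG hex" lines attach to it) are inferred from the report as shown, not a documented format.

```python
"""Turn the report's Files and Network sections into checkable IOCs.

Added example, not part of the sandbox output. The excerpts are copied from
this report; the layout rules (a path line starts a record, 'ALG hex' lines
attach to it, memory/*.dmp entries carry no hashes) are assumptions.
"""
import ipaddress
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")
# Optional NT object-manager prefix "\??\" followed by a drive letter.
WIN_PATH = re.compile(r"^(\\\?\?\\)?[A-Za-z]:\\")
NT_PREFIX = "\\??\\"


def parse_dropped_files(text):
    """One dict per dropped file: normalized path plus lower-case md5/sha1/sha256/sha512.
    Raises ValueError on a digest of the wrong length or with non-hex characters."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if WIN_PATH.match(line):
            path = line[len(NT_PREFIX):] if line.startswith(NT_PREFIX) else line
            current = {"path": path}
            records.append(current)
            continue
        if line.startswith("memory/"):
            current = None  # in-memory dump, no file hashes follow
            continue
        alg, _, digest = line.partition(" ")
        if alg in HASH_LEN and current is not None:
            digest = digest.strip().lower()
            if len(digest) != HASH_LEN[alg] or not HEX.match(digest):
                raise ValueError(f"bad {alg} for {current['path']}: {digest!r}")
            current[alg.lower()] = digest
    return records


def ptr_name_to_ip(name):
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    n = name.lower().rstrip(".")
    if not n.endswith(suffix):
        return None
    labels = n[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def parse_network(text):
    """Rows of the 'Country Destination Domain Proto' table, with PTR names
    turned back into the IP the host was looking up."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        rows.append({"country": country, "destination": dest, "domain": domain,
                     "proto": proto, "resolved_ip": ptr_name_to_ip(domain)})
    return rows


# Excerpts copied from this report (behavioral1 Files, behavioral2 Network).
FILES_EXCERPT = r"""
memory/2288-4-0x0000000002080000-0x0000000002100000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wzp3zi35.cmdline

MD5 5501784f9d129c6ea19346e71c4ce741
SHA1 687d80c0adcfbd22a48b6bdd0c1cfa613c0c5f9f
SHA256 205214420ad4ff2b7a4557bca09610e32cfd7d662282f52a5ad2c4dfe087e70d
SHA512 dbd3a93908762e1bc54601bee6d1075ddc9873939d7d8895064b8aa160af1d93c79a591dc8e9b2f49f2080582b61c913662c7d1e8dffa43cae8d6a20b23775d6

C:\Users\Admin\AppData\Local\Temp\wzp3zi35.dll

MD5 38024dd88ba38de8fe73af47024c3e82
SHA1 f7658aea9c73fff6281e7812dcf2890525f92cce
SHA256 751cc146ae351309dc1fe89fc9f05d3b5c0a2b1f7dcb3143892f4bda022211eb
SHA512 550a4f0b5f60b5dde416bc029186a18b592a5f130db9ce855645545d9b4317d5baf829c5eadefe5800786f389ffc776680e579000c92dcc9cb65f8a4900edae5
"""

NETWORK_EXCERPT = """Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 188.178.17.96.in-addr.arpa udp
"""

if __name__ == "__main__":
    for rec in parse_dropped_files(FILES_EXCERPT):
        print(rec["sha256"], rec["path"])
    for row in parse_network(NETWORK_EXCERPT):
        print(row["domain"], "->", row["resolved_ip"])
```

Note that the compiled wzp3zi35.dll and the .cs source are per-run artifacts with randomized names (behavioral2 produced fvkekqh-.dll with different hashes), so their digests identify this detonation rather than the family; the SHA256 of the submitted sample is the durable file indicator, and the csc.exe/cvtres.exe behaviour is the durable behavioural one.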

Files

memory/1632-0-0x00007FFD2CE90000-0x00007FFD2D831000-memory.dmp

memory/1632-1-0x0000000001170000-0x0000000001180000-memory.dmp

memory/1632-2-0x000000001B820000-0x000000001B87C000-memory.dmp

memory/1632-5-0x000000001BA00000-0x000000001BA0E000-memory.dmp

memory/1632-6-0x00007FFD2CE90000-0x00007FFD2D831000-memory.dmp

memory/1632-7-0x000000001BF50000-0x000000001C41E000-memory.dmp

memory/1632-8-0x000000001C4C0000-0x000000001C55C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\fvkekqh-.cmdline

MD5 59469f8b91afa32d9312365f23cb3e33
SHA1 ba2832760c8e9cc12783a0d5f0cd83de5dab5dd0
SHA256 7cc778b390919acef1945a7544b14f49607e1e109c0d29328423d13fe383fb41
SHA512 457f68f09fbf2c80cf6bc634c679519f4e2bb7de81172bb70ab6abbc1da42f0983038fb380052e8d3d5f0a9dbffc0930c8c05dd6741ef2296442439aa97f798b

\??\c:\Users\Admin\AppData\Local\Temp\fvkekqh-.0.cs

MD5 01fab3e8f12e859e450512e784682bb7
SHA1 397b5bad305a19c3e6311905ebf6fcd00063d8b8
SHA256 bbd4e7ce8fd591746910b8e6ab05a7875a1e382938db0afa5a0d2dc47c477076
SHA512 35ec42bce68b3041eff542c96b11952c1b1496a6f3322b23ab72c56751d14f79c17d29ea0b85a7674fe596b8c4ab5a40eef5186d7528d360eee814731549faf1

memory/4148-14-0x0000000000970000-0x0000000000980000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC88C7.tmp

MD5 fde0d9304947025e996ecf013c9e2fa5
SHA1 52e4aadbc64ee23b416551b33f89582d6a118986
SHA256 9f924061cc4e12e4a594a2b8e5baa30f8a59016856e80d0fc496802f62b33c29
SHA512 eb88a4f9c2fd3767b48dfea920b0214c82cd5b7050bcc4fa442f647e4257a7282028e9c0cc19749e22752e68c4e641831983ef57d89e42bbcf340d796ec3cf16

C:\Users\Admin\AppData\Local\Temp\RES88D8.tmp

MD5 19ec5637f1301865193199fbeb0a421c
SHA1 d0456bb5d5c7c7c5bc87e2b4caa8d4929ccb77e1
SHA256 1ff7b40bf1b6ea332956a702edf8e31d1dffebce4ed975519a1b753b9c154408
SHA512 28fb4e206c6a8250b84caf29f9901aa25b05f478ebec66f113586e91e14186aa9d3838ba48a3e27c05326008fc1e5d5aaeae1c149653117d9dce83602ef8b26b

memory/1632-22-0x000000001BA40000-0x000000001BA56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fvkekqh-.dll

MD5 d21d2deddc8f1725114427feb571f419
SHA1 8a5765d41a113ae1db556ffac221c352892d8157
SHA256 c3592a3a3f3c804b4c8a3959eb6819a044dfd9d86109ba45be8791bc038ab7cf
SHA512 8364f3506ee738cd36bd6b21546787b089d43cafea695aad595a5a55624f748afc2043051d6870fbd7c2b68bf150280231161b4c53dc294417db8507706c797d

memory/1632-24-0x000000001B780000-0x000000001B792000-memory.dmp

memory/1632-25-0x000000001B700000-0x000000001B708000-memory.dmp

memory/1632-26-0x000000001B810000-0x000000001B818000-memory.dmp

memory/1632-27-0x000000001CF10000-0x000000001CF72000-memory.dmp

memory/1632-28-0x000000001D870000-0x000000001DE2A000-memory.dmp

memory/1632-29-0x000000001DE30000-0x000000001DF20000-memory.dmp

memory/1632-30-0x000000001D070000-0x000000001D08E000-memory.dmp

memory/1632-31-0x000000001DF30000-0x000000001DF79000-memory.dmp

memory/1632-32-0x0000000001170000-0x0000000001180000-memory.dmp

memory/1632-33-0x000000001E010000-0x000000001E080000-memory.dmp

memory/1632-34-0x0000000001170000-0x0000000001180000-memory.dmp

memory/1632-36-0x00007FFD2CE90000-0x00007FFD2D831000-memory.dmp