Malware Analysis Report

2025-01-22 15:04

Sample ID 240211-bc8rascg87
Target ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b
SHA256 ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b
Tags orcus
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b

Threat Level: Known bad

The file ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b was found to be: Known bad.

Malicious Activity Summary

orcus

Orcus main payload

Orcus RAT Executable

Orcus family

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-02-11 01:01

Signatures

Orcus RAT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-11 01:01
Reported 2024-02-11 01:03
Platform win7-20231215-en
Max time kernel 122s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe

"C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jlhcqdaf.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E89.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1E88.tmp"

Network

N/A

Files

memory/2372-1-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

memory/2372-0-0x000000001AF10000-0x000000001AF6C000-memory.dmp

memory/2372-2-0x0000000002240000-0x00000000022C0000-memory.dmp

memory/2372-4-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

memory/2372-3-0x0000000000520000-0x000000000052E000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\jlhcqdaf.cmdline

MD5 5b4b67e6f40e3f7c4ec93d7c11c88496
SHA1 557793894684b190fcd35c6ac03d1bd8fd9174f0
SHA256 15983d41eac4812f8d71d2385bf1f9d171b0b15da4dc6931524981255bb2c349
SHA512 5ea30c5030b6cc5a972262163753ee2ace55d6a9a89640a5563f98ed4caf86109def32f091f0e6a1bda0d41918cefaefe15ee8c863cd5abf5c05f9036321a243

\??\c:\Users\Admin\AppData\Local\Temp\jlhcqdaf.0.cs

MD5 c555d9796194c1d9a1310a05a2264e08
SHA1 82641fc4938680519c3b2e925e05e1001cbd71d7
SHA256 ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a
SHA512 0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

C:\Users\Admin\AppData\Local\Temp\RES1E89.tmp

MD5 20a355b4686dc33dece7f88c0c6a098e
SHA1 c888480e5674e7bddfd7ab8e5efa501778ecfade
SHA256 45acdba2280ea9b403c53d6d776219399aed6e94b861b4b74df5b96c175dec2c
SHA512 c00f5da509ad213e837af82301c5886e547260275a3545d2bf898a67d308ffaccd25d1d2b7518d730cbb4eccf9bae881a1318bfbf1e1e2f424772702dc5b1b38

C:\Users\Admin\AppData\Local\Temp\jlhcqdaf.dll

MD5 6ba3978bbd31808510693e3e2a14b38f
SHA1 20c76fd4538a20517d6bf82e4c8a597a2c8b8d0c
SHA256 60273dc50f72a8b866bc471e81121100dd5e9c7089e8731e7bfb818325aafdc2
SHA512 85db3a05fe8fcd966459c58df792f1691ff42e06c7ba1d731dd6c65b013db603c4611c9218d041c569257c229969001a52b6e2ac5cedca247761c16b57e6e42f

memory/2372-17-0x0000000002310000-0x0000000002326000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC1E88.tmp

MD5 5223971e52517b370679596fc84a5885
SHA1 414f27dc3ffc870afaa3321ed01a9b29c28ed495
SHA256 a616c8d085e0868b790e86301add57bfb626718d2b6f05458a23c80f541f7f65
SHA512 994de5494a5fcea3ade20b4a04602975e55930ff7abe6c3bc52eb3bab2fb75dec81475695cc6b3421debbbf06bf02519f35c8c2b1e7f46080e1e8e0c5023e365

memory/2372-19-0x00000000008F0000-0x0000000000902000-memory.dmp

memory/2372-20-0x0000000002330000-0x0000000002338000-memory.dmp

memory/2372-21-0x0000000002340000-0x0000000002348000-memory.dmp

memory/2372-22-0x0000000002240000-0x00000000022C0000-memory.dmp

memory/2372-24-0x0000000002240000-0x00000000022C0000-memory.dmp

memory/2372-25-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-11 01:01
Reported 2024-02-11 01:03
Platform win10v2004-20231215-en
Max time kernel 90s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe"

Signatures

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe

"C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\astvhheo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C9A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4C99.tmp"
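The process chain in both behavioral analyses (the sample running from the user's Temp directory launching csc.exe with an @*.cmdline response file, followed by cvtres.exe) and the Desktop.ini write under C:\Windows\assembly are the observable hooks a detection engineer would key on: csc.exe driven by a response file with a random eight-letter name is what the .NET CodeDOM compiler produces when a program compiles C# at runtime. The following is an added example, not code from the sandbox report: a small Python detector run over constructed process-creation and file-creation events shaped like the report's entries. The event schema (kind, image, parent_image, command_line, target) is an assumption for the example, as is the parent link from csc.exe to cvtres.exe, which the report lists flatly rather than as a tree; the dotnet.exe row is a constructed benign control.

```python
"""Flag the runtime C# compilation chain and the C:\\Windows\\assembly Desktop.ini write.

Added example, not code from the sandbox report. The Event field names are an
assumed telemetry schema; EVENTS below is constructed from the report's entries.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                # "process" (a process start) or "file" (a file create/modify)
    image: str               # for "process": the new process; for "file": the writing process
    parent_image: str = ""   # process events only
    command_line: str = ""   # process events only
    target: str = ""         # file events only: the path written


# A dropper running from the user's Temp directory, as the sample does in this report.
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# csc.exe driven by a response file; CodeDOM uses random 8-letter names such as astvhheo.cmdline.
CSC_RESPONSE_FILE = re.compile(r'@"?[^"\s]+\.cmdline"?', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[Event]) -> list[str]:
    """Return one alert string per matching event; an empty list means nothing fired."""
    alerts: list[str] = []
    for e in events:
        if e.kind == "process":
            child = basename(e.image)
            if child == "csc.exe" and USER_TEMP.match(e.parent_image) \
                    and CSC_RESPONSE_FILE.search(e.command_line):
                alerts.append(f"runtime C# compile: {basename(e.parent_image)} -> csc.exe")
            elif child == "cvtres.exe" and basename(e.parent_image) == "csc.exe":
                alerts.append("cvtres.exe spawned by csc.exe (resource step of the same compile)")
        elif e.kind == "file":
            path = e.target.lower()
            # Desktop.ini under the GAC folder written by something that is not a Windows binary.
            if path.startswith("c:\\windows\\assembly\\") and basename(path) == "desktop.ini" \
                    and not e.image.lower().startswith("c:\\windows\\"):
                alerts.append(f"Desktop.ini written under C:\\Windows\\assembly by {basename(e.image)}")
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"

# Constructed from the behavioral2 process and file entries; parent links are assumed.
EVENTS = [
    Event("process", SAMPLE, parent_image=r"C:\Windows\explorer.exe", command_line=f'"{SAMPLE}"'),
    Event("file", SAMPLE, target=r"C:\Windows\assembly\Desktop.ini"),
    Event("process", CSC, parent_image=SAMPLE,
          command_line=f'"{CSC}" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\astvhheo.cmdline"'),
    Event("process", CVTRES, parent_image=CSC,
          command_line=f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 '
                       f'"/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES4C9A.tmp" '
                       f'"c:\\Users\\Admin\\AppData\\Local\\Temp\\CSC4C99.tmp"'),
    # Benign control (constructed): a build tool compiling from a project directory.
    Event("process", CSC, parent_image=r"C:\Program Files\dotnet\dotnet.exe",
          command_line=f'"{CSC}" /noconfig @"C:\\proj\\obj\\Debug\\proj.rsp"'),
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the constructed events this fires three alerts (the Desktop.ini write, the csc.exe launch from the Temp-resident parent, and cvtres.exe under csc.exe) and stays silent on the dotnet.exe control. In production the parent-directory check is the part to tune: csc.exe is also reached legitimately by PowerShell Add-Type and by build tooling, so the parent image and the response-file extension carry the signal, not csc.exe alone.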

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
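Every row in this table is a reverse (PTR) lookup: an in-addr.arpa name carries the IPv4 octets in reverse order, so 209.205.72.20.in-addr.arpa asks who owns 20.72.205.209. The report records only these queries to 8.8.8.8 and lists no outbound connection by the sample, so the decoded addresses are a pivot for enrichment (ownership, reputation), not evidence of command-and-control, and whether the lookups came from the sample or from background OS activity is for the analyst to establish. The helper below is an added example, not part of the report: it decodes in-addr.arpa (and, going beyond the table, ip6.arpa) names back into addresses and collects the result per row. The rows are a constructed copy of the ones above; any name that is not a reverse-lookup name is skipped.

```python
"""Decode reverse-DNS (PTR) query names from a sandbox network table into IP addresses.

Added example, not code from the sandbox report. NETWORK_ROWS is a constructed copy
of the behavioral2 Network table.
"""
import ipaddress
from typing import Dict, Optional


def ptr_to_ip(name: str) -> Optional[str]:
    """Return the address a PTR name asks about, or None if the name is not one.

    in-addr.arpa: four octets, reversed.  ip6.arpa: 32 hex nibbles, reversed.
    Anything that does not parse as a valid address (e.g. an octet of 999) is rejected.
    """
    n = name.strip().rstrip(".").lower()
    if n.endswith(".in-addr.arpa"):
        octets = n[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            return None
        candidate = ".".join(reversed(octets))
    elif n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or any(len(x) != 1 for x in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        candidate = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
    else:
        return None
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


# Constructed copy of the report's behavioral2 Network table (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
"""


def reverse_lookups(rows: str) -> Dict[str, str]:
    """Map each PTR query name in the table to the address it resolves.

    Rows with a forward (non-PTR) name are left out so they are not mistaken for addresses.
    """
    out: Dict[str, str] = {}
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header or malformed row
        _country, _dest, domain, _proto = parts
        ip = ptr_to_ip(domain)
        if ip is not None:
            out[domain] = ip
    return out


def public_addresses(rows: str) -> list:
    """Sorted, de-duplicated list of decoded addresses that are globally routable."""
    addrs = {ipaddress.ip_address(ip) for ip in reverse_lookups(rows).values()}
    return sorted(str(a) for a in addrs if a.is_global)


if __name__ == "__main__":
    for domain, ip in reverse_lookups(NETWORK_ROWS).items():
        print(f"{domain:40} -> {ip}")
```

The decoded list is what you would feed to a WHOIS or passive-DNS lookup; the table itself proves only that a resolver was asked about those addresses during the 122-second network window.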

Files

memory/880-1-0x0000000001270000-0x0000000001280000-memory.dmp

memory/880-0-0x00007FF95D260000-0x00007FF95DC01000-memory.dmp

memory/880-2-0x00007FF95D260000-0x00007FF95DC01000-memory.dmp

memory/880-3-0x000000001B8D0000-0x000000001B92C000-memory.dmp

memory/880-6-0x000000001BAB0000-0x000000001BABE000-memory.dmp

memory/880-7-0x000000001C000000-0x000000001C4CE000-memory.dmp

memory/880-8-0x000000001C570000-0x000000001C60C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\astvhheo.cmdline

MD5 fb72900db5c73fa2acf94983cc32e927
SHA1 cf361d210a9db760b81d661a25ec5095aa5d8391
SHA256 2afc0d7f9e23e74806056b7dd801d234327290deb8c85d5c2efd5148139e9f2a
SHA512 883d6479b08a86690ac57cc3973f28d72b62f9b4233193d33bdd9ceaa55cedca1ec91854505cfcb2a5a4497cca231d79ac236f633939f05ab10f47cb0bf5d50b

\??\c:\Users\Admin\AppData\Local\Temp\astvhheo.0.cs

MD5 e722a80377b57eb45d1f2c126e811b77
SHA1 0ce8c2997ff0c621b603b25a6e15ddc27adf4a52
SHA256 020689fd04080ee98a4149f5d39a64ddbcbe59fe0c9ca50e873c556886dc14d2
SHA512 3914a21cf103053dddbe9645983f94dd5b84f799285951e7eaf45f2dd5b9eb08addb561984c74077f08fcafed82ba1219ee263dcdf805fd40ad39fa1b57f4457

memory/4828-14-0x0000000002360000-0x0000000002370000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC4C99.tmp

MD5 d27943ee6e76024f8416ed4f2b018da0
SHA1 81d9d16e842cc142a2901d0d1cecb13908fc6160
SHA256 8f439d65b55e31b8a23b70e3151215df96b8f92a92b96dc96ef5607825ffb276
SHA512 50d3f37da19dc65883c146a5c8676b9888f6fd47c733778d67fdb1a11f2c82b30d27a7ac2a145e82770ac1a15a41b8d6077915376dcbc86df9485b15bf002030

C:\Users\Admin\AppData\Local\Temp\RES4C9A.tmp

MD5 0a547e21718e2abf2332f4696830db48
SHA1 895990924ae1b774e6875585d8d550667b0ada2f
SHA256 65ced3884329ba322ace12f0d506d8227caad4a68b56a7fa5df595afd43b6229
SHA512 695b3e694ef5644c3d2e998a2f6bfcdb7494383b8d029fbfc8db4e5f5401c74a29c996f94aa7b0d29a7b05fa67f47ac29d2c41b3cca21e7d07a5a85305898fb5

memory/880-22-0x000000001BAF0000-0x000000001BB06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\astvhheo.dll

MD5 947869f9df6dc27d130e448b51a0dcf0
SHA1 d12e7350a6ea8026705e93a433bac76bf58bd2c8
SHA256 771d20b749799014d1b44252161032230ff2fa23f65976694f12e3a634b988f9
SHA512 1c83908766267709c561eccdc265ba468692bfbd3fe371ae069a677f0e5f88d36f355605a51edebda08857ce8e3178ce632ea8f3d18a297fabec6e6073b6fe1b

memory/880-24-0x0000000001300000-0x0000000001312000-memory.dmp

memory/880-25-0x00000000012D0000-0x00000000012D8000-memory.dmp

memory/880-26-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

memory/880-27-0x000000001CFC0000-0x000000001D022000-memory.dmp

memory/880-28-0x000000001D920000-0x000000001DEDA000-memory.dmp

memory/880-29-0x000000001DEE0000-0x000000001DFD0000-memory.dmp

memory/880-30-0x000000001D120000-0x000000001D13E000-memory.dmp

memory/880-31-0x000000001DFE0000-0x000000001E029000-memory.dmp

memory/880-32-0x0000000001270000-0x0000000001280000-memory.dmp

memory/880-33-0x000000001E0C0000-0x000000001E130000-memory.dmp

memory/880-34-0x0000000001270000-0x0000000001280000-memory.dmp

memory/880-36-0x000000001BB10000-0x000000001BB18000-memory.dmp

memory/880-37-0x00007FF95D260000-0x00007FF95DC01000-memory.dmp

memory/880-38-0x0000000001270000-0x0000000001280000-memory.dmp

memory/880-39-0x0000000001270000-0x0000000001280000-memory.dmp