Analysis Overview
SHA256: ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b
Threat Level: Known bad
The file ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b was found to be: Known bad.
Malicious Activity Summary
Orcus main payload
Orcurs Rat Executable
Orcus family
Drops desktop.ini file(s)
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-11 01:01
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-11 01:01
Reported
2024-02-11 01:03
Platform
win7-20231215-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe
"C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jlhcqdaf.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E89.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1E88.tmp"
Network
Files
\??\c:\Users\Admin\AppData\Local\Temp\jlhcqdaf.cmdline
| Hash | Value |
|---|---|
| MD5 | 5b4b67e6f40e3f7c4ec93d7c11c88496 |
| SHA1 | 557793894684b190fcd35c6ac03d1bd8fd9174f0 |
| SHA256 | 15983d41eac4812f8d71d2385bf1f9d171b0b15da4dc6931524981255bb2c349 |
| SHA512 | 5ea30c5030b6cc5a972262163753ee2ace55d6a9a89640a5563f98ed4caf86109def32f091f0e6a1bda0d41918cefaefe15ee8c863cd5abf5c05f9036321a243 |
\??\c:\Users\Admin\AppData\Local\Temp\jlhcqdaf.0.cs
| Hash | Value |
|---|---|
| MD5 | c555d9796194c1d9a1310a05a2264e08 |
| SHA1 | 82641fc4938680519c3b2e925e05e1001cbd71d7 |
| SHA256 | ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a |
| SHA512 | 0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090 |
C:\Users\Admin\AppData\Local\Temp\RES1E89.tmp
| Hash | Value |
|---|---|
| MD5 | 20a355b4686dc33dece7f88c0c6a098e |
| SHA1 | c888480e5674e7bddfd7ab8e5efa501778ecfade |
| SHA256 | 45acdba2280ea9b403c53d6d776219399aed6e94b861b4b74df5b96c175dec2c |
| SHA512 | c00f5da509ad213e837af82301c5886e547260275a3545d2bf898a67d308ffaccd25d1d2b7518d730cbb4eccf9bae881a1318bfbf1e1e2f424772702dc5b1b38 |
C:\Users\Admin\AppData\Local\Temp\jlhcqdaf.dll
| Hash | Value |
|---|---|
| MD5 | 6ba3978bbd31808510693e3e2a14b38f |
| SHA1 | 20c76fd4538a20517d6bf82e4c8a597a2c8b8d0c |
| SHA256 | 60273dc50f72a8b866bc471e81121100dd5e9c7089e8731e7bfb818325aafdc2 |
| SHA512 | 85db3a05fe8fcd966459c58df792f1691ff42e06c7ba1d731dd6c65b013db603c4611c9218d041c569257c229969001a52b6e2ac5cedca247761c16b57e6e42f |
\??\c:\Users\Admin\AppData\Local\Temp\CSC1E88.tmp
| Hash | Value |
|---|---|
| MD5 | 5223971e52517b370679596fc84a5885 |
| SHA1 | 414f27dc3ffc870afaa3321ed01a9b29c28ed495 |
| SHA256 | a616c8d085e0868b790e86301add57bfb626718d2b6f05458a23c80f541f7f65 |
| SHA512 | 994de5494a5fcea3ade20b4a04602975e55930ff7abe6c3bc52eb3bab2fb75dec81475695cc6b3421debbbf06bf02519f35c8c2b1e7f46080e1e8e0c5023e365 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-11 01:01
Reported
2024-02-11 01:03
Platform
win10v2004-20231215-en
Max time kernel
90s
Max time network
122s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 880 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 880 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 4828 wrote to memory of 2204 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
| PID 4828 wrote to memory of 2204 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe
"C:\Users\Admin\AppData\Local\Temp\ddd660614feb82769a58cbe68e629fb33795a5c7c7531c0c4f2cd5698a62850b.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\astvhheo.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C9A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4C99.tmp"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\astvhheo.cmdline
| Hash | Value |
|---|---|
| MD5 | fb72900db5c73fa2acf94983cc32e927 |
| SHA1 | cf361d210a9db760b81d661a25ec5095aa5d8391 |
| SHA256 | 2afc0d7f9e23e74806056b7dd801d234327290deb8c85d5c2efd5148139e9f2a |
| SHA512 | 883d6479b08a86690ac57cc3973f28d72b62f9b4233193d33bdd9ceaa55cedca1ec91854505cfcb2a5a4497cca231d79ac236f633939f05ab10f47cb0bf5d50b |
\??\c:\Users\Admin\AppData\Local\Temp\astvhheo.0.cs
| Hash | Value |
|---|---|
| MD5 | e722a80377b57eb45d1f2c126e811b77 |
| SHA1 | 0ce8c2997ff0c621b603b25a6e15ddc27adf4a52 |
| SHA256 | 020689fd04080ee98a4149f5d39a64ddbcbe59fe0c9ca50e873c556886dc14d2 |
| SHA512 | 3914a21cf103053dddbe9645983f94dd5b84f799285951e7eaf45f2dd5b9eb08addb561984c74077f08fcafed82ba1219ee263dcdf805fd40ad39fa1b57f4457 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC4C99.tmp
| Hash | Value |
|---|---|
| MD5 | d27943ee6e76024f8416ed4f2b018da0 |
| SHA1 | 81d9d16e842cc142a2901d0d1cecb13908fc6160 |
| SHA256 | 8f439d65b55e31b8a23b70e3151215df96b8f92a92b96dc96ef5607825ffb276 |
| SHA512 | 50d3f37da19dc65883c146a5c8676b9888f6fd47c733778d67fdb1a11f2c82b30d27a7ac2a145e82770ac1a15a41b8d6077915376dcbc86df9485b15bf002030 |
C:\Users\Admin\AppData\Local\Temp\RES4C9A.tmp
| Hash | Value |
|---|---|
| MD5 | 0a547e21718e2abf2332f4696830db48 |
| SHA1 | 895990924ae1b774e6875585d8d550667b0ada2f |
| SHA256 | 65ced3884329ba322ace12f0d506d8227caad4a68b56a7fa5df595afd43b6229 |
| SHA512 | 695b3e694ef5644c3d2e998a2f6bfcdb7494383b8d029fbfc8db4e5f5401c74a29c996f94aa7b0d29a7b05fa67f47ac29d2c41b3cca21e7d07a5a85305898fb5 |
C:\Users\Admin\AppData\Local\Temp\astvhheo.dll
| Hash | Value |
|---|---|
| MD5 | 947869f9df6dc27d130e448b51a0dcf0 |
| SHA1 | d12e7350a6ea8026705e93a433bac76bf58bd2c8 |
| SHA256 | 771d20b749799014d1b44252161032230ff2fa23f65976694f12e3a634b988f9 |
| SHA512 | 1c83908766267709c561eccdc265ba468692bfbd3fe371ae069a677f0e5f88d36f355605a51edebda08857ce8e3178ce632ea8f3d18a297fabec6e6073b6fe1b |