Malware Analysis Report

2025-01-22 15:11

Sample ID 240211-bmntwaah31
Target 75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a
SHA256 75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a
Tags
orcus
score
10/10

Analysis Overview

score
10/10

SHA256

75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a

Threat Level: Known bad

The file 75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a was found to be: Known bad.

Malicious Activity Summary

orcus

Orcus family

Orcus main payload

Orcurs Rat Executable

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-11 01:15

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-11 01:15

Reported

2024-02-11 01:18

Platform

win10v2004-20231215-en

Max time kernel

93s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe"

Signatures

Drops desktop.ini file(s)

Description: File created
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe
Target: N/A

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\Windows\assembly
Process: C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe
Target: N/A

Description: File created
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe

"C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\16xa9ily.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES443E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC443D.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

memory/644-0-0x00007FFE59FB0000-0x00007FFE5A951000-memory.dmp

memory/644-1-0x0000000001670000-0x0000000001680000-memory.dmp

memory/644-2-0x000000001BB50000-0x000000001BBAC000-memory.dmp

memory/644-5-0x000000001BC40000-0x000000001BC4E000-memory.dmp

memory/644-6-0x00007FFE59FB0000-0x00007FFE5A951000-memory.dmp

memory/644-7-0x000000001C280000-0x000000001C74E000-memory.dmp

memory/644-8-0x000000001C7F0000-0x000000001C88C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\16xa9ily.cmdline

MD5 fcf74b7cc4843ccfbd9ed050167de4b5
SHA1 f4e18e467d34560f55f03e8a1157402df7d20e41
SHA256 e684c27f64f90fe015ba02c7066136597e48da1e44fd5a634c519fbc64baa71e
SHA512 0131508f25654fd27acec9afdf28f5b23ac115df2ad5299f18000c762242b8a2e5018422efe3e60c5efd47bfcbc112968093e3e30faac9787e6136ebfc0bf0cf

\??\c:\Users\Admin\AppData\Local\Temp\16xa9ily.0.cs

MD5 12126621038e5ee0ef7a338c71bf7861
SHA1 1115bccaed3d0cbb07d95a61b447b5afade6604a
SHA256 c5e02d8904367133374ec544f9bf06ef093c973a0e7b9620f33c074df7fb7b67
SHA512 169f09db9f82930d7a6040263aae3b08a16beeb3aa5c38e1808230a327436e383b0d83e1cfc2d36e2d36068b170772de1c0df8c721252211a1d4e51a2131c956

memory/4380-14-0x0000000002300000-0x0000000002310000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC443D.tmp

MD5 b7bcc0f43b9c0d8a9d5f1b8e64eb6fe2
SHA1 a1f7806f551e738564c44375ddb1066b639555ef
SHA256 d6145fe5e38f2fab634daa220c5164bb91df2dab7a8d6d8d82b68fe0272dbf97
SHA512 db85b4e2eca29d4a731d4132f8bdac7c6e8afdbe922276037bce5c1e5b67b11b6603541769f476e9f3ce2c6ba15202ddc95cc004bab8d23254af5976298590b9

C:\Users\Admin\AppData\Local\Temp\RES443E.tmp

MD5 8c5c0b0b684d11bb88c6b950b29cfbd5
SHA1 36c21e044d15c80532114aea7a95016a09ba2133
SHA256 d2401acd921304e250abbec1feecc3a5568ca39491e66e402668b404b494f9f6
SHA512 bad6f5690f7a6b6e7bc0fc399c72f3109f0b5e6948eaf741ae44d11bbbe15ecf7bf849e6bdecb501bb42eadeb423737a761ed0a915d13c9074cf008b5e804f3b

C:\Users\Admin\AppData\Local\Temp\16xa9ily.dll

MD5 561e71b14859a7eb7facf7f131a9e7c3
SHA1 1c5ea2034dc2dbf405488381244cb2e6df64af60
SHA256 1abb4e053d04a52cd6479127fc2326977b24eccc4e5827a68908ae280997213a
SHA512 dbfcafc6e66c2e84b7fe9fff1a0864cd7f5d48173b14eaf140fe8469c333acf1a24fdce770aa5c0911d4dda0c1c208e35d8780121f2bd41fafaf7687e7965b45

memory/644-22-0x000000001BC90000-0x000000001BCA6000-memory.dmp

memory/644-24-0x00000000015E0000-0x00000000015F2000-memory.dmp

memory/644-25-0x0000000001440000-0x0000000001448000-memory.dmp

memory/644-26-0x0000000001670000-0x0000000001680000-memory.dmp

memory/644-27-0x00007FFE59FB0000-0x00007FFE5A951000-memory.dmp

memory/644-28-0x0000000001670000-0x0000000001680000-memory.dmp

memory/644-29-0x0000000001670000-0x0000000001680000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-11 01:15

Reported

2024-02-11 01:18

Platform

win7-20231215-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe

"C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nhjpa22k.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES534F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC534E.tmp"

Network

N/A

Files

memory/1672-0-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp

memory/1672-1-0x0000000000DC0000-0x0000000000E1C000-memory.dmp

memory/1672-2-0x0000000000510000-0x000000000051E000-memory.dmp

memory/1672-3-0x0000000000970000-0x00000000009F0000-memory.dmp

memory/1672-4-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\nhjpa22k.cmdline

MD5 2d1726cd2c2794ff5962e9cbcbf18e74
SHA1 ad71fe965bc2d41851dd5aae4ebc04356ec66d0e
SHA256 3abc83ef59dd95c6cd32d137b215db716663c0e81e596d716a562a7d71829b65
SHA512 150d22e54a327308238136667bba5081d79fef6722899f69b1b25eb38b4bbaca2ab0e0fc00bda8a2d2ab93ecfe1b257b42d568a2309f96a327904fefbb3d306c

\??\c:\Users\Admin\AppData\Local\Temp\nhjpa22k.0.cs

MD5 6011503497b1b9250a05debf9690e52c
SHA1 897aea61e9bffc82d7031f1b3da12fb83efc6d82
SHA256 08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434
SHA512 604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

memory/2108-10-0x0000000002340000-0x00000000023C0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC534E.tmp

MD5 35936aa7981c93263a076f8e4650ca05
SHA1 290cb6521b9b1be462bec7017fc4d97e8c5f43ba
SHA256 6582f61c9e5b49ae1895b3eeaa08859977f288a6ef065fe9999bb89917845fe1
SHA512 61620776cb381d05e9110092b1e20bcf3c7501c506803caa0984dd0273ad91b8c345b16239fe99c7138fbd700bca8b1dc0b60836406ecd23a659109a03437672

C:\Users\Admin\AppData\Local\Temp\RES534F.tmp

MD5 b96d78d0b3290e35015ecf726e90c366
SHA1 b2b104cb40b685657c65a9187116346068ed9feb
SHA256 08ecf925e306eecfabe70d76ff091d46af0953fc0fc635632e3df8476103896c
SHA512 128d871e6bb34344139ac62ae39bbd8de9d9e7174bc102abb37cf309c69f5a45fe8911942139dad6be0353f5b3f74eac76586497d4bbbd3b75a1346034f42352

C:\Users\Admin\AppData\Local\Temp\nhjpa22k.dll

MD5 2ab396ac308c99e07704f2ddfe6e4220
SHA1 944b46a509a2648cffa0e4bee6ff3a89061ecc41
SHA256 f762b315e703288232c6f2a31f399635e3a57b739c4165db788cbb17461a2935
SHA512 2491e13ef4fcb56228c19b6c04b9a8f463b874d86eae88b3e1e7979ed66f1ba327efba755a1b210310710d1cbf48fa8e82c575de6012abbca332c150832b6946

memory/1672-18-0x0000000002320000-0x0000000002336000-memory.dmp

memory/1672-20-0x0000000000530000-0x0000000000542000-memory.dmp

memory/1672-21-0x0000000000970000-0x00000000009F0000-memory.dmp

memory/1672-22-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp

memory/1672-23-0x0000000000970000-0x00000000009F0000-memory.dmp

memory/1672-24-0x0000000000970000-0x00000000009F0000-memory.dmp