Analysis Overview
SHA256
75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a
Threat Level: Known bad
The file 75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a was found to be: Known bad.
Malicious Activity Summary
Orcus family
Orcus main payload
Orcurs Rat Executable
Drops desktop.ini file(s)
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-11 01:15
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-11 01:15
Reported
2024-02-11 01:18
Platform
win10v2004-20231215-en
Max time kernel
93s
Max time network
149s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 644 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 644 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 4380 wrote to memory of 4968 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
| PID 4380 wrote to memory of 4968 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe
"C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\16xa9ily.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES443E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC443D.tmp"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
memory/644-0-0x00007FFE59FB0000-0x00007FFE5A951000-memory.dmp
memory/644-1-0x0000000001670000-0x0000000001680000-memory.dmp
memory/644-2-0x000000001BB50000-0x000000001BBAC000-memory.dmp
memory/644-5-0x000000001BC40000-0x000000001BC4E000-memory.dmp
memory/644-6-0x00007FFE59FB0000-0x00007FFE5A951000-memory.dmp
memory/644-7-0x000000001C280000-0x000000001C74E000-memory.dmp
memory/644-8-0x000000001C7F0000-0x000000001C88C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\16xa9ily.cmdline
| MD5 | fcf74b7cc4843ccfbd9ed050167de4b5 |
| SHA1 | f4e18e467d34560f55f03e8a1157402df7d20e41 |
| SHA256 | e684c27f64f90fe015ba02c7066136597e48da1e44fd5a634c519fbc64baa71e |
| SHA512 | 0131508f25654fd27acec9afdf28f5b23ac115df2ad5299f18000c762242b8a2e5018422efe3e60c5efd47bfcbc112968093e3e30faac9787e6136ebfc0bf0cf |
\??\c:\Users\Admin\AppData\Local\Temp\16xa9ily.0.cs
| MD5 | 12126621038e5ee0ef7a338c71bf7861 |
| SHA1 | 1115bccaed3d0cbb07d95a61b447b5afade6604a |
| SHA256 | c5e02d8904367133374ec544f9bf06ef093c973a0e7b9620f33c074df7fb7b67 |
| SHA512 | 169f09db9f82930d7a6040263aae3b08a16beeb3aa5c38e1808230a327436e383b0d83e1cfc2d36e2d36068b170772de1c0df8c721252211a1d4e51a2131c956 |
memory/4380-14-0x0000000002300000-0x0000000002310000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC443D.tmp
| MD5 | b7bcc0f43b9c0d8a9d5f1b8e64eb6fe2 |
| SHA1 | a1f7806f551e738564c44375ddb1066b639555ef |
| SHA256 | d6145fe5e38f2fab634daa220c5164bb91df2dab7a8d6d8d82b68fe0272dbf97 |
| SHA512 | db85b4e2eca29d4a731d4132f8bdac7c6e8afdbe922276037bce5c1e5b67b11b6603541769f476e9f3ce2c6ba15202ddc95cc004bab8d23254af5976298590b9 |
C:\Users\Admin\AppData\Local\Temp\RES443E.tmp
| MD5 | 8c5c0b0b684d11bb88c6b950b29cfbd5 |
| SHA1 | 36c21e044d15c80532114aea7a95016a09ba2133 |
| SHA256 | d2401acd921304e250abbec1feecc3a5568ca39491e66e402668b404b494f9f6 |
| SHA512 | bad6f5690f7a6b6e7bc0fc399c72f3109f0b5e6948eaf741ae44d11bbbe15ecf7bf849e6bdecb501bb42eadeb423737a761ed0a915d13c9074cf008b5e804f3b |
C:\Users\Admin\AppData\Local\Temp\16xa9ily.dll
| MD5 | 561e71b14859a7eb7facf7f131a9e7c3 |
| SHA1 | 1c5ea2034dc2dbf405488381244cb2e6df64af60 |
| SHA256 | 1abb4e053d04a52cd6479127fc2326977b24eccc4e5827a68908ae280997213a |
| SHA512 | dbfcafc6e66c2e84b7fe9fff1a0864cd7f5d48173b14eaf140fe8469c333acf1a24fdce770aa5c0911d4dda0c1c208e35d8780121f2bd41fafaf7687e7965b45 |
memory/644-22-0x000000001BC90000-0x000000001BCA6000-memory.dmp
memory/644-24-0x00000000015E0000-0x00000000015F2000-memory.dmp
memory/644-25-0x0000000001440000-0x0000000001448000-memory.dmp
memory/644-26-0x0000000001670000-0x0000000001680000-memory.dmp
memory/644-27-0x00007FFE59FB0000-0x00007FFE5A951000-memory.dmp
memory/644-28-0x0000000001670000-0x0000000001680000-memory.dmp
memory/644-29-0x0000000001670000-0x0000000001680000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-11 01:15
Reported
2024-02-11 01:18
Platform
win7-20231215-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe
"C:\Users\Admin\AppData\Local\Temp\75adc1b60a73e4006a31f578792521dcf9b6f3f6febb46a473cb671b12c2e99a.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nhjpa22k.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES534F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC534E.tmp"
Network
Files
memory/1672-0-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp
memory/1672-1-0x0000000000DC0000-0x0000000000E1C000-memory.dmp
memory/1672-2-0x0000000000510000-0x000000000051E000-memory.dmp
memory/1672-3-0x0000000000970000-0x00000000009F0000-memory.dmp
memory/1672-4-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\nhjpa22k.cmdline
| MD5 | 2d1726cd2c2794ff5962e9cbcbf18e74 |
| SHA1 | ad71fe965bc2d41851dd5aae4ebc04356ec66d0e |
| SHA256 | 3abc83ef59dd95c6cd32d137b215db716663c0e81e596d716a562a7d71829b65 |
| SHA512 | 150d22e54a327308238136667bba5081d79fef6722899f69b1b25eb38b4bbaca2ab0e0fc00bda8a2d2ab93ecfe1b257b42d568a2309f96a327904fefbb3d306c |
\??\c:\Users\Admin\AppData\Local\Temp\nhjpa22k.0.cs
| MD5 | 6011503497b1b9250a05debf9690e52c |
| SHA1 | 897aea61e9bffc82d7031f1b3da12fb83efc6d82 |
| SHA256 | 08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434 |
| SHA512 | 604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9 |
memory/2108-10-0x0000000002340000-0x00000000023C0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC534E.tmp
| MD5 | 35936aa7981c93263a076f8e4650ca05 |
| SHA1 | 290cb6521b9b1be462bec7017fc4d97e8c5f43ba |
| SHA256 | 6582f61c9e5b49ae1895b3eeaa08859977f288a6ef065fe9999bb89917845fe1 |
| SHA512 | 61620776cb381d05e9110092b1e20bcf3c7501c506803caa0984dd0273ad91b8c345b16239fe99c7138fbd700bca8b1dc0b60836406ecd23a659109a03437672 |
C:\Users\Admin\AppData\Local\Temp\RES534F.tmp
| MD5 | b96d78d0b3290e35015ecf726e90c366 |
| SHA1 | b2b104cb40b685657c65a9187116346068ed9feb |
| SHA256 | 08ecf925e306eecfabe70d76ff091d46af0953fc0fc635632e3df8476103896c |
| SHA512 | 128d871e6bb34344139ac62ae39bbd8de9d9e7174bc102abb37cf309c69f5a45fe8911942139dad6be0353f5b3f74eac76586497d4bbbd3b75a1346034f42352 |
C:\Users\Admin\AppData\Local\Temp\nhjpa22k.dll
| MD5 | 2ab396ac308c99e07704f2ddfe6e4220 |
| SHA1 | 944b46a509a2648cffa0e4bee6ff3a89061ecc41 |
| SHA256 | f762b315e703288232c6f2a31f399635e3a57b739c4165db788cbb17461a2935 |
| SHA512 | 2491e13ef4fcb56228c19b6c04b9a8f463b874d86eae88b3e1e7979ed66f1ba327efba755a1b210310710d1cbf48fa8e82c575de6012abbca332c150832b6946 |
memory/1672-18-0x0000000002320000-0x0000000002336000-memory.dmp
memory/1672-20-0x0000000000530000-0x0000000000542000-memory.dmp
memory/1672-21-0x0000000000970000-0x00000000009F0000-memory.dmp
memory/1672-22-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp
memory/1672-23-0x0000000000970000-0x00000000009F0000-memory.dmp
memory/1672-24-0x0000000000970000-0x00000000009F0000-memory.dmp