Malware Analysis Report

2025-01-22 15:09

Sample ID 240211-bmpfeada27
Target d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01
SHA256 d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01
Tags
orcus
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01

Threat Level: Known bad

The file d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01 was found to be: Known bad.

Malicious Activity Summary

orcus

Orcus RAT executable

Orcus family

Orcus main payload

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-11 01:15

Signatures

Orcus RAT executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-11 01:15

Reported

2024-02-11 01:18

Platform

win7-20231215-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe

"C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ezeboua9.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42AC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC42AB.tmp"

Network

N/A

Files

memory/2504-0-0x00000000008A0000-0x00000000008FC000-memory.dmp

memory/2504-1-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

memory/2504-3-0x0000000002100000-0x0000000002180000-memory.dmp

memory/2504-2-0x0000000000590000-0x000000000059E000-memory.dmp

memory/2504-4-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ezeboua9.cmdline

MD5 c27c26fc982038e930fc341aefff0c88
SHA1 dddf78551cb002e9b89d8746776e39bb9d6b3ae7
SHA256 b8fd6fb80da2d2152f022c3080bfc7d7b201c2c5f9ee622e71c6286545932c0f
SHA512 c1a87f8e803af8b65a641650fbff54c1136cfd6825461b30b5e67e717c72b2626fc2af1523533d214800a0b5e21bb4861aa5c1f508237ac4dd9ff724cd677595

\??\c:\Users\Admin\AppData\Local\Temp\ezeboua9.0.cs

MD5 a75d5dd9eca5860734e2cb44439ed1b7
SHA1 31aacac3de16373ff4d21ce07f21b78cd4c859cf
SHA256 04a3772d9fc57729cb8c27bdade70801f8fdf6904bdbb8300fcf676ddb613703
SHA512 c1edff43ae32d4238fd5a39ff3447e8d0f813294a5fbb548de11dc88d97f6586d952b58e1cd9c72c803c8233b3c7c41767b8718b51654a30a52fd39ace90da79

memory/2844-10-0x0000000002070000-0x00000000020F0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC42AB.tmp

MD5 cd2caa4e81f276d9a3f635c0b3595bb1
SHA1 5d72b11c01ec4f4bba6e57ed2759c6bdff3ca487
SHA256 1676773901e9d5fd7362dd2c77750f8eaa9611d6201753812d5036d067f0ff16
SHA512 cde83f8b88b93d87e29055880d1e71ebd42733e2dfcabc92fcd386dd69ae9860173416b6edbcc9d45461ae61b86702bf5857822af62b101036ab23d3d5fd8119

C:\Users\Admin\AppData\Local\Temp\ezeboua9.dll

MD5 41bd82fb016cfec3185e904609ec499e
SHA1 26a90c53bee40d260ef73819464e05b10fe73df5
SHA256 9a45386d75b14f15cfe915e5b2ffb976ae86b00cb234bfb9cb38836856cd6f88
SHA512 0ed7b3f744fb41070529b868127a1aa9908cd1cbe96a0d2fd98e1e85e29ebdbf132bd9851e7819297c154f713f8f88bc64526de409eb36ffd4f66dc106dc8267

C:\Users\Admin\AppData\Local\Temp\RES42AC.tmp

MD5 4a6e3f5b4a474b8e5d6d887a6060dd34
SHA1 2f55f453ac590981ab164d1445870aae8282fb35
SHA256 ca71a8900661c67f94fa2df62b10ea08addbdf87b64a5b9893a5ebe29abf2103
SHA512 6517b03f684f69380e5fc19c8cab53b4d49dcc99d210712eee0bce32ec2f50f2373907641b3bfb9acc0adc523861976e0994fd59d3ec03014c45e02df75a784a

memory/2504-18-0x0000000002090000-0x00000000020A6000-memory.dmp

memory/2504-20-0x00000000005B0000-0x00000000005C2000-memory.dmp

memory/2504-21-0x0000000002100000-0x0000000002180000-memory.dmp

memory/2504-22-0x000007FEF6000000-0x000007FEF699D000-memory.dmp

memory/2504-23-0x0000000002100000-0x0000000002180000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-11 01:15

Reported

2024-02-11 01:18

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe"

Signatures

Drops desktop.ini file(s)

Description: File created
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe
Target: N/A

Drops file in Windows directory

Description: File opened for modification
Indicator: C:\Windows\assembly
Process: C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe
Target: N/A

Description: File created
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Windows\assembly\Desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe

"C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t244gtzr.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80D9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC80D8.tmp"
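Both behavioral runs show the same chain: the sample spawns the .NET 2.0 csc.exe with a response file (.cmdline) in the user's Temp directory, and csc in turn spawns cvtres.exe to build a resource object (RES*.tmp from CSC*.tmp) in the same place. That is the well-known footprint of System.CodeDom (CSharpCodeProvider) compiling source at runtime from inside the executable, and it is the detection opportunity in this report. The rule below is an added example written for this page, not code from the report or the sandbox. It runs over process-creation records constructed from the process lists of behavioral1 and behavioral2: PIDs 4676 and 4948 are taken from the memory-dump names in the report, while the remaining PIDs, the parent/child links, the devenv.exe control chain and the parent allowlist are assumptions to tune for your own telemetry.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed here; map the fields from
    Sysmon Event ID 1 or your EDR's process telemetry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Parents that normally drive csc.exe on a developer box. Assumption: tune per fleet;
# an ordinary application spawning the compiler directly is the signal we want.
BUILD_TOOL_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RESPONSE_FILE_RE = re.compile(r'@"?([^"\s]+\.cmdline)', re.IGNORECASE)
OUT_FILE_RE = re.compile(r'/OUT:"?([^"\s]+)', re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_runtime_compile(events):
    """Flag csc.exe / cvtres.exe launches that look like CodeDOM compilation
    driven by a non-build process, the chain both sandbox runs show."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = image_name(ev.image)
        parent = by_pid.get(ev.ppid)
        parent_name = image_name(parent.image) if parent else ""
        if name == "csc.exe":
            m = RESPONSE_FILE_RE.search(ev.cmdline)
            if m and TEMP_DIR_RE.search(m.group(1)) and parent_name not in BUILD_TOOL_PARENTS:
                findings.append({
                    "rule": "csc.exe compiling a %TEMP% response file under a non-build parent",
                    "pid": ev.pid,
                    "origin": parent.image if parent else "<unknown>",
                    "artifact": m.group(1),
                })
        elif name == "cvtres.exe" and parent_name == "csc.exe":
            # Walk one level further up: csc's parent is the process that asked for the compile.
            m = OUT_FILE_RE.search(ev.cmdline)
            grand = by_pid.get(parent.ppid)
            grand_name = image_name(grand.image) if grand else ""
            if m and TEMP_DIR_RE.search(m.group(1)) and grand_name not in BUILD_TOOL_PARENTS:
                findings.append({
                    "rule": "cvtres.exe writing a %TEMP% resource object for a csc.exe not run by a build tool",
                    "pid": ev.pid,
                    "origin": grand.image if grand else "<unknown>",
                    "artifact": m.group(1),
                })
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d049c4777de2f4ec329bb33bd126c55e7bd3e2145005291e47794a34ce276c01.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"

# Constructed from the behavioral2 process list. PIDs 4676 and 4948 come from the
# memory-dump names in the report; 1000, 5012, 900, 3100, 3101 and the parent links are assumptions.
EVENTS = [
    ProcEvent(4676, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4948, 4676, CSC,
              f'"{CSC}" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\t244gtzr.cmdline"'),
    ProcEvent(5012, 4948, CVTRES,
              f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 '
              f'"/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES80D9.tmp" '
              f'"c:\\Users\\Admin\\AppData\\Local\\Temp\\CSC80D8.tmp"'),
    # Benign control (assumed): Visual Studio compiling via a Temp response file must not fire.
    ProcEvent(3100, 900, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", "devenv.exe"),
    ProcEvent(3101, 3100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\Users\Admin\AppData\Local\Temp\abc123.cmdline"'),
]

if __name__ == "__main__":
    for finding in detect_runtime_compile(EVENTS):
        print(finding)
```

The rule keys on the parent relationship and the Temp-resident response file rather than on any file name, because the .cmdline/.cs/.dll names differ between runs (ezeboua9 in behavioral1, t244gtzr in behavioral2) and will differ again on a victim host.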

Network

Country Destination Domain Proto
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
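Every row in the Domain column is an in-addr.arpa name, so the table records reverse (PTR) lookups sent to 8.8.8.8, and the address being resolved is the name's labels read back to front. The script below is an added example for this page, not sandbox output: it embeds the twelve rows above as a string, decodes each PTR name to the address it encodes, and deduplicates the result for pivoting. The ip6.arpa branch goes beyond the table, which contains no IPv6 rows.

```python
import ipaddress

# The twelve rows of the behavioral2 network table, copied from the report above.
NETWORK_TABLE = """\
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp
"""


def ptr_to_ip(name: str) -> str:
    """Turn a reverse-lookup name back into the address it encodes.
    in-addr.arpa carries the four IPv4 octets reversed; ip6.arpa carries the
    32 hex nibbles reversed (included for completeness; the table has none)."""
    labels = name.strip().rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"expected 4 octets in {name!r}")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32:
            raise ValueError(f"expected 32 nibbles in {name!r}")
        hexdigits = "".join(reversed(nibbles))
        groups = [hexdigits[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError(f"not a reverse-lookup name: {name!r}")


def decode_table(table: str):
    """Parse 'Country Destination Domain Proto' rows and attach the decoded address."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].endswith(".arpa"):
            continue  # header, blank line, or a forward lookup: not a PTR row
        country, destination, domain, proto = parts
        resolver, _, port = destination.rpartition(":")
        ip = ptr_to_ip(domain)
        rows.append({
            "country": country,
            "resolver": resolver,
            "port": int(port),
            "proto": proto,
            "ptr": domain,
            "ip": ip,
            "is_global": ipaddress.ip_address(ip).is_global,
        })
    return rows


def unique_ips(rows):
    """Deduplicated, numerically sorted addresses for WHOIS / passive-DNS pivots."""
    return sorted({r["ip"] for r in rows}, key=ipaddress.ip_address)


if __name__ == "__main__":
    decoded = decode_table(NETWORK_TABLE)
    for r in decoded:
        print(f'{r["ptr"]:<36} -> {r["ip"]:<16} global={r["is_global"]}')
    print(len(unique_ips(decoded)), "distinct addresses")
```

Decoding yields twelve distinct public addresses. The table lists no forward lookups and no non-DNS flows, so these addresses are leads to attribute with WHOIS or passive DNS, not a confirmed C2 endpoint.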

Files

memory/4676-0-0x00007FF917D90000-0x00007FF918731000-memory.dmp

memory/4676-1-0x0000000001130000-0x0000000001140000-memory.dmp

memory/4676-2-0x000000001B6C0000-0x000000001B71C000-memory.dmp

memory/4676-3-0x00007FF917D90000-0x00007FF918731000-memory.dmp

memory/4676-6-0x000000001B8B0000-0x000000001B8BE000-memory.dmp

memory/4676-7-0x000000001BDD0000-0x000000001C29E000-memory.dmp

memory/4676-8-0x000000001C340000-0x000000001C3DC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\t244gtzr.cmdline

MD5 a1f5639c30c907b8ea468bfd28aa4d20
SHA1 526650eb1875e26bb78881453456213ba9b903dd
SHA256 66293ac0294f4665137ff2644b9582ab3bdbeefd003a9d896db2f22834401f58
SHA512 4e765acc71154ba5eb635559a90020281113614d3324bcfeff01cb1cefacfe321815ec192304086be71ff2f9b83c1c63e497a7bf6470a50cb14c3f8869d77bc9

\??\c:\Users\Admin\AppData\Local\Temp\t244gtzr.0.cs

MD5 51a9669821dad4e5e9fe2e3cbadade16
SHA1 76b09c096394e783b112539429c49a65c901f022
SHA256 e630f56a50ab4b851c30150a72fc63ee5d44acd982e71f513bb613a8bb28c20f
SHA512 cf456cd453022e2e4a49d51bd19483f76bf7bb932396a9c3747920dcadca0d4b0d2e3f0dea7c9d25769696666b692f21c046f039dce4af44c4b6d2bac1c98906

memory/4948-14-0x00000000009F0000-0x0000000000A00000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC80D8.tmp

MD5 e5b05d7c78754ce8126033a17fc4f109
SHA1 78fca10ef6dc8f72ccace2bb62dcbe4180803e0b
SHA256 d93c89d7c4cdb9036bf3a2ee182716c1427ef3c0dda4424f767b93452ad1263b
SHA512 6e2fd2cba03c4b13376bcd36668215b0e0c5ad887e9eb1716f4af122044d0336065d4c5be2a22f9aefcacf2a39f95b001c9a9ca764db71d62b54a7f3b92066c7

C:\Users\Admin\AppData\Local\Temp\RES80D9.tmp

MD5 1c54966386534b2290f4316d80272bc5
SHA1 89a189aee8cb0ff1f22464db17e3da41c8819ced
SHA256 64ee85f6f6ca9e44b12d3668e9e4de5d0f0b84257643acdac05a55761b725237
SHA512 eba026f05334abd11c539e0fb157a87bc84405380ea3862f7aad992e15fea061b20d21ccb37192165465e3cbe3ad398caa476f88b501465bb8ff47ddb3db6c36

C:\Users\Admin\AppData\Local\Temp\t244gtzr.dll

MD5 945372eb39c6ae4f232b2c45e2727721
SHA1 73eeaebb9b4feb8e2f8aaf4c1f9d95ee0b0d58c1
SHA256 2f7c45fb5d9154fafcb7265b9a6d10de7ef135b00a48dc52a7f8531362bbb61b
SHA512 7ebb6ec726c23d39bc0db3b5579ee06a0d6cf56516e7966e325bfd9b9f767c300019c3231ebeeea364cd095e736682ae0f713c08dc432b35170b5a6996998a23

memory/4676-22-0x000000001C9D0000-0x000000001C9E6000-memory.dmp

memory/4676-24-0x00000000012E0000-0x00000000012F2000-memory.dmp

memory/4676-25-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

memory/4676-26-0x0000000001130000-0x0000000001140000-memory.dmp

memory/4676-27-0x00007FF917D90000-0x00007FF918731000-memory.dmp

memory/4676-28-0x0000000001130000-0x0000000001140000-memory.dmp

memory/4676-29-0x0000000001130000-0x0000000001140000-memory.dmp