Analysis Overview
SHA256
94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc
Threat Level: Known bad
The file 94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc was found to be: Known bad.
Malicious Activity Summary
Orcurs Rat Executable
Orcus family
Orcus main payload
Drops desktop.ini file(s)
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-16 01:12
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-16 01:12
Reported
2024-02-16 01:15
Platform
win7-20231215-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe
"C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dj4sni8r.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4828.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4827.tmp"
Network
Files
memory/1204-0-0x000000001B0D0000-0x000000001B12C000-memory.dmp
memory/1204-1-0x0000000000470000-0x000000000047E000-memory.dmp
memory/1204-2-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/1204-3-0x0000000000700000-0x0000000000780000-memory.dmp
memory/1204-4-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\dj4sni8r.cmdline
| Hash | Value |
|---|---|
| MD5 | 3a536796f42b5dfc3785babb50438af1 |
| SHA1 | 2f19f6ab253c4994bfacffe4b959fe14c0664b37 |
| SHA256 | 20f699e23a14ac736b66aa05aa1df67235c869bb541a5fcf078a0c5f9c70a547 |
| SHA512 | 2caa7dbf870b3cdc85dd40a0a6d3123b7e2fad438a48b5c70355b68657fdc15f167765eb5b762ba589beba742effb1895ef32ba0168254f6f0ef4f4f0f99ce78 |
\??\c:\Users\Admin\AppData\Local\Temp\dj4sni8r.0.cs
| Hash | Value |
|---|---|
| MD5 | 3153e1e010a365374b9b0a1601ec6961 |
| SHA1 | 2efec5aae2a46889bd03e091b92821c1b1b3cefa |
| SHA256 | e7dfb897871d2edaa886e5c178a8f09e8aa2f54afeda8d9a11ae71f53cd10a77 |
| SHA512 | 232dd9b39e62b8192fc353a023a2f6628c657509dad57ef96df0e60db62a28fd5655aec6902e81667d2641f98ec21a2007231fe05018b70ab63d954176fc77a7 |
memory/2384-10-0x0000000002240000-0x00000000022C0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC4827.tmp
| Hash | Value |
|---|---|
| MD5 | fa8f2c0a8f99b7a044cda43ab531c837 |
| SHA1 | a45e65bd4f045ea9f26ca5d245607bd41280f4f8 |
| SHA256 | 364ed1bca8299e4ccf695c24cddd97b0e3576e4441c7bb1367c40e276a0deada |
| SHA512 | 0c0f5dea7d586e45084afe524a9bd425a915a5492973d17b9aa7964f806f154adeb9325cb7b80a26f8a8e0fb528531f71f8928bd4f9339b194e1ea133bac5775 |
C:\Users\Admin\AppData\Local\Temp\RES4828.tmp
| Hash | Value |
|---|---|
| MD5 | 7cb8c6babf9dd2db85e21e2084b05143 |
| SHA1 | 02c76ed0e1d4d1172026fbda38eed8bd147b3757 |
| SHA256 | e0c2aac216ff5313bf2f94d4b53b7c46dbc1134a8e2cc18adc125a56c9606692 |
| SHA512 | 9bc34576626b61e59bb06c94b5c2b6a9a1029b5d7dd868b0825b58e0d1fda3dcaec5045e7ca5aa9de4cd3a4a5568c82b4e5f34678e9e66f4f168e9d5600d3ce7 |
C:\Users\Admin\AppData\Local\Temp\dj4sni8r.dll
| Hash | Value |
|---|---|
| MD5 | 1047604eac73615fdfececde3fbf2259 |
| SHA1 | a0846af055d687130fa37a43024c8b1a53f9a7c5 |
| SHA256 | 2d1605bba18b1f30f4ddba4e125a86741619a1a03de9c914570bfb9c17324510 |
| SHA512 | 8f5a43e1dba4fdfe63530d69e440930469b0dda75eae1b34e9b73cfd7e3588557387be27281ab475fc66457edd347b201e396c7e53b1aa6ed682ba715e568f52 |
memory/1204-18-0x00000000007A0000-0x00000000007B6000-memory.dmp
memory/1204-20-0x0000000000610000-0x0000000000622000-memory.dmp
memory/1204-21-0x0000000000700000-0x0000000000780000-memory.dmp
memory/1204-22-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/1204-23-0x0000000000700000-0x0000000000780000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-16 01:12
Reported
2024-02-16 01:15
Platform
win10v2004-20231222-en
Max time kernel
90s
Max time network
123s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3964 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 3964 wrote to memory of 2420 | N/A | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 2420 wrote to memory of 844 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
| PID 2420 wrote to memory of 844 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe
"C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xksn8u1c.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A39.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A38.tmp"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/3964-0-0x00007FFFFB720000-0x00007FFFFC0C1000-memory.dmp
memory/3964-1-0x0000000001AC0000-0x0000000001AD0000-memory.dmp
memory/3964-2-0x000000001BF70000-0x000000001BFCC000-memory.dmp
memory/3964-5-0x000000001C160000-0x000000001C16E000-memory.dmp
memory/3964-7-0x000000001C640000-0x000000001CB0E000-memory.dmp
memory/3964-6-0x00007FFFFB720000-0x00007FFFFC0C1000-memory.dmp
memory/3964-8-0x000000001CBB0000-0x000000001CC4C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\xksn8u1c.cmdline
| Hash | Value |
|---|---|
| MD5 | 6cf7ce8d99c547d1861b808766fd1c73 |
| SHA1 | 5dbb94fa31da603cfec7f15de34d33261832febd |
| SHA256 | 6fa13f0a8f2eb861b46b13217b4750e3115d93150a8a4909948812d945ab0984 |
| SHA512 | ec3dc2654af382cc3a9d7986e3307241caa3a1601602592e13a9386dfd30b46808c9b95b1987720038c9ab174cb983fbf4807f934e59da4c76fc4d5f8fc17271 |
\??\c:\Users\Admin\AppData\Local\Temp\xksn8u1c.0.cs
| Hash | Value |
|---|---|
| MD5 | 362c4ddf5166fab7d5efe10b06520d67 |
| SHA1 | de5e51b0ee462160e080c69c781d07bfac3ada8f |
| SHA256 | 7b60f304094e0a17280a604f48a829981d1cf968375e709954d6ad1b1c01b2d0 |
| SHA512 | f7f12a6f658ac758ec633fa3ecc8c24bf36f395e2dd5b8b099c71255351fa3dbe010ef3891e82dba4bc1c14f21a893ff41531f3d061d9fc89f41b772dcf6c794 |
memory/2420-14-0x00000000024C0000-0x00000000024D0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC4A38.tmp
| Hash | Value |
|---|---|
| MD5 | 6574545ed41a63575aa5e7ee0328c5ea |
| SHA1 | 1a8e0697f261fa1b198cc85f53e4fc359b31bdb2 |
| SHA256 | 18a2cad9ffd67527a778b7a1b98ec5656085ccdabfbcedacffb6b6d245a512c2 |
| SHA512 | 7bfeb1fbd938c53b3ab74f360438ededeb03bf722df8bb8659b1e96c22c0ad2f5290bdbfa17bcb093e3a47f2400574806502bb02f609a80ccebd5c8fbd0550e9 |
memory/3964-22-0x000000001D270000-0x000000001D286000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xksn8u1c.dll
| Hash | Value |
|---|---|
| MD5 | b79bca4376bebdace863f611205678fb |
| SHA1 | a973711b8d1fb7ade14c1762891d056595149689 |
| SHA256 | 3699829ffb424c8731368f57ad336db515d258cce48d6aa609f8087c84ee347f |
| SHA512 | bf2eb1b5d7d3df5ce0c8c6ca7124e39776812a41ab51b6a92cc77f266b6cd5864f63556e4b6384b73da95aa6597e56ba6d55035d9a7c60cf9d998f51ca53e8cc |
C:\Users\Admin\AppData\Local\Temp\RES4A39.tmp
| Hash | Value |
|---|---|
| MD5 | 2a3996328b3ef883eafbe349722d8f8b |
| SHA1 | f295f5d4a9ac88ffd347e19f776212b52e5a1c98 |
| SHA256 | aeb2187d8ee6e015f10eb183eb9c8f6f09438751ec71c88e342e57af6544e54f |
| SHA512 | b5bdaf746fc45fe4dcfeb2b17ea1c3762d438bcfff0996b35cf3a71128d042e3b0141efb6ad5f82583d9b486d3cf4d2f695241a341b8d2aa8399c95f2ad2ae8a |
memory/3964-24-0x0000000001A90000-0x0000000001AA2000-memory.dmp
memory/3964-25-0x0000000001A60000-0x0000000001A68000-memory.dmp
memory/3964-26-0x0000000001AC0000-0x0000000001AD0000-memory.dmp
memory/3964-27-0x00007FFFFB720000-0x00007FFFFC0C1000-memory.dmp
memory/3964-28-0x0000000001AC0000-0x0000000001AD0000-memory.dmp
memory/3964-29-0x0000000001AC0000-0x0000000001AD0000-memory.dmp