Malware Analysis Report

2025-01-22 15:11

Sample ID 240216-bkqwfseb34
Target 94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc
SHA256 94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc
Tags
orcus
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc

Threat Level: Known bad

The file 94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc was found to be: Known bad.

Malicious Activity Summary

orcus

Orcurs Rat Executable

Orcus family

Orcus main payload

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-02-16 01:12

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-16 01:12

Reported

2024-02-16 01:15

Platform

win7-20231215-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe

"C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dj4sni8r.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4828.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4827.tmp"

Network

N/A

Files

\??\c:\Users\Admin\AppData\Local\Temp\dj4sni8r.cmdline

MD5 3a536796f42b5dfc3785babb50438af1
SHA1 2f19f6ab253c4994bfacffe4b959fe14c0664b37
SHA256 20f699e23a14ac736b66aa05aa1df67235c869bb541a5fcf078a0c5f9c70a547
SHA512 2caa7dbf870b3cdc85dd40a0a6d3123b7e2fad438a48b5c70355b68657fdc15f167765eb5b762ba589beba742effb1895ef32ba0168254f6f0ef4f4f0f99ce78

\??\c:\Users\Admin\AppData\Local\Temp\dj4sni8r.0.cs

MD5 3153e1e010a365374b9b0a1601ec6961
SHA1 2efec5aae2a46889bd03e091b92821c1b1b3cefa
SHA256 e7dfb897871d2edaa886e5c178a8f09e8aa2f54afeda8d9a11ae71f53cd10a77
SHA512 232dd9b39e62b8192fc353a023a2f6628c657509dad57ef96df0e60db62a28fd5655aec6902e81667d2641f98ec21a2007231fe05018b70ab63d954176fc77a7

\??\c:\Users\Admin\AppData\Local\Temp\CSC4827.tmp

MD5 fa8f2c0a8f99b7a044cda43ab531c837
SHA1 a45e65bd4f045ea9f26ca5d245607bd41280f4f8
SHA256 364ed1bca8299e4ccf695c24cddd97b0e3576e4441c7bb1367c40e276a0deada
SHA512 0c0f5dea7d586e45084afe524a9bd425a915a5492973d17b9aa7964f806f154adeb9325cb7b80a26f8a8e0fb528531f71f8928bd4f9339b194e1ea133bac5775

C:\Users\Admin\AppData\Local\Temp\RES4828.tmp

MD5 7cb8c6babf9dd2db85e21e2084b05143
SHA1 02c76ed0e1d4d1172026fbda38eed8bd147b3757
SHA256 e0c2aac216ff5313bf2f94d4b53b7c46dbc1134a8e2cc18adc125a56c9606692
SHA512 9bc34576626b61e59bb06c94b5c2b6a9a1029b5d7dd868b0825b58e0d1fda3dcaec5045e7ca5aa9de4cd3a4a5568c82b4e5f34678e9e66f4f168e9d5600d3ce7

C:\Users\Admin\AppData\Local\Temp\dj4sni8r.dll

MD5 1047604eac73615fdfececde3fbf2259
SHA1 a0846af055d687130fa37a43024c8b1a53f9a7c5
SHA256 2d1605bba18b1f30f4ddba4e125a86741619a1a03de9c914570bfb9c17324510
SHA512 8f5a43e1dba4fdfe63530d69e440930469b0dda75eae1b34e9b73cfd7e3588557387be27281ab475fc66457edd347b201e396c7e53b1aa6ed682ba715e568f52

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-16 01:12

Reported

2024-02-16 01:15

Platform

win10v2004-20231222-en

Max time kernel

90s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe"

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe

"C:\Users\Admin\AppData\Local\Temp\94c48fa0591e510d52be1e075ea9eaf8795d187d0be5002a110eb815fa4e7bcc.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xksn8u1c.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A39.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A38.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\xksn8u1c.cmdline

MD5 6cf7ce8d99c547d1861b808766fd1c73
SHA1 5dbb94fa31da603cfec7f15de34d33261832febd
SHA256 6fa13f0a8f2eb861b46b13217b4750e3115d93150a8a4909948812d945ab0984
SHA512 ec3dc2654af382cc3a9d7986e3307241caa3a1601602592e13a9386dfd30b46808c9b95b1987720038c9ab174cb983fbf4807f934e59da4c76fc4d5f8fc17271

\??\c:\Users\Admin\AppData\Local\Temp\xksn8u1c.0.cs

MD5 362c4ddf5166fab7d5efe10b06520d67
SHA1 de5e51b0ee462160e080c69c781d07bfac3ada8f
SHA256 7b60f304094e0a17280a604f48a829981d1cf968375e709954d6ad1b1c01b2d0
SHA512 f7f12a6f658ac758ec633fa3ecc8c24bf36f395e2dd5b8b099c71255351fa3dbe010ef3891e82dba4bc1c14f21a893ff41531f3d061d9fc89f41b772dcf6c794

\??\c:\Users\Admin\AppData\Local\Temp\CSC4A38.tmp

MD5 6574545ed41a63575aa5e7ee0328c5ea
SHA1 1a8e0697f261fa1b198cc85f53e4fc359b31bdb2
SHA256 18a2cad9ffd67527a778b7a1b98ec5656085ccdabfbcedacffb6b6d245a512c2
SHA512 7bfeb1fbd938c53b3ab74f360438ededeb03bf722df8bb8659b1e96c22c0ad2f5290bdbfa17bcb093e3a47f2400574806502bb02f609a80ccebd5c8fbd0550e9

C:\Users\Admin\AppData\Local\Temp\xksn8u1c.dll

MD5 b79bca4376bebdace863f611205678fb
SHA1 a973711b8d1fb7ade14c1762891d056595149689
SHA256 3699829ffb424c8731368f57ad336db515d258cce48d6aa609f8087c84ee347f
SHA512 bf2eb1b5d7d3df5ce0c8c6ca7124e39776812a41ab51b6a92cc77f266b6cd5864f63556e4b6384b73da95aa6597e56ba6d55035d9a7c60cf9d998f51ca53e8cc

C:\Users\Admin\AppData\Local\Temp\RES4A39.tmp

MD5 2a3996328b3ef883eafbe349722d8f8b
SHA1 f295f5d4a9ac88ffd347e19f776212b52e5a1c98
SHA256 aeb2187d8ee6e015f10eb183eb9c8f6f09438751ec71c88e342e57af6544e54f
SHA512 b5bdaf746fc45fe4dcfeb2b17ea1c3762d438bcfff0996b35cf3a71128d042e3b0141efb6ad5f82583d9b486d3cf4d2f695241a341b8d2aa8399c95f2ad2ae8a
