Malware Analysis Report

2025-01-22 15:11

Sample ID: 240220-bzfc9shd47
Target: 5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e
SHA256: 5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e
Tags: orcus
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e

Threat Level: Known bad

The file 5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e was found to be: Known bad.

Malicious Activity Summary

orcus

Orcurs Rat Executable

Orcus family

Orcus main payload

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-20 01:34

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-20 01:34
Reported: 2024-02-20 01:37
Platform: win7-20231215-en
Max time kernel: 145s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe

"C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p-io0icn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B01.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1B00.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sulumantest.duckdns.org udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 8.8.8.8:53 sulumantest.duckdns.org udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 8.8.8.8:53 sulumantest.duckdns.org udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp

Files

memory/1852-0-0x0000000000B60000-0x0000000000BBC000-memory.dmp

memory/1852-1-0x0000000000290000-0x000000000029E000-memory.dmp

memory/1852-3-0x0000000000C20000-0x0000000000CA0000-memory.dmp

memory/1852-2-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

memory/1852-4-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\p-io0icn.cmdline

MD5 b5aaff5b6f7575f51c3dd8f69dbb4b10
SHA1 c33a193c34e24acbaaaac0b7e8cbacad5612ae83
SHA256 38674e8c81819da1e67465a85e9f6160259a69620713d65fe201be49b4fcb1af
SHA512 d2086110aaf5f6e4c1f71232775077499f2254b3262803ad3918e65f6f5adf1c5fe607f084001fce5d445984b72bb81a8bb39e6e79ea6ab7f7c3e4369da6444a

\??\c:\Users\Admin\AppData\Local\Temp\p-io0icn.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
SHA512 bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

\??\c:\Users\Admin\AppData\Local\Temp\CSC1B00.tmp

MD5 bfd223abe3edceda54ba0eb2adafc1de
SHA1 243116c8256faa8e57a8a6495d1d732510336743
SHA256 a7bc98e4880df8f4d98bf1045f551195bb1a5954440877290fafdd1330942611
SHA512 e6d474b1849d5eddf4e0c393affd4c4a8ce4f69c29fbdfe3ad470f06df4fbd60e84e4137fd22ac2bbe8fb82c91108f80e74b354ac2662c948453cfa0dde218a4

C:\Users\Admin\AppData\Local\Temp\RES1B01.tmp

MD5 d7abd66a9089d566457ec5925cce016a
SHA1 72289cd58978aff23b65240bb8437e9cc6e64bab
SHA256 a0c3ef02a9d9762d438b43874f0396ff7dda2da46de54ac9dba8c511921b2ecc
SHA512 9df36fa9d6003b5e8adbd46afaab706e4b75fb23048e6bc0a5a2ce4899c9fb8925383706babeb100450aba922c8905aa5d826f2695be54781b500f8ee80d09c5

C:\Users\Admin\AppData\Local\Temp\p-io0icn.dll

MD5 30321d90b7f09c10f21369643d059cba
SHA1 31367448a2ef34b2724863a6bba6f285f1d6c962
SHA256 23d95535e1cda9b6b94773c21a4a5859d0263db89fc091e73e560b9e815a1960
SHA512 c8a0a045f2c8391be93851fa267a0f1d84572efad9a171b1afa14f547b5af9dbef683a1c2c3b8495f374054d6cdd3b381e9048c7ee49566e0c297d7c64ad8406

memory/1852-17-0x00000000006F0000-0x0000000000706000-memory.dmp

memory/1852-19-0x0000000000440000-0x0000000000452000-memory.dmp

memory/1852-20-0x0000000000BE0000-0x0000000000BF8000-memory.dmp

memory/1852-21-0x0000000000430000-0x0000000000440000-memory.dmp

memory/1852-22-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

memory/1852-23-0x0000000000C20000-0x0000000000CA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-20 01:34
Reported: 2024-02-20 01:37
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe"

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe | N/A
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe

"C:\Users\Admin\AppData\Local\Temp\5f12cb4204a88417d92325a1d6f9dbaa6f84f084aecd3c4c9b7d307e85c19f8e.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bw3wsl0z.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7C74.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7C64.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 sulumantest.duckdns.org udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 8.8.8.8:53 25.69.169.192.in-addr.arpa udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 sulumantest.duckdns.org udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 8.8.8.8:53 sulumantest.duckdns.org udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
US 192.169.69.25:644 sulumantest.duckdns.org tcp

Files

memory/1880-0-0x00007FF9501E0000-0x00007FF950B81000-memory.dmp

memory/1880-1-0x00000000017D0000-0x00000000017E0000-memory.dmp

memory/1880-2-0x00007FF9501E0000-0x00007FF950B81000-memory.dmp

memory/1880-3-0x000000001BED0000-0x000000001BF2C000-memory.dmp

memory/1880-6-0x000000001C0B0000-0x000000001C0BE000-memory.dmp

memory/1880-7-0x000000001C590000-0x000000001CA5E000-memory.dmp

memory/1880-8-0x000000001CB00000-0x000000001CB9C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\bw3wsl0z.cmdline

MD5 faebd4a25b98c5f2f593078fe76f7c16
SHA1 6a3a284c249d40c6baf9e5a909a91b673a36b70f
SHA256 d9dfe910e796d317807ec07e13df277d3d526158d04e32b60bc5c640d156c38f
SHA512 3cf2b0dd0f264b1126e9beaa77e26bcbc15a762d3b8a3f9267dd78bfce08beddd543a398ddf6b4c0fd43e7de5c935e3b2fa9edfa92576f837cf0c76d8a009cba

\??\c:\Users\Admin\AppData\Local\Temp\bw3wsl0z.0.cs

MD5 cb33f46e3a1cc1ca71e0c8ab316d7902
SHA1 5b15865f9f819e850a80289870c56fae7c29ad3b
SHA256 b6d17134822537430275aab598d167a4f2ad75e4bb7046a973d6de4998880ea3
SHA512 f69c1e6bd284cce26dd313e724131d60964dae686d2ba0fe59d24fd8a09634e3f09de9f6e1bf84c0448e64f6eaffa52c47ac55a90ef216c1033f53ddd7f35e52

memory/3388-14-0x0000000000A20000-0x0000000000A30000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC7C64.tmp

MD5 1fa7bbe4a0ce9fc449d1c968789410a3
SHA1 1b3b5b46946f966ffb7d6ad76a9c2b59265796ea
SHA256 8efb555d1d3c2c64592b27f05131dcd86163adbb564b39fa4df8d9454e96d83f
SHA512 882629e21016f4275a6a0ea544f3b9a0d6fe2e3a6c0b319e741af167b812067998642c7e05fb004e261669ddd2abfc5c73bb3691912b11f8d23b252e4e6ac5ae

C:\Users\Admin\AppData\Local\Temp\RES7C74.tmp

MD5 9697140d0123822e202761cf3770cf14
SHA1 396b2e27bffbaa7804a653f298d7d39e5b5c5b40
SHA256 c5b901ab4f055e36911e2cacbd050489a7fe439af7bae61134abe1750464c749
SHA512 85e2fe0d55a4117107c6cf9ad65a74cf9be3f32b7263f3f65c3761166e2ba402eb4921908385bc47e07b42b5edaf603e1eb9a99d2f8858f083f4e28a56b47198

C:\Users\Admin\AppData\Local\Temp\bw3wsl0z.dll

MD5 189e85213ce96e8d65962d4fbd58b4da
SHA1 db1f4596647c6b053d974695e90595f7c67ac835
SHA256 0d7ea22b585bf10b0db95aad5e26bd91f9e198779bf3b003cfbe1e4bea5d80fc
SHA512 6928464c3768062e3fdbfe1c78eb9d621f44eac158ead69a11c00ca94f16778cd52098d6bb9dbae5f603d8d8024012eef3cf6dd7bcf49bb612b56d9502fd6b66

memory/1880-22-0x000000001D1C0000-0x000000001D1D6000-memory.dmp

memory/1880-24-0x000000001BE10000-0x000000001BE22000-memory.dmp

memory/1880-25-0x000000001D1F0000-0x000000001D208000-memory.dmp

memory/1880-26-0x000000001BD70000-0x000000001BD80000-memory.dmp

memory/1880-27-0x000000001BE90000-0x000000001BE98000-memory.dmp

memory/1880-28-0x00007FF9501E0000-0x00007FF950B81000-memory.dmp

memory/1880-29-0x00000000017D0000-0x00000000017E0000-memory.dmp

memory/1880-30-0x00007FF9501E0000-0x00007FF950B81000-memory.dmp