Analysis Overview
SHA256
f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13
Threat Level: Known bad
The file f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13 was found to be: Known bad.
Malicious Activity Summary
Orcurs Rat Executable
Orcus family
Orcus main payload
Drops desktop.ini file(s)
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-05-31 02:03
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 02:03
Reported
2024-05-31 02:06
Platform
win7-20240215-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe
"C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rzdpihsm.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCAE.tmp"
Network
Files
memory/1804-0-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp
memory/1804-1-0x00000000022C0000-0x000000000231C000-memory.dmp
memory/1804-2-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1804-3-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
memory/1804-4-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\rzdpihsm.cmdline
| Hash | Value |
|---|---|
| MD5 | b00b7f8e3c88e8a48fb7489544d710cc |
| SHA1 | ea37cd4dded6b20e2051544f8ba6c89a6fb54458 |
| SHA256 | d4aee628b694f44bfb0b1d0ff867de836f176f6ce269c176bed1eb4a421029d5 |
| SHA512 | 52ddceaf6abb8a96e91910ba98232cf4d071fdcdd44b7ead0cc66312315012cdc30f7897a8dbab766c17692d47b15332e1b37168b6bc611ab710ad2c0f92cf8c |
\??\c:\Users\Admin\AppData\Local\Temp\rzdpihsm.0.cs
| Hash | Value |
|---|---|
| MD5 | 250321226bbc2a616d91e1c82cb4ab2b |
| SHA1 | 7cffd0b2e9c842865d8961386ab8fcfac8d04173 |
| SHA256 | ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d |
| SHA512 | bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1 |
memory/2268-12-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSCCAE.tmp
| Hash | Value |
|---|---|
| MD5 | f307a2b4d074af4a85e57b572a44d1a9 |
| SHA1 | 6d9a58ff2ad8dcab697e9c80563c9bc62bce4e5b |
| SHA256 | e8f44f406943891f811f65f9b15b9c578ab0a5e1df00ff808aeded6fb7b96a8a |
| SHA512 | cc9ab9b0c57cb2c3abf2d069ecd7e3de489e1d9f626e31c0f668dbc5a0b026fdbdb3dfc9d31a294a054a862048120fe1a77439accd092c0d976440d7993de853 |
C:\Users\Admin\AppData\Local\Temp\RESCAF.tmp
| Hash | Value |
|---|---|
| MD5 | 397b1e7d453ce786c0a9e23b6868d000 |
| SHA1 | 602ad9b0989b4ea0c143e8d6725346f80e3745ec |
| SHA256 | ccc712aa8c5b30c84375939611953d86d6adac8c6a26fc5d21073d169564839d |
| SHA512 | aa666e21f55699d81b724809742ebf640a841591e7477969c7a98457ab868685cac43735ea18c56c9d9f08271ad4b2d1f769023a97a869420b3ca5d3097bc4cb |
memory/2268-17-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
memory/1804-19-0x00000000005D0000-0x00000000005E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rzdpihsm.dll
| Hash | Value |
|---|---|
| MD5 | 529814e42405b7546e91459bf63e15b4 |
| SHA1 | 085b78973043e81540cbdbc705910e14bd26a883 |
| SHA256 | b8e1eae008a3bba69644463bb309a71ed31f9bf27b06febedb68810e6fadd6e4 |
| SHA512 | 3af5b35ffef634d1ffe98aff877fd14eda8246e0550234f66839b2d64cd3743f0a19c2f0a6e91fc955f2e0b43bd65dab7608861e2cce2e65215deafc1c0857ca |
memory/1804-21-0x0000000000420000-0x0000000000432000-memory.dmp
memory/1804-22-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
memory/1804-23-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp
memory/1804-24-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 02:03
Reported
2024-05-31 02:06
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
122s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe | N/A |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1072 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 1072 wrote to memory of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 4528 wrote to memory of 4852 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
| PID 4528 wrote to memory of 4852 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe
"C:\Users\Admin\AppData\Local\Temp\f43b05e365e1ec3ac9c7367077739e5dd0ab70e7a09d0734f5ae99644867af13.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnpk--8f.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4806.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4805.tmp"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/1072-0-0x00007FFDCE1B5000-0x00007FFDCE1B6000-memory.dmp
memory/1072-1-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp
memory/1072-2-0x000000001B4A0000-0x000000001B4FC000-memory.dmp
memory/1072-5-0x000000001B570000-0x000000001B57E000-memory.dmp
memory/1072-6-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp
memory/1072-7-0x000000001BB80000-0x000000001C04E000-memory.dmp
memory/1072-8-0x000000001C0F0000-0x000000001C18C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\xnpk--8f.cmdline
| Hash | Value |
|---|---|
| MD5 | 2dbb4781ad7b4c91547fcd1f09fb5d5b |
| SHA1 | 392461e2b530787203c3659ed2acdb998189d080 |
| SHA256 | 20f0cd0bbb7f8aa11d683c2d92c6fd6d6bd5457ba9af57a2a6763f5aec079205 |
| SHA512 | 5e91424202b0ab1ce2d887347c94095466f75f2d6e86b3a17b3e714ad04d11d003f58cffbf493187e6476af573423e0f6cd691990a1a18e379d1d2ed37f10cac |
\??\c:\Users\Admin\AppData\Local\Temp\xnpk--8f.0.cs
| Hash | Value |
|---|---|
| MD5 | 223a99945e23894153b42c767bec3821 |
| SHA1 | f7737816dcfd5c63e320a86d3ce5c21eded105c8 |
| SHA256 | 6c4795a7206b7394cbe9404e15df9b11caba0da0c06e1a494af7902d26acad50 |
| SHA512 | 87cfff279961b471dc7acfcdae13cfc9c27f16f6483e9a64b207d099b3a33e71def73d4b658cc61fa69476cd4dd521deb00169d5d4b8bc1638ddfe92254881ce |
memory/4528-16-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC4805.tmp
| Hash | Value |
|---|---|
| MD5 | 4a7afedc12eb0e6cea3d4cbf332e941c |
| SHA1 | 8aef238bcbe36fbe90dc28a11afce71406c76a0c |
| SHA256 | c7b9dd8ee40abc6e6e8b0f2e2436a0685c7935ab4f454b16e8cf2103e1216e7f |
| SHA512 | 686c7fa98e751f212acc98789ea9be51bff4f7b9a455b663b755649b7826ed01b18b3bab2a1d8d1c239440a98dccb20c2a49df77d22215b145b192133a3c9f47 |
C:\Users\Admin\AppData\Local\Temp\RES4806.tmp
| Hash | Value |
|---|---|
| MD5 | 1bfacbc8629a9d2a878f7c503c9b846b |
| SHA1 | dd26642b21601c5e265d459d666023cc315432ad |
| SHA256 | 9a1dac7a1faf2adb6dd869c4bc0545240d485515cf5a0c217ce30142ab9c9d1f |
| SHA512 | 10de2a663627ae828dc886cc700e712ef3ac8d163f892e52922b868f8b8928c6835651ef404a189e346872a54f921cd67d3eda8c296a9a1fa0d0744dfaa5bfd6 |
memory/4528-21-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xnpk--8f.dll
| Hash | Value |
|---|---|
| MD5 | b6435b27eb68059bf6d4fe87c86323f2 |
| SHA1 | 4a5ffc5ae4924f38cb735ced6f7ee4b7e5ef56e6 |
| SHA256 | 94f57547e9e3f5c31c4ae46979b4d333516b397bbfa27b3cd2a13d35046f2b99 |
| SHA512 | 9bc3de9f56bef03596e5f16603adeee3b54ffb019dd00e76b33576c9299ef896dfbf937b58d6e3db97312f45acc04fef756613a0b562d2f53f66d00a2d897172 |
memory/1072-23-0x000000001C780000-0x000000001C796000-memory.dmp
memory/1072-25-0x0000000000D80000-0x0000000000D92000-memory.dmp
memory/1072-26-0x0000000000D50000-0x0000000000D58000-memory.dmp
memory/1072-27-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp
memory/1072-28-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp
memory/1072-29-0x00007FFDCE1B5000-0x00007FFDCE1B6000-memory.dmp