Malware Analysis Report

2025-01-22 14:46

Sample ID 241125-1ppxdsvmak
Target 2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe
SHA256 2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1d
Tags: orcus
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1d

Threat Level: Known bad

The file 2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe was found to be: Known bad.

Malicious Activity Summary

orcus

Orcurs Rat Executable

Orcus family

Orcus main payload

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-11-25 21:49

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-25 21:49
Reported: 2024-11-25 21:51
Platform: win7-20240903-en
Max time kernel: 69s
Max time network: 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe

"C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2v22gvkp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2C9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF2C8.tmp"

Network

N/A

Files

memory/3048-0-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

memory/3048-2-0x0000000000380000-0x000000000038E000-memory.dmp

memory/3048-1-0x000000001AEB0000-0x000000001AF0C000-memory.dmp

memory/3048-3-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/3048-4-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\2v22gvkp.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\2v22gvkp.0.cs

memory/2740-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCF2C8.tmp

C:\Users\Admin\AppData\Local\Temp\RESF2C9.tmp

memory/2740-17-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/3048-19-0x000000001AF10000-0x000000001AF26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2v22gvkp.dll

memory/3048-21-0x00000000005B0000-0x00000000005C2000-memory.dmp

memory/3048-22-0x00000000005C0000-0x00000000005C8000-memory.dmp

memory/3048-23-0x000000001AF50000-0x000000001AF58000-memory.dmp

memory/3048-24-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/3048-26-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/3048-27-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/3048-28-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-25 21:49
Reported: 2024-11-25 21:51
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe"

Signatures

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe

"C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ntx5-lav.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9338.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9337.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1604-0-0x00007FFCC2665000-0x00007FFCC2666000-memory.dmp

memory/1604-1-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp

memory/1604-2-0x000000001B550000-0x000000001B5AC000-memory.dmp

memory/1604-5-0x000000001B740000-0x000000001B74E000-memory.dmp

memory/1604-7-0x000000001BC20000-0x000000001C0EE000-memory.dmp

memory/1604-6-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp

memory/1604-8-0x000000001C190000-0x000000001C22C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ntx5-lav.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\ntx5-lav.0.cs

memory/4492-14-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC9337.tmp

C:\Users\Admin\AppData\Local\Temp\RES9338.tmp

memory/4492-21-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp

memory/1604-23-0x000000001C260000-0x000000001C276000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntx5-lav.dll

memory/1604-25-0x0000000000F20000-0x0000000000F32000-memory.dmp

memory/1604-26-0x0000000001050000-0x0000000001058000-memory.dmp

memory/1604-27-0x000000001B4B0000-0x000000001B4B8000-memory.dmp

memory/1604-28-0x000000001CC30000-0x000000001CC92000-memory.dmp

memory/1604-29-0x000000001D5A0000-0x000000001DB5A000-memory.dmp

memory/1604-30-0x000000001DB60000-0x000000001DC50000-memory.dmp

memory/1604-31-0x000000001C8A0000-0x000000001C8BE000-memory.dmp

memory/1604-32-0x000000001DC50000-0x000000001DC99000-memory.dmp

memory/1604-33-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp

memory/1604-34-0x000000001DD20000-0x000000001DD90000-memory.dmp

memory/1604-35-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp

memory/1604-37-0x000000001C280000-0x000000001C288000-memory.dmp

memory/1604-38-0x00007FFCC2665000-0x00007FFCC2666000-memory.dmp

memory/1604-40-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp

memory/1604-41-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp