Analysis Overview
SHA256
2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1d
Threat Level: Known bad
The file 2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe was found to be: Known bad.
Malicious Activity Summary
Orcurs Rat Executable
Orcus family
Orcus main payload
Drops desktop.ini file(s)
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-25 21:49
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 21:49
Reported
2024-11-25 21:51
Platform
win7-20240903-en
Max time kernel
69s
Max time network
17s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe
"C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2v22gvkp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2C9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF2C8.tmp"
Network
Files
memory/3048-0-0x000007FEF573E000-0x000007FEF573F000-memory.dmp
memory/3048-2-0x0000000000380000-0x000000000038E000-memory.dmp
memory/3048-1-0x000000001AEB0000-0x000000001AF0C000-memory.dmp
memory/3048-3-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/3048-4-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\2v22gvkp.cmdline
| MD5 | ce403edf34249f756eb51718fc2be63c |
| SHA1 | 837b46fecd9da2a8e34a6d90c091cc5b493c697b |
| SHA256 | 31322f141ab336ad290d0c1c46290ef5ef1d7491b66aa6ba955f169a940bcabd |
| SHA512 | d45af08563f254917cb3ab1f7bba654ef1727d87a90062ad5f0a90c94f9d99fe87fe36321758f38c5f1779cca7a95eeb10ed3a8de6239e38e1f2b673fcdc3e76 |
\??\c:\Users\Admin\AppData\Local\Temp\2v22gvkp.0.cs
| MD5 | c555d9796194c1d9a1310a05a2264e08 |
| SHA1 | 82641fc4938680519c3b2e925e05e1001cbd71d7 |
| SHA256 | ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a |
| SHA512 | 0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090 |
memory/2740-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSCF2C8.tmp
| MD5 | b26049d73fe9baad262a483a040c82e4 |
| SHA1 | a2f45d1c525652e9811a3a53e82df9a5438fadb6 |
| SHA256 | 75fb64f5d0f441803728a9473b6164d6454377dc750f577583af75bfcbf4d30a |
| SHA512 | ad32261eb9ae0c3782570d175220d93dc1ed70da1925efbe91c10e04d2928dd8c3224638321100e933119bde2f16f963628020c18fa59bff8674554c7a8fc5fe |
C:\Users\Admin\AppData\Local\Temp\RESF2C9.tmp
| MD5 | e5f2a3571b1f442247c1fc8f49853bd2 |
| SHA1 | 6a280535b18a98232a4e3f28bc1be3e845b4efc4 |
| SHA256 | 2a34e503b32e21a4626594598ad46916e4e2f6e1a456ec42c75c4a7167d56812 |
| SHA512 | cfd999c50086fa5a09df1ece8ac05f3089c069e3e03a1425601a4747b2b398ba9106ecc97a98a2fa45c8f02107d05efb8f13551af2075c8bd5d2ad3243d32175 |
memory/2740-17-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/3048-19-0x000000001AF10000-0x000000001AF26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2v22gvkp.dll
| MD5 | 89e1c94912c359830439050ff546baf1 |
| SHA1 | 3c496256bacdf40f9662eecf133a6d5434ed42fb |
| SHA256 | 6dbd01ef5e9f9e165feeed732fea5a27088395e418dce3b2fe3c8cc99ad4084f |
| SHA512 | af5c24f0454b9d19d92502fa857a9b19036cac8faa48882052596b1532ef96a2ad5ebc7f870c5e023e46bed6b9ac2077f81aece1276fba3210d54dd671fb24c7 |
memory/3048-21-0x00000000005B0000-0x00000000005C2000-memory.dmp
memory/3048-22-0x00000000005C0000-0x00000000005C8000-memory.dmp
memory/3048-23-0x000000001AF50000-0x000000001AF58000-memory.dmp
memory/3048-24-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/3048-26-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/3048-27-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
memory/3048-28-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 21:49
Reported
2024-11-25 21:51
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe | N/A |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1604 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 1604 wrote to memory of 4492 | N/A | C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 4492 wrote to memory of 2024 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
| PID 4492 wrote to memory of 2024 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe
"C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ntx5-lav.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9338.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9337.tmp"
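The process tree is the same in both detonations: the sample launches csc.exe from the .NET 2.0 framework directory with a response file in the user's Temp folder, and csc.exe in turn launches cvtres.exe. Together with the dropped artifacts (a .cmdline response file, a .0.cs source file, a CSC*.tmp/RES*.tmp resource pair and a .dll, all in Temp), this is the footprint of CSharpCodeProvider-style compilation of C# source at runtime (compile-after-delivery); the /noconfig /fullpaths @"....cmdline" form of the command line is the fingerprint. Note that each "Suspicious use of WriteProcessMemory" row pairs a parent with the child it has just created along that chain, which is what ordinary process creation looks like from the sandbox's hook, so the process relationship, not the API call, is the signal worth alerting on. The following detection logic is an added example, not part of the sandbox report: it walks a list of process-creation events and flags any csc.exe whose parent is not a known build tool. The event model, the build-tool allowlist, the sample's own parent PID and the MSBuild control case are assumptions; the malicious chain's PIDs and command lines are taken from the behavioral2 run above.

```python
"""
Flag csc.exe invocations that look like runtime (CodeDOM-style) compilation
rather than a normal build, from process-creation events.
Added example; the event model and allowlist are assumptions.
"""
import re
from dataclasses import dataclass

# Parents that legitimately launch csc.exe during builds. Assumed allowlist; tune per estate.
KNOWN_BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

# User-writable staging locations from which no build tool should be running.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata\\local\\temp|downloads)\\", re.I)

# Response-file invocation emitted by CSharpCodeProvider: /noconfig /fullpaths @"<tmp>.cmdline"
CODEDOM_ARGS = re.compile(r'/noconfig\s+/fullpaths\s+@"[^"]*\.cmdline"', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_runtime_compilation(events):
    """Return one finding per csc.exe whose parent is not an allowlisted build tool."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "csc.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) in KNOWN_BUILD_PARENTS:
            continue  # ordinary build; skip
        reasons = ["non_build_parent" if parent else "unknown_parent"]
        if CODEDOM_ARGS.search(e.cmdline):
            reasons.append("codedom_response_file")
        if parent is not None and USER_WRITABLE.search(parent.image):
            reasons.append("parent_in_user_writable_path")
        # csc.exe -> cvtres.exe is the normal tail of a compile; include it so the alert shows the full chain.
        cvtres = [c.pid for c in events if c.ppid == e.pid and basename(c.image) == "cvtres.exe"]
        findings.append({
            "csc_pid": e.pid,
            "parent_pid": e.ppid,
            "parent_image": parent.image if parent else None,
            "reasons": tuple(reasons),
            "chain": [e.ppid, e.pid, *cvtres],
        })
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2a1de2d43b9ce30d24fb2950b24626bbd372433422df337f8bbaa1caafbefa1dN.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe"

# Constructed events. PIDs 1604/4492/2024 and their command lines follow the behavioral2 run;
# the sample's own parent (PID 700) and the MSBuild control case are invented for contrast.
EVENTS = [
    ProcEvent(1604, 700, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4492, 1604, CSC,
              f'"{CSC}" /noconfig /fullpaths @"C:\\Users\\Admin\\AppData\\Local\\Temp\\ntx5-lav.cmdline"'),
    ProcEvent(2024, 4492, CVTRES,
              f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\Admin\\AppData\\Local\\Temp\\RES9338.tmp" '
              f'"c:\\Users\\Admin\\AppData\\Local\\Temp\\CSC9337.tmp"'),
    ProcEvent(3100, 700, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              "MSBuild.exe App.csproj"),
    ProcEvent(3101, 3100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              '"csc.exe" /noconfig /out:obj\\Debug\\App.dll Program.cs'),
]


if __name__ == "__main__":
    for finding in find_runtime_compilation(EVENTS):
        print(finding)
```

Expect one finding (csc.exe PID 4492 under the sample, chain 1604 -> 4492 -> 2024) and none for the MSBuild control. The main tuning point in production is PowerShell: Add-Type also drives csc.exe through CodeDOM with the same response-file pattern, so either allowlist known administrative scripts or treat a powershell.exe parent as a lower-severity variant of the same rule rather than suppressing it outright.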
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/1604-0-0x00007FFCC2665000-0x00007FFCC2666000-memory.dmp
memory/1604-1-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp
memory/1604-2-0x000000001B550000-0x000000001B5AC000-memory.dmp
memory/1604-5-0x000000001B740000-0x000000001B74E000-memory.dmp
memory/1604-7-0x000000001BC20000-0x000000001C0EE000-memory.dmp
memory/1604-6-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp
memory/1604-8-0x000000001C190000-0x000000001C22C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ntx5-lav.cmdline
| MD5 | 4c18055c39df8b8b626bb86da4062ab6 |
| SHA1 | 55c25609465afc1c9949cd559b89247f8772a8db |
| SHA256 | b6f0d5b7fdfcebe311e25f46f8352fc118dda7522048cbbf0d9a5d78d9b96b14 |
| SHA512 | bdea80f4665d6f71aed6e010c2df8a39bace119e70b2908eb63276aff4f43ff1118bb124f1d39255d445eed24de3a0d46083381883129b30d51c0fcccd7d31f3 |
\??\c:\Users\Admin\AppData\Local\Temp\ntx5-lav.0.cs
| MD5 | ad3fb6157917742e2291c095039d56af |
| SHA1 | 239c2b918f7a176e38c4338cb3877606158a95bc |
| SHA256 | 715067a2205e2c21a041f4de2ae9f0a9e44e52eac1109bc8a45b8ff0445c30c5 |
| SHA512 | ac6c0683daacc1a4bd921ec3fb5727c26b047c9cc2123e948fb32ae1dcba989e23b0d6ab2e148045db23b35ad53acf4c16f7abfd4a7e26e3483a39af05c50c84 |
memory/4492-14-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC9337.tmp
| MD5 | b6cb04ee513beb7e7c598d2dc66e6b1b |
| SHA1 | f491df1f6160d2effea65aa02f9c6013faf27829 |
| SHA256 | 4d69b950451634b88acdb11ecbf16c24384828dd2190374d47d01be4189a3bb0 |
| SHA512 | 848e5789ef8108f516f88bb29ef1e68c30a3401da3079ff24e7263fe1960665a52130f9e82d1b5c2d65918ae24c4b98284925ac1bb35f421a4d3b642ca47a2f3 |
C:\Users\Admin\AppData\Local\Temp\RES9338.tmp
| MD5 | 70ed6f1ca02102f76ec5ffbe7d809697 |
| SHA1 | c18d032f57e1a04e39ec168a0fdb3acb1fb25026 |
| SHA256 | 9c4746b112c590c5597690865d983b3df43abbd92da24a484018a387933d7460 |
| SHA512 | fdd037f689fc286ffb43ef6484da1db593d9cc1cf63a91de1c67474e556a65debdca03066cd4ee576a7ec4b379d84b8f498af45f9e90255ba11c7cb970965c44 |
memory/4492-21-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp
memory/1604-23-0x000000001C260000-0x000000001C276000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntx5-lav.dll
| MD5 | 4199b8818fef9f9405bbff31212d6984 |
| SHA1 | df7ed0e670f3160ab6a7e781806794477360418f |
| SHA256 | 63fe1a5ee471906cb04f759c078f9bb0673a77a51943566c8ccae8de0f20a722 |
| SHA512 | 22ef95c5be98c34728a12704b87829784b7ffc9c11fdbd7822e90cce4355a6183b3e85e1320c83c3c8683b2e0fdd12b1200b9257a547c3606bd603376ea58eb3 |
memory/1604-25-0x0000000000F20000-0x0000000000F32000-memory.dmp
memory/1604-26-0x0000000001050000-0x0000000001058000-memory.dmp
memory/1604-27-0x000000001B4B0000-0x000000001B4B8000-memory.dmp
memory/1604-28-0x000000001CC30000-0x000000001CC92000-memory.dmp
memory/1604-29-0x000000001D5A0000-0x000000001DB5A000-memory.dmp
memory/1604-30-0x000000001DB60000-0x000000001DC50000-memory.dmp
memory/1604-31-0x000000001C8A0000-0x000000001C8BE000-memory.dmp
memory/1604-32-0x000000001DC50000-0x000000001DC99000-memory.dmp
memory/1604-33-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp
memory/1604-34-0x000000001DD20000-0x000000001DD90000-memory.dmp
memory/1604-35-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp
memory/1604-37-0x000000001C280000-0x000000001C288000-memory.dmp
memory/1604-38-0x00007FFCC2665000-0x00007FFCC2666000-memory.dmp
memory/1604-40-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp
memory/1604-41-0x00007FFCC23B0000-0x00007FFCC2D51000-memory.dmp