Analysis Overview
SHA256
2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768
Threat Level: Known bad
The file 2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768 was found to be: Known bad.
Malicious Activity Summary
Orcus main payload
Orcurs Rat Executable
Orcus family
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-16 01:06
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-16 01:06
Reported
2024-12-16 01:09
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe
"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izwo5h96.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CC6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8CC5.tmp"
Network
Files
memory/2088-0-0x000007FEF60AE000-0x000007FEF60AF000-memory.dmp
memory/2088-2-0x0000000000260000-0x000000000026E000-memory.dmp
memory/2088-3-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
memory/2088-1-0x00000000002D0000-0x000000000032C000-memory.dmp
memory/2088-4-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\izwo5h96.cmdline
| MD5 | 1da84c408abc65675e82a91f83d7f7e8 |
| SHA1 | be614ed5a4ec3ad3ba45d10b393e918be6e91db8 |
| SHA256 | 939c9c8231af0864dec328b49889fff1401299d47300148b6edb0abed74628a0 |
| SHA512 | 3bbd2f8e54ab91604dde7ff1f9eeede2d667788cd2907dea6f98f9fe477bcb8e8d83df821022e25e6641b15acaedddd5ff4bb49805fcd10815f0217c3ca221d6 |
\??\c:\Users\Admin\AppData\Local\Temp\izwo5h96.0.cs
| MD5 | be563d305342c18be33a73aed4bc8daa |
| SHA1 | 1c4085e7b2758ff5e2478936ff5898e79c165fa7 |
| SHA256 | 50b6511769e8e323ef2191bd75183bb568cb8b7e5c63d4e62e949bd6a967d296 |
| SHA512 | 3470a6881fb9d28588d4566c18e1884ff44c31495ad8cffad6b5469cb359c6dd2f891220eb54ff68bc0350adbab96dabaa295bb601ff747d59069ced4296dffa |
memory/2988-12-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC8CC5.tmp
| MD5 | a5ccad693b7051961c622a1432e12545 |
| SHA1 | ed575d7c9167c60dd6efd76c14fde3edb70bd290 |
| SHA256 | 7ea521adacb7741690ec7a6543bacb1e53f990551c1e34299218a27d3d04a577 |
| SHA512 | 3c09012f9ec72e83869497e0dae7dabee85f3624a45c161e4433a6d4e150342ec9e43790f4400f52d8a88fd6092dbf9ea3dca8af79cfaaaa34c91c5498b6ff52 |
C:\Users\Admin\AppData\Local\Temp\RES8CC6.tmp
| MD5 | a9da8b93c00a1b6bc9e5935a9f8d6126 |
| SHA1 | f89519b4b2ed372bbd0fd9ae65563d967d445951 |
| SHA256 | 02e6968c2e5193c09149821e19a744c3747931b3591e8b5f0c60c0fc2cf43aa4 |
| SHA512 | 9f935e89416b4570f22997a9eabec5b192bd6b8f9b8d9f595c7aa88bfe21c5f0c75d1b86501a6512303756669256bccf85246e33ab67ffcb72eae84dac52aa33 |
memory/2988-17-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
memory/2088-19-0x0000000000910000-0x0000000000926000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\izwo5h96.dll
| MD5 | f32121748bf45b6084ba0d3b84260132 |
| SHA1 | e3503121f80bbe228265308d6d31afdef61aa1af |
| SHA256 | ab301c0002f71814385d186878f5d88b0bfda1122213e74b3a3daf43aad04134 |
| SHA512 | 5cbe4dc423bd93baf42aa7cf089bb2ba762ee8a41802b7db9326623d44fa1d979b65fa86e2b742a834d9964925751c91c4019fc202692fec2d306a35848858d4 |
memory/2088-21-0x0000000000530000-0x0000000000542000-memory.dmp
memory/2088-22-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
memory/2088-23-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-16 01:06
Reported
2024-12-16 01:09
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
150s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1300 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 1300 wrote to memory of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 1368 wrote to memory of 1356 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
| PID 1368 wrote to memory of 1356 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe
"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n7oy31kn.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA9DC.tmp"
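The process trees in behavioral1 and behavioral2 are the same shape: the sample, running from the user's Temp directory, spawns csc.exe with `/noconfig /fullpaths @"<stem>.cmdline"`, and csc.exe spawns cvtres.exe with `/NOLOGO /READONLY /MACHINE:IX86 /OUT:RES<hex>.tmp CSC<hex>.tmp`. Those are the argument shapes the .NET CodeDom compiler (CSharpCodeProvider) produces, and csc.exe invokes cvtres.exe itself, so the "wrote to memory of" rows (sample to csc.exe, csc.exe to cvtres.exe) are parent-to-child writes at process creation rather than injection into a running process. The actionable signal is runtime C# compilation from a temp-dropped binary (ATT&CK Compile After Delivery, T1027.004), and the dropped `<stem>.cmdline`, `<stem>.0.cs` and `<stem>.dll` files in the Files section are what such a compile leaves behind. The following detection is an added example, not part of the sandbox report or of the Orcus tooling; the process-creation records it parses are constructed (the malicious rows follow the behavioral2 tree above, the benign MSBuild and hand-run csc rows are invented), and the `pid|ppid|image|cmdline` record format is an assumption standing in for whatever your EDR or Sysmon pipeline emits.

```python
"""Flag runtime C# compilation (compile-after-delivery) launched from a temp-dropped binary.

Added example, not code from the sandbox report or from the Orcus tooling. Records are
constructed: the three malicious rows mirror the report's behavioral2 process tree, the
benign rows (MSBuild-driven csc, hand-run csc) are invented so the rule can be seen to
ignore them. The 'pid|ppid|image|cmdline' shape is an assumption for this example.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed process-creation records (pid|ppid|image|command line).
SAMPLE_EVENTS = r"""
1300|900|C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe|"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"
1368|1300|C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe|"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n7oy31kn.cmdline"
1356|1368|C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe|C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA9DC.tmp"
4100|4000|C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe|MSBuild.exe Demo.csproj
4120|4100|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|csc.exe /noconfig /fullpaths @"C:\Projects\Demo\obj\Debug\Demo.cmdline"
5200|5100|C:\Windows\System32\cmd.exe|cmd.exe
5210|5200|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|csc.exe /out:hello.exe hello.cs
"""


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Response-file form written by CSharpCodeProvider when it shells out to csc.exe.
CODEDOM_RSP = re.compile(r'/noconfig\s+/fullpaths\s+@"?(?P<rsp>[^"\s]+\.cmdline)"?', re.I)
# Resource object cvtres.exe writes on csc's behalf (RES<hex>.tmp in the same temp dir).
CVTRES_OUT = re.compile(r'/OUT:"?(?P<res>[^"\s]+\.tmp)"?', re.I)
# User-writable temp location the sample and its compile artifacts live in.
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_events(text: str) -> list[ProcEvent]:
    """Parse 'pid|ppid|image|cmdline' lines; the command line may itself contain '|'."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def expected_artifacts(rsp_path: str) -> list[str]:
    """Files a CodeDom compile leaves beside its response file, as seen in the report."""
    directory, name = ntpath.split(rsp_path)
    stem = ntpath.splitext(name)[0]
    return [ntpath.join(directory, stem + ext) for ext in (".cmdline", ".0.cs", ".dll")]


def find_codedom_compiles(events: list[ProcEvent]) -> list[dict]:
    """Return one hit per csc.exe that a Temp-resident parent launched with a CodeDom response file."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\csc.exe"):
            continue
        m = CODEDOM_RSP.search(e.cmdline)
        if m is None:
            continue  # hand-run csc without a response file: out of scope
        parent = by_pid.get(e.ppid)
        if parent is None or not USER_TEMP.search(parent.image):
            continue  # build tools compile from install paths, not from the user's Temp
        rsp = m.group("rsp")
        # cvtres.exe children carry the RES*.tmp output worth collecting alongside the .dll.
        res_outputs = []
        for c in events:
            if c.ppid == e.pid and c.image.lower().endswith("\\cvtres.exe"):
                mm = CVTRES_OUT.search(c.cmdline)
                if mm:
                    res_outputs.append(mm.group("res"))
        hits.append({
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "compiler_pid": e.pid,
            "response_file": rsp,
            "rsp_in_temp": bool(USER_TEMP.search(rsp)),
            "cvtres_outputs": res_outputs,
            "collect": expected_artifacts(rsp) + res_outputs,
        })
    return hits


if __name__ == "__main__":
    for hit in find_codedom_compiles(parse_events(SAMPLE_EVENTS)):
        print(f"compile-after-delivery: pid {hit['parent_pid']} -> csc {hit['compiler_pid']}")
        for path in hit["collect"]:
            print("  collect:", path)
```

The rule keys on the parent's location rather than on the response file alone, because PowerShell's Add-Type and other legitimate CodeDom users also write `<stem>.cmdline` files to Temp; a csc.exe whose parent is itself an executable in the user's Temp directory is the narrower condition that matches this report. The `collect` list is the set of paths to pull from the host before cleanup, which for the behavioral2 run is exactly `n7oy31kn.cmdline`, `n7oy31kn.0.cs`, `n7oy31kn.dll` and `RESA9DD.tmp` as listed under Files.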
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/1300-0-0x00007FF8C14C5000-0x00007FF8C14C6000-memory.dmp
memory/1300-1-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp
memory/1300-2-0x000000001C0E0000-0x000000001C13C000-memory.dmp
memory/1300-3-0x0000000001A70000-0x0000000001A7E000-memory.dmp
memory/1300-4-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp
memory/1300-6-0x000000001CE80000-0x000000001CF1C000-memory.dmp
memory/1300-5-0x000000001C910000-0x000000001CDDE000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\n7oy31kn.cmdline
| MD5 | e69205aab478de26b0c7da902731628e |
| SHA1 | 3663ad244c648e8e0e5f774f4d63d43e88ab55df |
| SHA256 | 439f6a2ede0669c2e9eea410839b06ab16473b76672eeba3ebf0c1f167ba391b |
| SHA512 | ff0b6f413eaad1eaf72f343e25d2efc1b353571391192cae7d3657102bdee498f06dd478983ec36a201bc3c4edfdabc7aa33d287df0e2b329228bd678447b71d |
\??\c:\Users\Admin\AppData\Local\Temp\n7oy31kn.0.cs
| MD5 | 12606a76da40180f8da902f93ced24f9 |
| SHA1 | 64bfed89c9e45171fd4395e81317b243efa07d00 |
| SHA256 | 86ed6c41cfefb97ef289f1f28befe59b0b35f611faa97b2f9382762d53b9c92f |
| SHA512 | 5c98f5d95d91714af476bcda7dffc39f7eef0f541eca22ef34c3f7f1cb315d61d3b815935633db6846b26dcbb6b41f236ac8e40adfc768afe629c2ef73e3322c |
\??\c:\Users\Admin\AppData\Local\Temp\CSCA9DC.tmp
| MD5 | 32febf4b23d7948d3b870036e4cfd3b2 |
| SHA1 | 7be5902807cdf768f89f4d2f3fdf15404c277069 |
| SHA256 | cc19905415c3d03378560d59272a61467139ba329e14348cdd703b2f2d81a9d3 |
| SHA512 | bf5b7c300d193937ce879ed1c13fe895ee809305db1274e237a877db9dc3f51bda87e907f35722196687de5b615b31cd4193e13ea9e85c4bbfc32721e34ba7e8 |
memory/1368-16-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RESA9DD.tmp
| MD5 | 286aa98bc1a7b3b59f95b07cccfadc3f |
| SHA1 | e22e33338c798211e6748377b5e11af7c7dbdf34 |
| SHA256 | 43ba821c89f0d81ff5fdaa3bd37acbc76e1e52e1fdc3103042b073e5611bd6ad |
| SHA512 | c702d28e45db9e7803d5adda26e06e412e7cbb1c13fed8d42674cb48c5e35d278ee3574255bc83afe92099f1895dd7b807e1b43441798ce2374bcde3eb8332c4 |
memory/1368-19-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\n7oy31kn.dll
| MD5 | 0fe1dfeadda26b22ed75ac3c6adfa159 |
| SHA1 | 63d2a970a16b04a6c69ee5e0c6c6600dabeb3430 |
| SHA256 | 39d82b62011bc6d4ab9f19ee9188c0702eb112528278fd1abc8ee671eefd054e |
| SHA512 | fe2c90d7f542459e424ea1ea6f7aed8b4307781039ffc130b083f0a2ab752c37cd4681194d2a68235fc4782e90fb8e20f19b9d4e535fed7b76de8525e71aa1c5 |
memory/1300-21-0x000000001D430000-0x000000001D446000-memory.dmp
memory/1300-23-0x000000001BFD0000-0x000000001BFE2000-memory.dmp
memory/1300-24-0x0000000001AA0000-0x0000000001AA8000-memory.dmp
memory/1300-25-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp
memory/1300-27-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp