Malware Analysis Report

2025-01-22 14:58

Sample ID 241216-bglgkawlcz
Target 2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768
SHA256 2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768
Tags
orcus
score
10/10

Analysis Overview

score
10/10

SHA256

2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768

Threat Level: Known bad

The file 2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768 was found to be: Known bad.

Malicious Activity Summary

orcus

Orcus main payload

Orcurs Rat Executable

Orcus family

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-12-16 01:06

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 01:06

Reported

2024-12-16 01:09

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe

"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izwo5h96.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CC6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8CC5.tmp"

Network

N/A

Files

memory/2088-0-0x000007FEF60AE000-0x000007FEF60AF000-memory.dmp

memory/2088-2-0x0000000000260000-0x000000000026E000-memory.dmp

memory/2088-3-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

memory/2088-1-0x00000000002D0000-0x000000000032C000-memory.dmp

memory/2088-4-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\izwo5h96.cmdline

MD5 1da84c408abc65675e82a91f83d7f7e8
SHA1 be614ed5a4ec3ad3ba45d10b393e918be6e91db8
SHA256 939c9c8231af0864dec328b49889fff1401299d47300148b6edb0abed74628a0
SHA512 3bbd2f8e54ab91604dde7ff1f9eeede2d667788cd2907dea6f98f9fe477bcb8e8d83df821022e25e6641b15acaedddd5ff4bb49805fcd10815f0217c3ca221d6

\??\c:\Users\Admin\AppData\Local\Temp\izwo5h96.0.cs

MD5 be563d305342c18be33a73aed4bc8daa
SHA1 1c4085e7b2758ff5e2478936ff5898e79c165fa7
SHA256 50b6511769e8e323ef2191bd75183bb568cb8b7e5c63d4e62e949bd6a967d296
SHA512 3470a6881fb9d28588d4566c18e1884ff44c31495ad8cffad6b5469cb359c6dd2f891220eb54ff68bc0350adbab96dabaa295bb601ff747d59069ced4296dffa

memory/2988-12-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC8CC5.tmp

MD5 a5ccad693b7051961c622a1432e12545
SHA1 ed575d7c9167c60dd6efd76c14fde3edb70bd290
SHA256 7ea521adacb7741690ec7a6543bacb1e53f990551c1e34299218a27d3d04a577
SHA512 3c09012f9ec72e83869497e0dae7dabee85f3624a45c161e4433a6d4e150342ec9e43790f4400f52d8a88fd6092dbf9ea3dca8af79cfaaaa34c91c5498b6ff52

C:\Users\Admin\AppData\Local\Temp\RES8CC6.tmp

MD5 a9da8b93c00a1b6bc9e5935a9f8d6126
SHA1 f89519b4b2ed372bbd0fd9ae65563d967d445951
SHA256 02e6968c2e5193c09149821e19a744c3747931b3591e8b5f0c60c0fc2cf43aa4
SHA512 9f935e89416b4570f22997a9eabec5b192bd6b8f9b8d9f595c7aa88bfe21c5f0c75d1b86501a6512303756669256bccf85246e33ab67ffcb72eae84dac52aa33

memory/2988-17-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

memory/2088-19-0x0000000000910000-0x0000000000926000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\izwo5h96.dll

MD5 f32121748bf45b6084ba0d3b84260132
SHA1 e3503121f80bbe228265308d6d31afdef61aa1af
SHA256 ab301c0002f71814385d186878f5d88b0bfda1122213e74b3a3daf43aad04134
SHA512 5cbe4dc423bd93baf42aa7cf089bb2ba762ee8a41802b7db9326623d44fa1d979b65fa86e2b742a834d9964925751c91c4019fc202692fec2d306a35848858d4

memory/2088-21-0x0000000000530000-0x0000000000542000-memory.dmp

memory/2088-22-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

memory/2088-23-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 01:06

Reported

2024-12-16 01:09

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe

"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n7oy31kn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA9DC.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/1300-0-0x00007FF8C14C5000-0x00007FF8C14C6000-memory.dmp

memory/1300-1-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp

memory/1300-2-0x000000001C0E0000-0x000000001C13C000-memory.dmp

memory/1300-3-0x0000000001A70000-0x0000000001A7E000-memory.dmp

memory/1300-4-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp

memory/1300-6-0x000000001CE80000-0x000000001CF1C000-memory.dmp

memory/1300-5-0x000000001C910000-0x000000001CDDE000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\n7oy31kn.cmdline

MD5 e69205aab478de26b0c7da902731628e
SHA1 3663ad244c648e8e0e5f774f4d63d43e88ab55df
SHA256 439f6a2ede0669c2e9eea410839b06ab16473b76672eeba3ebf0c1f167ba391b
SHA512 ff0b6f413eaad1eaf72f343e25d2efc1b353571391192cae7d3657102bdee498f06dd478983ec36a201bc3c4edfdabc7aa33d287df0e2b329228bd678447b71d

\??\c:\Users\Admin\AppData\Local\Temp\n7oy31kn.0.cs

MD5 12606a76da40180f8da902f93ced24f9
SHA1 64bfed89c9e45171fd4395e81317b243efa07d00
SHA256 86ed6c41cfefb97ef289f1f28befe59b0b35f611faa97b2f9382762d53b9c92f
SHA512 5c98f5d95d91714af476bcda7dffc39f7eef0f541eca22ef34c3f7f1cb315d61d3b815935633db6846b26dcbb6b41f236ac8e40adfc768afe629c2ef73e3322c

\??\c:\Users\Admin\AppData\Local\Temp\CSCA9DC.tmp

MD5 32febf4b23d7948d3b870036e4cfd3b2
SHA1 7be5902807cdf768f89f4d2f3fdf15404c277069
SHA256 cc19905415c3d03378560d59272a61467139ba329e14348cdd703b2f2d81a9d3
SHA512 bf5b7c300d193937ce879ed1c13fe895ee809305db1274e237a877db9dc3f51bda87e907f35722196687de5b615b31cd4193e13ea9e85c4bbfc32721e34ba7e8

memory/1368-16-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RESA9DD.tmp

MD5 286aa98bc1a7b3b59f95b07cccfadc3f
SHA1 e22e33338c798211e6748377b5e11af7c7dbdf34
SHA256 43ba821c89f0d81ff5fdaa3bd37acbc76e1e52e1fdc3103042b073e5611bd6ad
SHA512 c702d28e45db9e7803d5adda26e06e412e7cbb1c13fed8d42674cb48c5e35d278ee3574255bc83afe92099f1895dd7b807e1b43441798ce2374bcde3eb8332c4

memory/1368-19-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\n7oy31kn.dll

MD5 0fe1dfeadda26b22ed75ac3c6adfa159
SHA1 63d2a970a16b04a6c69ee5e0c6c6600dabeb3430
SHA256 39d82b62011bc6d4ab9f19ee9188c0702eb112528278fd1abc8ee671eefd054e
SHA512 fe2c90d7f542459e424ea1ea6f7aed8b4307781039ffc130b083f0a2ab752c37cd4681194d2a68235fc4782e90fb8e20f19b9d4e535fed7b76de8525e71aa1c5

memory/1300-21-0x000000001D430000-0x000000001D446000-memory.dmp

memory/1300-23-0x000000001BFD0000-0x000000001BFE2000-memory.dmp

memory/1300-24-0x0000000001AA0000-0x0000000001AA8000-memory.dmp

memory/1300-25-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp

memory/1300-27-0x00007FF8C1210000-0x00007FF8C1BB1000-memory.dmp