Analysis Overview
SHA256
2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768
Threat Level: Known bad
The file 2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768 was found to be: Known bad.
Malicious Activity Summary
Orcurs Rat Executable
Orcus family
Orcus main payload
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-16 01:17
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-16 01:17
Reported
2024-12-16 01:20
Platform
win7-20241023-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe
"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3gtq-an.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D78.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9D77.tmp"
Network
Files
memory/2616-0-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp
memory/2616-1-0x00000000002C0000-0x000000000031C000-memory.dmp
memory/2616-2-0x0000000000170000-0x000000000017E000-memory.dmp
memory/2616-3-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp
memory/2616-4-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\l3gtq-an.cmdline
| MD5 | dc58fbf1024649936e39317a11c7ef86 |
| SHA1 | c66951062f47df296e285322547814c0cca9fcf8 |
| SHA256 | 023185cfbed52b90720391e9544c6a38ea2d2ce3f050ede57cda6102069ac255 |
| SHA512 | 99986e5133fc941c3365a1e467332308cc95704316ad18d4e17c0091de9412a3c11f7285a4aa00496ae7f26de92ce4ec7e8a76e7ad0b0801ef930c4cc8cd6785 |
\??\c:\Users\Admin\AppData\Local\Temp\l3gtq-an.0.cs
| MD5 | e0e546d7fd3c64e5b22b3353b204dd11 |
| SHA1 | 5d5c49a6e788d4158b02ee7e108f21e70e38abe3 |
| SHA256 | a0905feb0f6f707877d65ee30bda55e361097b26cda6dde06bb0a56cb0ec3639 |
| SHA512 | 2f4a3b28d81b9ddf7e288e65d78867c35cce06e69c4891aaed3e1a06e46b704636f0c8ab2653550ce3b0a42d2c624f30d331be96560978d7e151478962b1466a |
memory/2420-10-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC9D77.tmp
| MD5 | 501a0b7ab6694f4f8dee8883a0e927df |
| SHA1 | 5049a365f799224423d7cb2842b5f5bdb320d308 |
| SHA256 | d18c7eb8a3bb6880ef1dce5ce413230648fdef6e3c7ae054ec054a48f9fc2791 |
| SHA512 | cebe68c152b62f40dda4372942fdddb5a854359f33ae92c7910ba371aac0bca7dc8f2673ad07dfd1dfc0a5c4a78a1a90f32a920baa842150c43105b433757cb1 |
C:\Users\Admin\AppData\Local\Temp\RES9D78.tmp
| MD5 | 8d6713309e414f0dbfe474f639dc30a5 |
| SHA1 | 12eed2ab8d4aa6795ad9aef2b4316b248db7b9e2 |
| SHA256 | d1285f928fc8cb8ad0164cde25afdb04a4901e845c8c3a3e8c82f09e077aebbc |
| SHA512 | 170aff8ac36e33d83f16154760618c4db325123d3c7fd739a53e8f1958e608ca310386a32ba71cfac9ce60e9b91f753d25909b709fec66dcdc9cc1f819e5f78a |
C:\Users\Admin\AppData\Local\Temp\l3gtq-an.dll
| MD5 | 11ad9a1155cdcd4bca49659457a4aaa4 |
| SHA1 | e3ae1dbca5aad46d5fcd3316dd6bb70cd2dbd2b4 |
| SHA256 | e44cf21b493d08552e6a1ef43d1492dab8cf2dbd8c2dce5d98b931b982081fec |
| SHA512 | c923f549a0608ac52f84a0371c8d5b38d1e7d359ac2d70b4af4294bac8ecf505fa0809f48110a6ad49d6a79fda3159225c1687b41818e8696cb9a563559d5b54 |
memory/2616-19-0x0000000000A70000-0x0000000000A86000-memory.dmp
memory/2420-17-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp
memory/2616-21-0x0000000000980000-0x0000000000992000-memory.dmp
memory/2616-22-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp
memory/2616-23-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-16 01:17
Reported
2024-12-16 01:20
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
151s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1092 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 1092 wrote to memory of 744 | N/A | C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 744 wrote to memory of 3164 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
| PID 744 wrote to memory of 3164 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe
"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ozpknwmk.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FCB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9FCA.tmp"
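The process chain in both behavioral runs (sample -> csc.exe with /noconfig /fullpaths @<name>.cmdline -> cvtres.exe) is the footprint of .NET CodeDOM compiling C# source at run time, and the WriteProcessMemory rows are parent-to-child writes that accompany process creation rather than injection into a foreign process. The Python below is an added example, not part of the sandbox report or of the Orcus tooling: it models the behavioral2 events as constructed process-creation records (parent links are taken from the WriteProcessMemory table above; the sample's explorer.exe parent with PID 4242 is assumed, since the report does not show it), flags csc.exe launched with the CodeDOM pattern from anything other than a known build tool, derives the sibling .0.cs and .dll artifacts an analyst should collect (the same files that appear under Files), and rates a memory write low when the writer is the target's own parent, because the same signature fires for csc.exe writing into cvtres.exe.

```python
"""Flag runtime C# compilation and classify WriteProcessMemory edges.
All events below are constructed from the behavioral2 run; this is example
detection logic, not code from the sandbox or the sample."""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe")
FX = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Process-creation records in the shape of Sysmon event 1 / EDR telemetry.
# PIDs 1092/744/3164 and their parent links follow the report; the sample's
# own parent (explorer.exe, PID 4242) is assumed and not in the report.
PROCESS_EVENTS = [
    {"pid": 4242, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1092, "ppid": 4242, "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"pid": 744, "ppid": 1092, "image": FX + r"\csc.exe",
     "cmdline": '"' + FX + r'\csc.exe" /noconfig /fullpaths @"' + TEMP + r'\ozpknwmk.cmdline"'},
    {"pid": 3164, "ppid": 744, "image": FX + r"\cvtres.exe",
     "cmdline": FX + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:' + TEMP
                + r'\RES9FCB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9FCA.tmp"'},
]

# The signature rows exactly as the report lists them (duplicates included).
MEMWRITE_EVENTS = [
    "PID 1092 wrote to memory of 744",
    "PID 1092 wrote to memory of 744",
    "PID 744 wrote to memory of 3164",
    "PID 744 wrote to memory of 3164",
]

MEMWRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# CodeDOM (CSharpCodeProvider) drives csc.exe through a response file in %TEMP%.
CODEDOM_RE = re.compile(r'/noconfig\s+/fullpaths\s+@"?(?P<resp>[^"\s]+\.cmdline)"?', re.I)
# Parents that legitimately launch csc.exe; anything else is worth a look.
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\public\\")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def codedom_artifacts(cmdline):
    """For a CodeDOM-style csc.exe command line, return the response file and
    the source/assembly files CodeDOM writes beside it; None otherwise."""
    m = CODEDOM_RE.search(cmdline)
    if not m:
        return None
    resp = m.group("resp")
    stem = resp[: -len(".cmdline")]
    return {"response_file": resp, "source": stem + ".0.cs", "assembly": stem + ".dll"}


def parse_memwrite(line):
    m = MEMWRITE_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def detect(process_events, memwrite_lines):
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        if basename(e["image"]) != "csc.exe":
            continue
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else "<unknown>"
        if pname in BUILD_TOOLS:
            continue  # ordinary build tooling
        art = codedom_artifacts(e["cmdline"])
        from_user_dir = parent is not None and any(d in parent["image"].lower() for d in USER_WRITABLE)
        findings.append({
            "rule": "runtime_csharp_compile",
            "severity": "high" if art and from_user_dir else "medium",
            "pid": e["pid"], "parent": pname, "collect": art,
        })
    seen = set()
    for line in memwrite_lines:
        edge = parse_memwrite(line)
        if not edge or edge in seen:
            continue
        seen.add(edge)
        writer, target = edge
        tgt = by_pid.get(target)
        # A parent writing into a child it just spawned is normal start-up
        # (csc.exe does it to cvtres.exe too); any other target looks like injection.
        weak = tgt is not None and tgt["ppid"] == writer
        findings.append({
            "rule": "write_process_memory",
            "severity": "low" if weak else "high",
            "pid": writer, "target": target,
            "verdict": "parent-to-child" if weak else "cross-process",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(PROCESS_EVENTS, MEMWRITE_EVENTS):
        print(finding)
```

Run against the report's events this yields one high-severity runtime_csharp_compile finding for PID 744 (parent is an executable under the user's Temp directory) and two low-severity parent-to-child memory writes; a write whose target is not the writer's child comes back as cross-process, which is the case that actually deserves the "suspicious" label.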
Network
Only reverse (PTR) DNS lookups of ten IPv4 addresses via 8.8.8.8 were recorded in this run; no outbound connection to a C2 host was captured. Lookups of this kind are common Windows background activity inside a sandbox, and nothing in the report ties them to the sample, so they should not be read as Orcus traffic without further evidence.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/1092-0-0x00007FF915CC5000-0x00007FF915CC6000-memory.dmp
memory/1092-1-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp
memory/1092-2-0x000000001B3A0000-0x000000001B3FC000-memory.dmp
memory/1092-3-0x000000001B350000-0x000000001B35E000-memory.dmp
memory/1092-4-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp
memory/1092-5-0x000000001BCC0000-0x000000001C18E000-memory.dmp
memory/1092-6-0x000000001C230000-0x000000001C2CC000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ozpknwmk.cmdline
| MD5 | e69348ef934c902df4363119122e80d0 |
| SHA1 | a73769b3221ec13d7430fc7577796b5ae3401526 |
| SHA256 | 07878165c345365b577777e326fefaf55828cbca32e8f8ca4c21c6ab777abc7a |
| SHA512 | 9724cc1dc28dc5b5aae4a87360a7cc716ec3d60d93adb0df234b6df372b78118123ece332fd45626622247dbcc4319cbc1a4cc61bbbec658d23072ca63587a7b |
\??\c:\Users\Admin\AppData\Local\Temp\ozpknwmk.0.cs
| MD5 | 41df20a843c753b1978267f3ee6b5257 |
| SHA1 | abf6f4f929e555c2ac98b9bfd223a08f25cd8ff1 |
| SHA256 | de251553ae1ac67af81c05fb35e05038a018708072e358c3176914373d42d280 |
| SHA512 | e530bbc647391bcd89b0fa40d662ee46a6713eeb074a003003536a0c9a79195fd15c1f57deee5b3d078bf0a2b9ce6bc4df991f937d850bc8f992352529081262 |
memory/744-14-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC9FCA.tmp
| MD5 | ec50e228834fbbccaf79af2c7f3ddf87 |
| SHA1 | c7d755b959e955070fb0fb814358872c96cc5280 |
| SHA256 | 2552cf7f8899904e9047e6e2a48dd3654df58b66774add35dfbc3e8134544fa1 |
| SHA512 | 836811e4d7f5a2603ce161bebe57bba19ec6f9ea8a081a29a14096c048df2ef170eb0f3c565655e4f7799aa88c23df5a578812c9952e8177a927cfa8021a1c60 |
C:\Users\Admin\AppData\Local\Temp\RES9FCB.tmp
| MD5 | d01f2cfc1bb27e80d06548ae761b8e62 |
| SHA1 | f380ecb715ddfa044ea92426e5f57c7fbb0d8223 |
| SHA256 | 1d56c26ee4c00009f02ff6fc8068bf5fc6816bf44956d296516ceae0189f32db |
| SHA512 | 5460576ff78d8c1cb23bc2c43ce4f164bd96bfafefde857cff84093ec3295e026633f1d3e3b8acd2b837e40dad83dc971f471e849845f692d727d74e4dc3e37a |
memory/744-19-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ozpknwmk.dll
| MD5 | bd0edd2bf3d4f5358ab5c927343c9e4a |
| SHA1 | ca2afba431ae5b89e5086b0c82e28192d4e60f90 |
| SHA256 | 87e71f26d1158fda01c8d7e8493b8491745bd033fb7aeedf96266272c75cb42b |
| SHA512 | 193724c357689471205d8e0deaeec90da5c437a549ebda39c572c1e5546d85ab8ed5f273f02f508382af03d20f349e5d06c9cc41d4ba932dab186c77f944f232 |
memory/1092-21-0x000000001C310000-0x000000001C326000-memory.dmp
memory/1092-23-0x000000001C2F0000-0x000000001C302000-memory.dmp
memory/1092-24-0x000000001B470000-0x000000001B478000-memory.dmp
memory/1092-25-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp
memory/1092-27-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp