Malware Analysis Report

2025-01-22 14:54

Sample ID 241216-bnmm7swpaw
Target 2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768
SHA256 2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768
Tags orcus
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768

Threat Level: Known bad

The file 2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768 was found to be: Known bad.

Malicious Activity Summary

orcus

Orcurs Rat Executable

Orcus family

Orcus main payload

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-12-16 01:17

Signatures

Orcurs Rat Executable

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Orcus family

orcus

Orcus main payload

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 01:17

Reported

2024-12-16 01:20

Platform

win7-20241023-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe

"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l3gtq-an.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D78.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9D77.tmp"

Network

N/A

Files

memory/2616-0-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp

memory/2616-1-0x00000000002C0000-0x000000000031C000-memory.dmp

memory/2616-2-0x0000000000170000-0x000000000017E000-memory.dmp

memory/2616-3-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

memory/2616-4-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\l3gtq-an.cmdline

MD5 dc58fbf1024649936e39317a11c7ef86
SHA1 c66951062f47df296e285322547814c0cca9fcf8
SHA256 023185cfbed52b90720391e9544c6a38ea2d2ce3f050ede57cda6102069ac255
SHA512 99986e5133fc941c3365a1e467332308cc95704316ad18d4e17c0091de9412a3c11f7285a4aa00496ae7f26de92ce4ec7e8a76e7ad0b0801ef930c4cc8cd6785

\??\c:\Users\Admin\AppData\Local\Temp\l3gtq-an.0.cs

MD5 e0e546d7fd3c64e5b22b3353b204dd11
SHA1 5d5c49a6e788d4158b02ee7e108f21e70e38abe3
SHA256 a0905feb0f6f707877d65ee30bda55e361097b26cda6dde06bb0a56cb0ec3639
SHA512 2f4a3b28d81b9ddf7e288e65d78867c35cce06e69c4891aaed3e1a06e46b704636f0c8ab2653550ce3b0a42d2c624f30d331be96560978d7e151478962b1466a

memory/2420-10-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC9D77.tmp

MD5 501a0b7ab6694f4f8dee8883a0e927df
SHA1 5049a365f799224423d7cb2842b5f5bdb320d308
SHA256 d18c7eb8a3bb6880ef1dce5ce413230648fdef6e3c7ae054ec054a48f9fc2791
SHA512 cebe68c152b62f40dda4372942fdddb5a854359f33ae92c7910ba371aac0bca7dc8f2673ad07dfd1dfc0a5c4a78a1a90f32a920baa842150c43105b433757cb1

C:\Users\Admin\AppData\Local\Temp\RES9D78.tmp

MD5 8d6713309e414f0dbfe474f639dc30a5
SHA1 12eed2ab8d4aa6795ad9aef2b4316b248db7b9e2
SHA256 d1285f928fc8cb8ad0164cde25afdb04a4901e845c8c3a3e8c82f09e077aebbc
SHA512 170aff8ac36e33d83f16154760618c4db325123d3c7fd739a53e8f1958e608ca310386a32ba71cfac9ce60e9b91f753d25909b709fec66dcdc9cc1f819e5f78a

C:\Users\Admin\AppData\Local\Temp\l3gtq-an.dll

MD5 11ad9a1155cdcd4bca49659457a4aaa4
SHA1 e3ae1dbca5aad46d5fcd3316dd6bb70cd2dbd2b4
SHA256 e44cf21b493d08552e6a1ef43d1492dab8cf2dbd8c2dce5d98b931b982081fec
SHA512 c923f549a0608ac52f84a0371c8d5b38d1e7d359ac2d70b4af4294bac8ecf505fa0809f48110a6ad49d6a79fda3159225c1687b41818e8696cb9a563559d5b54

memory/2616-19-0x0000000000A70000-0x0000000000A86000-memory.dmp

memory/2420-17-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

memory/2616-21-0x0000000000980000-0x0000000000992000-memory.dmp

memory/2616-22-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

memory/2616-23-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 01:17

Reported

2024-12-16 01:20

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe

"C:\Users\Admin\AppData\Local\Temp\2f1f1453e9b25081aa85cc14188a17d39bad9380a303ddca391e1670022c5768.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ozpknwmk.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FCB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9FCA.tmp"

Network

Country   Destination   Domain                          Proto
US        8.8.8.8:53    149.220.183.52.in-addr.arpa     udp
US        8.8.8.8:53    172.210.232.199.in-addr.arpa    udp
US        8.8.8.8:53    64.159.190.20.in-addr.arpa      udp
US        8.8.8.8:53    95.221.229.192.in-addr.arpa     udp
US        8.8.8.8:53    104.219.191.52.in-addr.arpa     udp
US        8.8.8.8:53    200.163.202.172.in-addr.arpa    udp
US        8.8.8.8:53    15.164.165.52.in-addr.arpa      udp
US        8.8.8.8:53    92.12.20.2.in-addr.arpa         udp
US        8.8.8.8:53    88.210.23.2.in-addr.arpa        udp
US        8.8.8.8:53    19.229.111.52.in-addr.arpa      udp

Files

memory/1092-0-0x00007FF915CC5000-0x00007FF915CC6000-memory.dmp

memory/1092-1-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

memory/1092-2-0x000000001B3A0000-0x000000001B3FC000-memory.dmp

memory/1092-3-0x000000001B350000-0x000000001B35E000-memory.dmp

memory/1092-4-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

memory/1092-5-0x000000001BCC0000-0x000000001C18E000-memory.dmp

memory/1092-6-0x000000001C230000-0x000000001C2CC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ozpknwmk.cmdline

MD5 e69348ef934c902df4363119122e80d0
SHA1 a73769b3221ec13d7430fc7577796b5ae3401526
SHA256 07878165c345365b577777e326fefaf55828cbca32e8f8ca4c21c6ab777abc7a
SHA512 9724cc1dc28dc5b5aae4a87360a7cc716ec3d60d93adb0df234b6df372b78118123ece332fd45626622247dbcc4319cbc1a4cc61bbbec658d23072ca63587a7b

\??\c:\Users\Admin\AppData\Local\Temp\ozpknwmk.0.cs

MD5 41df20a843c753b1978267f3ee6b5257
SHA1 abf6f4f929e555c2ac98b9bfd223a08f25cd8ff1
SHA256 de251553ae1ac67af81c05fb35e05038a018708072e358c3176914373d42d280
SHA512 e530bbc647391bcd89b0fa40d662ee46a6713eeb074a003003536a0c9a79195fd15c1f57deee5b3d078bf0a2b9ce6bc4df991f937d850bc8f992352529081262

memory/744-14-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC9FCA.tmp

MD5 ec50e228834fbbccaf79af2c7f3ddf87
SHA1 c7d755b959e955070fb0fb814358872c96cc5280
SHA256 2552cf7f8899904e9047e6e2a48dd3654df58b66774add35dfbc3e8134544fa1
SHA512 836811e4d7f5a2603ce161bebe57bba19ec6f9ea8a081a29a14096c048df2ef170eb0f3c565655e4f7799aa88c23df5a578812c9952e8177a927cfa8021a1c60

C:\Users\Admin\AppData\Local\Temp\RES9FCB.tmp

MD5 d01f2cfc1bb27e80d06548ae761b8e62
SHA1 f380ecb715ddfa044ea92426e5f57c7fbb0d8223
SHA256 1d56c26ee4c00009f02ff6fc8068bf5fc6816bf44956d296516ceae0189f32db
SHA512 5460576ff78d8c1cb23bc2c43ce4f164bd96bfafefde857cff84093ec3295e026633f1d3e3b8acd2b837e40dad83dc971f471e849845f692d727d74e4dc3e37a

memory/744-19-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ozpknwmk.dll

MD5 bd0edd2bf3d4f5358ab5c927343c9e4a
SHA1 ca2afba431ae5b89e5086b0c82e28192d4e60f90
SHA256 87e71f26d1158fda01c8d7e8493b8491745bd033fb7aeedf96266272c75cb42b
SHA512 193724c357689471205d8e0deaeec90da5c437a549ebda39c572c1e5546d85ab8ed5f273f02f508382af03d20f349e5d06c9cc41d4ba932dab186c77f944f232

memory/1092-21-0x000000001C310000-0x000000001C326000-memory.dmp

memory/1092-23-0x000000001C2F0000-0x000000001C302000-memory.dmp

memory/1092-24-0x000000001B470000-0x000000001B478000-memory.dmp

memory/1092-25-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp

memory/1092-27-0x00007FF915A10000-0x00007FF9163B1000-memory.dmp