Malware Analysis Report

2025-03-15 06:40

Sample ID 250111-bwjlhsxkc1
Target 7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d
SHA256 7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d
Tags
orcus
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d

Threat Level: Known bad

The file 7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d was found to be: Known bad.

Malicious Activity Summary

orcus

Orcus RAT Executable

Orcus family

Orcus main payload

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2025-01-11 01:29

Signatures

Orcus RAT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-11 01:29

Reported

2025-01-11 01:32

Platform

win7-20240903-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe

"C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rz9xebk0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C64.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5C63.tmp"

Network

Country | Destination | Domain | Proto | Rows
N/A | 192.168.31.232:8488 | N/A | tcp | 12

All twelve rows are attempts to the same socket, 192.168.31.232:8488, an RFC 1918 private address with no reverse-DNS name. Nothing in the sandbox listens there, so the repeated rows are consistent with the client retrying an unreachable C2 for the length of the run. Treat this socket as the sample's configured C2 rather than an Internet indicator: the address is only meaningful on the network the sample was built for, and it is the sole non-DNS destination in the behavioral2 run as well.

Files

memory/2172-0-0x000007FEF653E000-0x000007FEF653F000-memory.dmp

memory/2172-2-0x0000000000410000-0x000000000041E000-memory.dmp

memory/2172-1-0x000000001AE70000-0x000000001AECC000-memory.dmp

memory/2172-3-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

memory/2172-4-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\rz9xebk0.cmdline

MD5 dd9ef1fb0f914a7df41aa21ba43d2818
SHA1 0277d07bb02fd13b4e3d46cd98f02c34baea89dc
SHA256 d167271c8fb1ff361bfc5f0cfb5e4f4ac290c3142eb74c568cdbbb2cee49c6d2
SHA512 b73fd6afcaebd2dcc66f8837eaedb503fbe2eec982aa99beb832391f0f9cd2d78d7e41de5053ecf72d9dae278c2c841156e84773f8b9fe4e89425a915368cb58

\??\c:\Users\Admin\AppData\Local\Temp\rz9xebk0.0.cs

MD5 6011503497b1b9250a05debf9690e52c
SHA1 897aea61e9bffc82d7031f1b3da12fb83efc6d82
SHA256 08f42b8d57bb61bc8f9628c8a80953b06ca4149d50108083fca6dc26bdd49434
SHA512 604c33e82e8b5bb5c54389c2899c81e5482a06e69db08268173a5b4574327ee5de656d312011d07e50a2e398a4c9b0cd79029013f76e05e18cf67ce5a916ffd9

memory/2740-10-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC5C63.tmp

MD5 c71cd9e1ada3ca668494128cf75b235f
SHA1 858ee8c44104aefa3249084a45ffda8858dc6939
SHA256 97a3d6c6ce376cecd967c03b89efeda0ecfe479429dd6b3ee68b0b692796b0b5
SHA512 31f0fd7d953589255bdd9a131944bd0659f8dcb743648e29a1bb7518e20cac125c5269a5fa57f7b36676fd37afa1887489d34cb098da0d2abc89a604dc2834df

C:\Users\Admin\AppData\Local\Temp\RES5C64.tmp

MD5 fcd5110d4e40f699f9440f1e987d6f13
SHA1 ae6f81d2639cf8470d31cfe03908eb2128a2de5e
SHA256 3fe2e9be89755fb9083835b8693be639c9d90e0ddb968ad846674da561e0de4b
SHA512 44b907508cc2294f5dd5cbe793781c3e6e5c3a2a6e54e767e1a9065215236b37929aedda7652fd1bb285d56469368e22347461b64780dbdbb67a686b4ba703a0

memory/2740-17-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

memory/2172-19-0x0000000002270000-0x0000000002286000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rz9xebk0.dll

MD5 58725cd9b51849d7e54f43aaeebc1ed6
SHA1 762487d310ef39283f046476fb790a63e3a51fff
SHA256 1879d4323e42af123960a2c8fa54d3413fe9784c663a9e254db97734a0767d47
SHA512 f560686e3019bc81c67970573bf4d75592e258e30cffbd2d2077556eef66fe6d8fe946cb65406665097a6690ec598b59a9fb724a030a889c33b82f89b2cfac6b

memory/2172-21-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

memory/2172-22-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

memory/2172-23-0x000000001B010000-0x000000001B028000-memory.dmp

memory/2172-24-0x0000000000420000-0x0000000000430000-memory.dmp

memory/2172-25-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

memory/2172-26-0x000007FEF6280000-0x000007FEF6C1D000-memory.dmp

memory/2172-27-0x000007FEF653E000-0x000007FEF653F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-11 01:29

Reported

2025-01-11 01:32

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe"

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A

C:\Windows\assembly is the .NET global assembly cache. A Desktop.ini written there is common when .NET 2.0/3.5-era applications run on a Windows 10 image, which fits the v2.0.50727 tooling the sample invokes under Processes below and is consistent with the signature not firing in the win7 run. On its own the row is a weak indicator and is not evidence of persistence.

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe

"C:\Users\Admin\AppData\Local\Temp\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\to04um8f.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A8E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A8D.tmp"
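Both detonations show the same three-process chain: the unsigned sample running from %TEMP% launches the .NET 2.0 C# compiler with a response file (rz9xebk0.cmdline in behavioral1, to04um8f.cmdline here), and csc.exe in turn launches cvtres.exe; the Files sections list the matching .0.cs source and the compiled .dll named after the response file. Legitimate .NET machinery produces exactly this chain (CodeDom compilation, including the XmlSerializer fallback that builds a serialization assembly at run time), so csc.exe by itself is not the indicator; the parent is. The block below is an added example of a detection rule that keys on the parent, not code from the sandbox or from Orcus. The process-creation records are constructed, Sysmon-style events that mirror the report's command lines; the pids, ppids and the signed flag are assumptions, not values taken from the report.

```python
"""Flag csc.exe launches whose parent is unsigned or runs from a user-writable path."""
import ntpath
import re
from typing import Dict, List

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET2 = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
SAMPLE = TEMP + r"\7447b9a1359be0ab6ec6417b4e204baf435da07f12436f72cb4bff47a4ae743d.exe"

# Constructed process-creation events (pids, ppids and 'signed' are assumed).
EVENTS: List[Dict] = [
    {"pid": 2172, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "signed": False},
    {"pid": 2740, "ppid": 2172, "image": NET2 + r"\csc.exe", "signed": True,
     "cmdline": f'"{NET2}\\csc.exe" /noconfig /fullpaths @"{TEMP}\\rz9xebk0.cmdline"'},
    {"pid": 2760, "ppid": 2740, "image": NET2 + r"\cvtres.exe", "signed": True,
     "cmdline": f'{NET2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                f'"/OUT:{TEMP}\\RES5C64.tmp" "c:\\Users\\Admin\\AppData\\Local\\Temp\\CSC5C63.tmp"'},
    # Benign control: a signed build tool under Program Files compiling with a response file.
    {"pid": 4000, "ppid": 1000, "signed": True, "cmdline": "MSBuild.exe app.csproj",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"pid": 4010, "ppid": 4000, "signed": True,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\Users\Admin\source\app\obj\tmp.cmdline"'},
]

# Directories a standard user can write to; a parent running from here is worth a look.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Desktop)\\"
    r"|\\ProgramData\\|\\Windows\\Temp\\",
    re.IGNORECASE,
)
# csc.exe is handed its real arguments through an @response file.
RESPONSE_FILE = re.compile(r'@"?(?P<path>[^"\s]+\.cmdline)"?', re.IGNORECASE)


def find_runtime_compiles(events: List[Dict]) -> List[Dict]:
    """One finding per csc.exe launch whose parent is unsigned or lives in a user-writable path."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "csc.exe":
            continue
        resp = RESPONSE_FILE.search(ev["cmdline"])
        if resp is None or "/noconfig" not in ev["cmdline"].lower():
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            continue  # orphaned csc.exe: out of scope for this rule
        if parent.get("signed", True) and not USER_WRITABLE.search(parent["image"]):
            continue  # signed parent outside user-writable dirs: ordinary build or serializer activity
        response_file = resp.group("path")
        findings.append({
            "csc_pid": ev["pid"],
            "parent_pid": parent["pid"],
            "parent_image": parent["image"],
            "response_file": response_file,
            # CodeDom names the output after the response file (rz9xebk0.cmdline -> rz9xebk0.dll).
            "expected_output_dll": response_file[: -len(".cmdline")] + ".dll",
            "cvtres_spawned": any(
                c["ppid"] == ev["pid"] and ntpath.basename(c["image"]).lower() == "cvtres.exe"
                for c in events
            ),
        })
    return findings


if __name__ == "__main__":
    for f in find_runtime_compiles(EVENTS):
        print(f"csc.exe pid {f['csc_pid']} spawned by {f['parent_image']}; collect {f['expected_output_dll']}")
```

The expected_output_dll value is the artifact to collect from the host: in behavioral1 that is rz9xebk0.dll, whose hashes appear in the Files section; it is the compiled output, distinct from the sample itself, and is gone once the run ends if the host reboots or %TEMP% is cleared.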

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
N/A | 192.168.31.232:8488 | N/A | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
N/A | 192.168.31.232:8488 | N/A | tcp
N/A | 192.168.31.232:8488 | N/A | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
N/A | 192.168.31.232:8488 | N/A | tcp
N/A | 192.168.31.232:8488 | N/A | tcp
N/A | 192.168.31.232:8488 | N/A | tcp
N/A | 192.168.31.232:8488 | N/A | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
N/A | 192.168.31.232:8488 | N/A | tcp
N/A | 192.168.31.232:8488 | N/A | tcp
N/A | 192.168.31.232:8488 | N/A | tcp
N/A | 192.168.31.232:8488 | N/A | tcp
N/A | 192.168.31.232:8488 | N/A | tcp

Only 192.168.31.232:8488 (12 attempts, the same private socket and count as in behavioral1) is attributable to the sample. The eight UDP rows are reverse-DNS (PTR) queries sent to 8.8.8.8; read backwards, the names decode to addresses such as 52.167.17.97 and 20.190.159.75, in Microsoft and CDN address space. They appear in the win10 run only and not in the win7 run, so the better reading is background traffic of the sandbox image rather than sample activity; this is an assessment from the rows above, not an attribution made by the sandbox.
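Triage of the two Network tables comes down to three steps: separate the sample's socket attempts from the DNS noise, count retries per destination, and decode the in-addr.arpa names so the addresses being looked up can be checked. The block below is an added example that does this over a constructed inline copy of the rows in this report's two Network tables (whitespace-separated, as the sandbox exports them); it is not the sandbox's own code, and the field names in its output are my own.

```python
"""Triage sandbox network rows: sample sockets vs. DNS PTR lookups, retry counts, RFC 1918 flag."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed copy of the report's Network rows, order preserved.
ROWS_BEHAVIORAL1 = ["N/A 192.168.31.232:8488 tcp"] * 12

ROWS_BEHAVIORAL2 = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 192.168.31.232:8488 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 192.168.31.232:8488 tcp
N/A 192.168.31.232:8488 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
N/A 192.168.31.232:8488 tcp
N/A 192.168.31.232:8488 tcp
N/A 192.168.31.232:8488 tcp
N/A 192.168.31.232:8488 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
N/A 192.168.31.232:8488 tcp
N/A 192.168.31.232:8488 tcp
N/A 192.168.31.232:8488 tcp
N/A 192.168.31.232:8488 tcp
N/A 192.168.31.232:8488 tcp
""".splitlines()

# country  host:port  [domain]  proto
ROW = re.compile(
    r"^(?P<country>\S+)\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def ptr_to_ip(name: Optional[str]) -> Optional[str]:
    """'97.17.167.52.in-addr.arpa' -> '52.167.17.97'; PTR names list the octets reversed."""
    if not name or not name.lower().endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(rows: List[str]) -> Dict:
    """Group non-DNS rows by socket and pull DNS rows out into PTR targets / queried names."""
    sockets: Counter = Counter()
    ptr_targets: List[str] = []
    dns_queries: List[str] = []
    for line in rows:
        m = ROW.match(line.strip())
        if m is None:
            raise ValueError(f"unparsed network row: {line!r}")
        host, port, proto, domain = m["host"], int(m["port"]), m["proto"], m["domain"]
        if proto == "udp" and port == 53 and domain:
            ip = ptr_to_ip(domain)
            (ptr_targets.append(ip) if ip else dns_queries.append(domain))
            continue  # resolver traffic, not a sample socket
        sockets[(host, port, proto)] += 1
    report = []
    for (host, port, proto), n in sockets.items():
        addr = ipaddress.ip_address(host)
        report.append({"dest": f"{host}:{port}", "proto": proto, "attempts": n,
                       "private": addr.is_private})  # RFC 1918 etc.: unreachable from a sandbox
    report.sort(key=lambda r: -r["attempts"])
    return {"sockets": report, "ptr_lookups": ptr_targets, "dns_queries": dns_queries}


if __name__ == "__main__":
    for label, rows in (("behavioral1", ROWS_BEHAVIORAL1), ("behavioral2", ROWS_BEHAVIORAL2)):
        print(label, triage(rows))
```

A destination that is both private and retried for the whole run is the pattern to expect from a RAT client whose configured C2 is on the operator's own network; the PTR targets are what to check against the image's known background destinations before they are treated as indicators.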

Files

memory/1268-0-0x00007FFB5C655000-0x00007FFB5C656000-memory.dmp

memory/1268-1-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

memory/1268-2-0x000000001B9F0000-0x000000001BA4C000-memory.dmp

memory/1268-5-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

memory/1268-7-0x000000001C0F0000-0x000000001C5BE000-memory.dmp

memory/1268-6-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

memory/1268-8-0x000000001C660000-0x000000001C6FC000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\to04um8f.cmdline

MD5 8952c2b6798c6f219436e32f7a70df85
SHA1 16b24056a1d5745b37388d430a87e0cd27e8c69a
SHA256 ec2318ea446ef63c7d3d5f6a493791aa1218bd7b77d27494b00c3fa70ace263f
SHA512 75f132f3ab722dcfe07b52e4e5ca22e918942a316c2479ef0a74ea91088855b6cb34cdf9ce7a4b8f6b49bd4e9a860e0b059ff2394b8bb55b59b4bcd98a34809c

\??\c:\Users\Admin\AppData\Local\Temp\to04um8f.0.cs

MD5 ac842bdcbaedf3e3a3cf91babd2759ff
SHA1 dac6a53e5e8f1498cf27dec864e97d597827000c
SHA256 eaf8d46e2f35c0f34f61ef282195989572868aa127e362769bfd096d4cf50fc6
SHA512 01847dbcd74dfcf9c10c9c78f75e2149cf87aeaf37129c72d90262171502f24d42f195648b048d22daeba426c1197e7bf8d6c607030353ca9a54a69b5d8710f2

\??\c:\Users\Admin\AppData\Local\Temp\CSC8A8D.tmp

MD5 f2ef5a13b8b974dc7af1a8eb8d1ca550
SHA1 05f8d8a3f9f09d7d1bd5053b047f422fca7dcbea
SHA256 2bc1e8fca3b700d16f5e16221e5566a57f56f3e53f8a09f6cb02c0f319aeb90f
SHA512 4ad230961a86f1033d427e119d4d99c3380d6392cdd3b74fafa06f22cccff3e5828c2b5b01b4fca277eeef120d3510ae5978fb18b985ca676f11f85fe1ba80a6

memory/2828-19-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES8A8E.tmp

MD5 2c780d2c568df39d8a0bf9a4ab3cb939
SHA1 0f0b3ba61e66c49c1fea086fec0fa832bd40fbf3
SHA256 e597be852d5e4b23d5d8220186d239ab67296074a830b26bdbe25f958d5abffb
SHA512 a330a0686bb70457e71468572151cec95bdae919732e2cb0d0b26ef8a308c5f2ed7b92c4fb57c8fde6144e6a7991b3bf2601c37c0165f65d2389b97e67ad2bdc

memory/2828-21-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

memory/1268-23-0x000000001CCF0000-0x000000001CD06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\to04um8f.dll

MD5 5d736fa3dcf58317f6ac91543a86da78
SHA1 a498e6af4411c5cae5ad55da349140518721d2f8
SHA256 13000bc0488d6ccaa9337243a2ce475414a74a26a983377d01b584601207161d
SHA512 02c4507a20e1256b1012687671a62fc26040be79151c1c0134239a95d6fdd4a6477cb5ee94286e38a74a649db40d913c580c0b4980a037a8fc49155a58ea0532

memory/1268-25-0x000000001B940000-0x000000001B952000-memory.dmp

memory/1268-26-0x000000001B8C0000-0x000000001B8C8000-memory.dmp

memory/1268-27-0x000000001CD30000-0x000000001CD48000-memory.dmp

memory/1268-28-0x00000000014D0000-0x00000000014E0000-memory.dmp

memory/1268-29-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp

memory/1268-30-0x000000001B8B0000-0x000000001B8B8000-memory.dmp

memory/1268-31-0x00007FFB5C655000-0x00007FFB5C656000-memory.dmp

memory/1268-32-0x00007FFB5C3A0000-0x00007FFB5CD41000-memory.dmp