Malware Analysis Report

2025-03-15 06:48

Sample ID 250112-sp351szpcr
Target resemblec2.exe
SHA256 e607e52cb362cdca751c9cf27c91b8f5087649c720d49fd31ee925176107e501
Tags
orcus discovery rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

e607e52cb362cdca751c9cf27c91b8f5087649c720d49fd31ee925176107e501

Threat Level: Known bad

The file resemblec2.exe was found to be: Known bad.

Malicious Activity Summary

orcus discovery rat spyware stealer

Orcus

Orcus family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Analysis: static1

Detonation Overview

Reported

2025-01-12 15:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-12 15:18

Reported

2025-01-12 15:21

Platform

win7-20240903-en

Max time kernel

117s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resemblec2.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 6.tcp.eu.ngrok.io | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3012 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | C:\Windows\system32\rundll32.exe
PID 3012 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | C:\Windows\system32\rundll32.exe
PID 3012 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | C:\Windows\system32\rundll32.exe
PID 3012 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | C:\Users\Admin\AppData\Local\Temp\idk.exe
PID 3012 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | C:\Users\Admin\AppData\Local\Temp\idk.exe
PID 3012 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | C:\Users\Admin\AppData\Local\Temp\idk.exe
PID 3012 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | C:\Users\Admin\AppData\Local\Temp\idk.exe
PID 2088 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
PID 2088 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
PID 2088 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
PID 2088 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Processes

C:\Users\Admin\AppData\Local\Temp\resemblec2.exe

"C:\Users\Admin\AppData\Local\Temp\resemblec2.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\resemble.py

C:\Users\Admin\AppData\Local\Temp\idk.exe

"C:\Users\Admin\AppData\Local\Temp\idk.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp
DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp
DE | 18.197.239.109:19196 | 6.tcp.eu.ngrok.io | tcp

Files

memory/3012-0-0x000007FEF5B83000-0x000007FEF5B84000-memory.dmp

memory/3012-1-0x0000000000080000-0x000000000012E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\idk.exe

MD5 c0f4b33fab9864dfebccb1f7621ac76a
SHA1 9e65684a22bae25570f019366657a83522434590
SHA256 ce59e3370985a4b7f243de0fb67848bcb223781077dee528e2f4adb8e9d8d656
SHA512 6cd5672e2b3615ebb94fb96de29fe1b2cbfa81c1e18080ad6fbb48b25457481e17d8919823970e5bd1e230e2e8c76d379a515551e35bdc10f305d3349ab3cefe

memory/3012-9-0x000007FEF5B80000-0x000007FEF656C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab5EC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-12 15:18

Reported

2025-01-12 15:21

Platform

win10v2004-20241007-en

Max time kernel

102s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\resemblec2.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 6.tcp.eu.ngrok.io | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\resemblec2.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\resemblec2.exe

"C:\Users\Admin\AppData\Local\Temp\resemblec2.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\idk.exe

"C:\Users\Admin\AppData\Local\Temp\idk.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\resemble.py

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp
DE | 3.66.38.117:19196 | 6.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 117.38.66.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.86.200.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/5004-0-0x00007FFBC5133000-0x00007FFBC5135000-memory.dmp

memory/5004-1-0x0000000000A80000-0x0000000000B2E000-memory.dmp

memory/5004-4-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\idk.exe

MD5 c0f4b33fab9864dfebccb1f7621ac76a
SHA1 9e65684a22bae25570f019366657a83522434590
SHA256 ce59e3370985a4b7f243de0fb67848bcb223781077dee528e2f4adb8e9d8d656
SHA512 6cd5672e2b3615ebb94fb96de29fe1b2cbfa81c1e18080ad6fbb48b25457481e17d8919823970e5bd1e230e2e8c76d379a515551e35bdc10f305d3349ab3cefe

memory/5004-17-0x00007FFBC5130000-0x00007FFBC5BF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\resemble.py

MD5 23f1fabaef532d89fcb6d5bb14a36ef3
SHA1 679a82ed172d49f298bf07b6fa0de9b6c2ce0046
SHA256 e4410bc67b1ee8af2df456713b85040917b8cf749fb7d660feeb625b25ec9c51
SHA512 96e2baa6ce0220b9ad167b60220c683d5b080a9ba9a2e4d320aae6989f4aa2d241f8078e69bdd2da39a20d9b57ae84240da912d29e5e1db36cc90cf6a0537458