Malware Analysis Report

2025-03-15 06:42

Sample ID 250121-bgm1dsyle1
Target 4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e
SHA256 4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e
Tags
orcus
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e

Threat Level: Known bad

The file 4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e was found to be: Known bad.

Malicious Activity Summary

orcus

Orcurs Rat Executable

Orcus family

Orcus main payload

Drops desktop.ini file(s)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2025-01-21 01:07

Signatures

Orcurs Rat Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Orcus family

orcus

Orcus main payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-21 01:07

Reported

2025-01-21 01:09

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe

"C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iaxpx7wz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B52.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6B51.tmp"

Network

N/A

Files

memory/2848-0-0x000007FEF5A9E000-0x000007FEF5A9F000-memory.dmp

memory/2848-1-0x000000001B040000-0x000000001B09C000-memory.dmp

memory/2848-2-0x00000000003A0000-0x00000000003AE000-memory.dmp

memory/2848-3-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2848-4-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\iaxpx7wz.cmdline

MD5 a999037a9d55152f06b64fa9204d0c55
SHA1 a7b11a08e8f4e8b43e1dfcfcd01e9d4690c723d4
SHA256 75915511904ab45154578cce15713bc8ca32a026360d8a0b98118e740033dfd2
SHA512 37ff8bbfbc31d7a265ab3ae5e1abe78dd210125215de7d1acec5e823870f3eed6daec5b3e6fc1e460e4da4be6b3cef9004211bd6556cd08fb04387512d252931

\??\c:\Users\Admin\AppData\Local\Temp\iaxpx7wz.0.cs

MD5 c555d9796194c1d9a1310a05a2264e08
SHA1 82641fc4938680519c3b2e925e05e1001cbd71d7
SHA256 ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a
SHA512 0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090

memory/2848-18-0x000000001AD10000-0x000000001AD26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iaxpx7wz.dll

MD5 d649d9cbf352d9c0a19edb56d1793ca4
SHA1 e75720501c02fc4986c6292569c04319d122db36
SHA256 e4e6f124f7c7621c5e11b6c5611d8333d4aa1782f284623fd022693569dd07cf
SHA512 c768b03528ee2cb4ea59fc0c4006b7bb4124902f9b963f8b65f7028912a76b6a5c78e15b1c8e58c75a1e1684f938d45cabeddedd38d3a150a75d1447426148c4

C:\Users\Admin\AppData\Local\Temp\RES6B52.tmp

MD5 bd2ddebcfed188cb515fbcc5938b18fe
SHA1 b9c2f4424f94d5e6dcffd08f25419f46b6806aa2
SHA256 18f0b59948f7442467b7fd73ca2550148425e57711ed25e731baa32ed0752b26
SHA512 d3cdc6055b0e646d1707dcc86218a4fccec8cfa851fcd82f1df5002c2f1f20c0668fd4fed7808add87b7a90886db2982625d6a08a71c60e1f338039058d4f4c2

memory/2712-14-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC6B51.tmp

MD5 7d38974d517c1e9c8ba2a7987cbf95f2
SHA1 efab5a16fbcfd30d3f91fa16348c8eb1ce28d7e9
SHA256 25d0adb79f852c4ca5256623ebedff5d8d7c8288c85e915f3024e7d8819a7276
SHA512 1e22d812679b757aa298601dc914de081ae259fef83981f8f5d91ce9977fb21a89aa989be576f97df59793af5c71f467d7e6d170b9a24e3275ded85eab9ee0ef

memory/2848-20-0x0000000000660000-0x0000000000672000-memory.dmp

memory/2848-21-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2848-22-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2848-23-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

memory/2712-24-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-21 01:07

Reported

2025-01-21 01:09

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe"

Signatures

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | N/A
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe

"C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cicqfncx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB68.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFB67.tmp"
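Both detonations show the same process chain: the sample, running from the user's Temp directory, launches the .NET 2.0 C# compiler with a @<random>.cmdline response file in Temp, and csc.exe then launches cvtres.exe to convert CSC<hex>.tmp into RES<hex>.tmp. That is the footprint of runtime code generation (compiling C# source on the victim at execution time), which is how the compiled cicqfncx.dll / iaxpx7wz.dll artifacts listed under Files come to exist. The following detection logic is an added example written for this page; it is not sandbox code or Orcus code. The process events are constructed from the command lines above: PIDs 3544 and 2212 are taken from the behavioral2 memory-dump labels, the other PIDs and the benign comparison events (a PowerShell Add-Type compile and an MSBuild build) are invented, and the allowlist of legitimate compiler parents is an assumption to tune per environment.

```python
"""Flag the runtime C# compilation chain recorded in both detonations:
an executable running from the user's Temp directory spawns csc.exe with a
@<random>.cmdline response file, and csc.exe in turn spawns cvtres.exe to
turn CSC<hex>.tmp into RES<hex>.tmp inside the same Temp directory."""
import re
from dataclasses import dataclass

COMPILERS = {"csc.exe", "vbc.exe"}
# Assumed allowlist of parents that legitimately drive the .NET compilers.
BENIGN_PARENTS = {"devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe"}
RESPONSE_FILE = re.compile(r'@"?(?P<path>[^"\s]+\.cmdline)"?', re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_runtime_compilation(events):
    """Return one finding per compiler launch that matches the pattern."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) not in COMPILERS:
            continue
        m = RESPONSE_FILE.search(e.cmdline)
        # Only response files in the user's Temp directory are of interest;
        # build systems keep theirs under the project's obj\ folder.
        if not m or not USER_TEMP.search(m.group("path")):
            continue
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        if parent_name in BENIGN_PARENTS:
            continue
        parent_in_temp = bool(parent and USER_TEMP.search(parent.image))
        # Corroboration: a cvtres.exe child of this csc.exe writing RES*.tmp to Temp.
        cvtres_linked = any(
            c.ppid == e.pid
            and basename(c.image) == "cvtres.exe"
            and "/OUT:" in c.cmdline.upper()
            and USER_TEMP.search(c.cmdline)
            for c in events
        )
        findings.append({
            "compiler_pid": e.pid,
            "parent_image": parent.image if parent else None,
            "response_file": m.group("path"),
            "parent_in_temp": parent_in_temp,
            "cvtres_linked": cvtres_linked,
            "severity": "high" if parent_in_temp and cvtres_linked else "medium",
        })
    return findings


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe")
NET2 = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"

# Constructed process events. Images and command lines are the ones listed
# under behavioral2; PIDs 3544 and 2212 come from that run's memory-dump
# labels, every other PID and the two benign comparison chains are invented.
SAMPLE_EVENTS = [
    ProcEvent(3544, 1200, SAMPLE_EXE, '"' + SAMPLE_EXE + '"'),
    ProcEvent(2212, 3544, NET2 + r"\csc.exe",
              '"' + NET2 + r'\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\Admin\AppData\Local\Temp\cicqfncx.cmdline"'),
    ProcEvent(2300, 2212, NET2 + r"\cvtres.exe",
              NET2 + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
              r'"/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB68.tmp" '
              r'"c:\Users\Admin\AppData\Local\Temp\CSCFB67.tmp"'),
    # Add-Type from PowerShell also compiles through Temp, but the parent is
    # not itself running from Temp: reported at lower severity.
    ProcEvent(5000, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent(5001, 5000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\abcd1234.cmdline"'),
    # MSBuild build: response file under obj\ and an allowlisted parent, not reported.
    ProcEvent(6000, 1200, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              "MSBuild.exe"),
    ProcEvent(6001, 6000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.cmdline"'),
]

if __name__ == "__main__":
    for f in find_runtime_compilation(SAMPLE_EVENTS):
        print(f["severity"], f["compiler_pid"], f["parent_image"], f["response_file"])
```

The rule keys on the response-file location rather than on csc.exe alone, because the compiler itself is a signed Microsoft binary that is present on every Windows host; the Temp path plus a non-developer parent is what separates this chain from a build. Against the sample events the csc.exe under the sample is reported as high (parent in Temp, cvtres.exe linked), the PowerShell-driven compile as medium, and the MSBuild compile not at all.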

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

All nine entries are reverse-DNS (PTR) queries sent to 8.8.8.8. The queried name carries the address with its octets reversed, so 97.17.167.52.in-addr.arpa is the lookup for 52.167.17.97. No TCP, HTTP or other outbound connection was recorded in this detonation, so this run yields no C2 endpoint; the PTR lookups are not evidence of a C2 connection on their own and should be decoded and enriched before being treated as indicators.

Files

memory/3544-0-0x00007FFCD4515000-0x00007FFCD4516000-memory.dmp

memory/3544-1-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

memory/3544-2-0x000000001BA30000-0x000000001BA8C000-memory.dmp

memory/3544-5-0x000000001BC10000-0x000000001BC1E000-memory.dmp

memory/3544-6-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

memory/3544-7-0x000000001C210000-0x000000001C6DE000-memory.dmp

memory/3544-8-0x000000001C6E0000-0x000000001C77C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\cicqfncx.cmdline

MD5 237b0973176275801227e53857e168eb
SHA1 053168a04eca46c7ed2d0fbede5fcde5ecf9a787
SHA256 f4d8f31c5155185ba087780eed3fcf3a1b6b33a7b5f3da9010c5a2f88dfea821
SHA512 63cef8c2ec7a1bcfba32b2c52101b62c131c57f7a2e63d9b1a5d406329cb2fec3db16198cc8346a69c2753e12adf3bedcb89a31c2cb2591cbcdf0dfdc039db52

\??\c:\Users\Admin\AppData\Local\Temp\cicqfncx.0.cs

MD5 57f0d56fe55220433d23651cf2ba66e3
SHA1 581a45ad54bb4c5bd50fad86a26824bc60b0e834
SHA256 de983c110f8aaf7f7049514cd3dd908292d0b7f18ae274cdcecaa1e3db708ff5
SHA512 d54196f3de01924b5d625ab5de8d6d8809211935461509b13043b618b746a99a45c9d0945dc0ca5d8b9250142f5dea9761224b1fa14bc79e83df8c5f8b85b01d

memory/2212-16-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCFB67.tmp

MD5 19ea4a6c3c320f343a0307297b96f7fe
SHA1 2a0d07d0752a8aed2c1474cb5cbe49bf5900d1af
SHA256 22a2124168ac20074f68b60a477a147fd61bc274a5bd479177ea9074642e7065
SHA512 9bd660a9b9bbda30ad06018abce95f3f6977b734d8db87cccffaecaf1313e45d91f1620d1c5014486bc34a1a81157d8928f2aa9b1780e53635dd42b2bef25a76

C:\Users\Admin\AppData\Local\Temp\RESFB68.tmp

MD5 dce1f346a5689edad78b9bacc51da97f
SHA1 8f186ca039fb6138cd4f638422db8f9fe59ca181
SHA256 5947f0d4f09a30e8f15a8b4814a2b72549e4e348256e495c60da8212d7cbfe18
SHA512 f9545b10a97e928e1d83242303827d0337222b5d0411985cc1c95d65ab2156e2b3dba7f4361c330b52516d80d2ea8970039c96caa802c1f48ec32cae7ac9fc58

C:\Users\Admin\AppData\Local\Temp\cicqfncx.dll

MD5 fb9793bd8f7f39fa4c6547b3d68bbb48
SHA1 6587951cbeb9766911306a2f1b46b90f2ad28f70
SHA256 8ad44447e6f60ba4fb34b587936d56608fce83e8b7951f9feff1488192df3f53
SHA512 6d5d4dc6cf74e94c3f73bbee6a234704198a03232a3e20887ab20cfb4efd2b547f944b1e4df4f58f7720b9eed4a21636ea2a1a2633bc64a5d67d661e10e81492

memory/2212-21-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

memory/3544-23-0x000000001BCF0000-0x000000001BD06000-memory.dmp

memory/3544-25-0x00000000014A0000-0x00000000014B2000-memory.dmp

memory/3544-26-0x0000000001300000-0x0000000001308000-memory.dmp

memory/3544-27-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp

memory/3544-29-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp
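The Files sections of both detonations mix two kinds of entry: memory-dump labels of the form memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, and dropped files followed by MD5/SHA1/SHA256/SHA512 lines, some with the NT object-manager prefix \??\ left on the path. The same range 0x7FFCD4260000-0x7FFCD4C01000 is dumped four times for PID 3544 and twice for PID 2212 (a mapping shared by the sample and csc.exe), and the Network table above encodes the looked-up IPs backwards in in-addr.arpa names. The parser below is an added example written for this page, not sandbox code: it turns these listings into grouped memory regions, per-file hash sets with validated digest lengths, and decoded IPv4 addresses. The embedded sample text is an excerpt copied from the behavioral2 Files section; the PTR names in the test come from the Network table.

```python
"""Parse the Files and Network listings of this report into structured IOCs:
memory-dump labels become (pid, index, start, end) regions that can be grouped
to spot the same mapping dumped repeatedly, dropped files become hash sets, and
PTR query names are turned back into the IPv4 addresses they looked up."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

MEM_DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PTR_NAME = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


@dataclass(frozen=True)
class MemRegion:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def normalize_path(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) and upper-case the drive letter."""
    if path.startswith("\\??\\"):
        path = path[4:]
    drive, _, rest = path.partition(":")
    return drive.upper() + ":" + rest


def parse_files_section(text: str):
    """Return (list of MemRegion, {normalized path: {algo: digest}})."""
    regions, files, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            regions.append(MemRegion(int(m["pid"]), int(m["idx"]),
                                     int(m["start"], 16), int(m["end"], 16)))
            current = None          # hash lines never belong to a dump entry
            continue
        h = HASH_LINE.match(line)
        if h and current is not None:
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{current}: {algo} digest has {len(digest)} hex chars")
            files[current][algo] = digest
            continue
        if line.startswith(("C:\\", "c:\\", "\\??\\")):
            current = normalize_path(line)
            files.setdefault(current, {})
    return regions, files


def repeated_mappings(regions):
    """Count how often each (pid, start, end) range was dumped."""
    return Counter((r.pid, r.start, r.end) for r in regions)


def ptr_to_ip(name: str):
    """Decode a.b.c.d.in-addr.arpa to the address d.c.b.a, or None if malformed."""
    m = PTR_NAME.match(name.strip().rstrip("."))
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
    except ipaddress.AddressValueError:
        return None


# Constructed excerpt copied from the behavioral2 Files section of this report.
SAMPLE_FILES = r"""
memory/3544-1-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp
memory/3544-6-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp
memory/3544-2-0x000000001BA30000-0x000000001BA8C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\cicqfncx.cmdline
MD5 237b0973176275801227e53857e168eb
SHA1 053168a04eca46c7ed2d0fbede5fcde5ecf9a787
SHA256 f4d8f31c5155185ba087780eed3fcf3a1b6b33a7b5f3da9010c5a2f88dfea821
SHA512 63cef8c2ec7a1bcfba32b2c52101b62c131c57f7a2e63d9b1a5d406329cb2fec3db16198cc8346a69c2753e12adf3bedcb89a31c2cb2591cbcdf0dfdc039db52
memory/2212-16-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cicqfncx.dll
MD5 fb9793bd8f7f39fa4c6547b3d68bbb48
SHA1 6587951cbeb9766911306a2f1b46b90f2ad28f70
SHA256 8ad44447e6f60ba4fb34b587936d56608fce83e8b7951f9feff1488192df3f53
SHA512 6d5d4dc6cf74e94c3f73bbee6a234704198a03232a3e20887ab20cfb4efd2b547f944b1e4df4f58f7720b9eed4a21636ea2a1a2633bc64a5d67d661e10e81492
"""

if __name__ == "__main__":
    regions, files = parse_files_section(SAMPLE_FILES)
    for (pid, start, end), n in repeated_mappings(regions).items():
        print(f"pid {pid}: {start:#x}-{end:#x} ({end - start:#x} bytes) dumped {n}x")
    for path, hashes in files.items():
        print(path, hashes.get("SHA256"))
    print(ptr_to_ip("97.17.167.52.in-addr.arpa"))
```

Grouping the dumps by (pid, start, end) is what makes the repeated 0x9A1000-byte mapping stand out as one module captured several times rather than six different artifacts, and validating digest lengths catches the truncated hashes that copy-paste from reports like this one often produces.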