Analysis Overview
SHA256
4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e
Threat Level: Known bad
The file 4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e was found to be: Known bad.
Malicious Activity Summary
Orcurs Rat Executable
Orcus family
Orcus main payload
Drops desktop.ini file(s)
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-01-21 01:07
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-21 01:07
Reported
2025-01-21 01:09
Platform
win7-20240903-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe
"C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iaxpx7wz.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B52.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6B51.tmp"
Network
Files
\??\c:\Users\Admin\AppData\Local\Temp\iaxpx7wz.cmdline
| MD5 | a999037a9d55152f06b64fa9204d0c55 |
| SHA1 | a7b11a08e8f4e8b43e1dfcfcd01e9d4690c723d4 |
| SHA256 | 75915511904ab45154578cce15713bc8ca32a026360d8a0b98118e740033dfd2 |
| SHA512 | 37ff8bbfbc31d7a265ab3ae5e1abe78dd210125215de7d1acec5e823870f3eed6daec5b3e6fc1e460e4da4be6b3cef9004211bd6556cd08fb04387512d252931 |
\??\c:\Users\Admin\AppData\Local\Temp\iaxpx7wz.0.cs
| MD5 | c555d9796194c1d9a1310a05a2264e08 |
| SHA1 | 82641fc4938680519c3b2e925e05e1001cbd71d7 |
| SHA256 | ccbb8fd27ab2f27fbbd871793886ff52ff1fbd9117c98b8d190c1a96b67e498a |
| SHA512 | 0b85ca22878998c7697c589739905b218f9b264a32c8f99a9f9dd73d0687a5de46cc7e851697ee16424baf94d301e411648aa2d061ac149a6d2e06b085e07090 |
memory/2848-18-0x000000001AD10000-0x000000001AD26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iaxpx7wz.dll
| MD5 | d649d9cbf352d9c0a19edb56d1793ca4 |
| SHA1 | e75720501c02fc4986c6292569c04319d122db36 |
| SHA256 | e4e6f124f7c7621c5e11b6c5611d8333d4aa1782f284623fd022693569dd07cf |
| SHA512 | c768b03528ee2cb4ea59fc0c4006b7bb4124902f9b963f8b65f7028912a76b6a5c78e15b1c8e58c75a1e1684f938d45cabeddedd38d3a150a75d1447426148c4 |
C:\Users\Admin\AppData\Local\Temp\RES6B52.tmp
| MD5 | bd2ddebcfed188cb515fbcc5938b18fe |
| SHA1 | b9c2f4424f94d5e6dcffd08f25419f46b6806aa2 |
| SHA256 | 18f0b59948f7442467b7fd73ca2550148425e57711ed25e731baa32ed0752b26 |
| SHA512 | d3cdc6055b0e646d1707dcc86218a4fccec8cfa851fcd82f1df5002c2f1f20c0668fd4fed7808add87b7a90886db2982625d6a08a71c60e1f338039058d4f4c2 |
memory/2712-14-0x000007FEF57E0000-0x000007FEF617D000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC6B51.tmp
| MD5 | 7d38974d517c1e9c8ba2a7987cbf95f2 |
| SHA1 | efab5a16fbcfd30d3f91fa16348c8eb1ce28d7e9 |
| SHA256 | 25d0adb79f852c4ca5256623ebedff5d8d7c8288c85e915f3024e7d8819a7276 |
| SHA512 | 1e22d812679b757aa298601dc914de081ae259fef83981f8f5d91ce9977fb21a89aa989be576f97df59793af5c71f467d7e6d170b9a24e3275ded85eab9ee0ef |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-21 01:07
Reported
2025-01-21 01:09
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
144s
Command Line
Signatures
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | N/A |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3544 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 3544 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe |
| PID 2212 wrote to memory of 408 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
| PID 2212 wrote to memory of 408 | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe
"C:\Users\Admin\AppData\Local\Temp\4507cd3211bb9010fe7f00f553d270d2cdbf9cfc2d9e179ac7ec914fb99e791e.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cicqfncx.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB68.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFB67.tmp"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\cicqfncx.cmdline
| MD5 | 237b0973176275801227e53857e168eb |
| SHA1 | 053168a04eca46c7ed2d0fbede5fcde5ecf9a787 |
| SHA256 | f4d8f31c5155185ba087780eed3fcf3a1b6b33a7b5f3da9010c5a2f88dfea821 |
| SHA512 | 63cef8c2ec7a1bcfba32b2c52101b62c131c57f7a2e63d9b1a5d406329cb2fec3db16198cc8346a69c2753e12adf3bedcb89a31c2cb2591cbcdf0dfdc039db52 |
\??\c:\Users\Admin\AppData\Local\Temp\cicqfncx.0.cs
| MD5 | 57f0d56fe55220433d23651cf2ba66e3 |
| SHA1 | 581a45ad54bb4c5bd50fad86a26824bc60b0e834 |
| SHA256 | de983c110f8aaf7f7049514cd3dd908292d0b7f18ae274cdcecaa1e3db708ff5 |
| SHA512 | d54196f3de01924b5d625ab5de8d6d8809211935461509b13043b618b746a99a45c9d0945dc0ca5d8b9250142f5dea9761224b1fa14bc79e83df8c5f8b85b01d |
memory/2212-16-0x00007FFCD4260000-0x00007FFCD4C01000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSCFB67.tmp
| MD5 | 19ea4a6c3c320f343a0307297b96f7fe |
| SHA1 | 2a0d07d0752a8aed2c1474cb5cbe49bf5900d1af |
| SHA256 | 22a2124168ac20074f68b60a477a147fd61bc274a5bd479177ea9074642e7065 |
| SHA512 | 9bd660a9b9bbda30ad06018abce95f3f6977b734d8db87cccffaecaf1313e45d91f1620d1c5014486bc34a1a81157d8928f2aa9b1780e53635dd42b2bef25a76 |
C:\Users\Admin\AppData\Local\Temp\RESFB68.tmp
| MD5 | dce1f346a5689edad78b9bacc51da97f |
| SHA1 | 8f186ca039fb6138cd4f638422db8f9fe59ca181 |
| SHA256 | 5947f0d4f09a30e8f15a8b4814a2b72549e4e348256e495c60da8212d7cbfe18 |
| SHA512 | f9545b10a97e928e1d83242303827d0337222b5d0411985cc1c95d65ab2156e2b3dba7f4361c330b52516d80d2ea8970039c96caa802c1f48ec32cae7ac9fc58 |
C:\Users\Admin\AppData\Local\Temp\cicqfncx.dll
| MD5 | fb9793bd8f7f39fa4c6547b3d68bbb48 |
| SHA1 | 6587951cbeb9766911306a2f1b46b90f2ad28f70 |
| SHA256 | 8ad44447e6f60ba4fb34b587936d56608fce83e8b7951f9feff1488192df3f53 |
| SHA512 | 6d5d4dc6cf74e94c3f73bbee6a234704198a03232a3e20887ab20cfb4efd2b547f944b1e4df4f58f7720b9eed4a21636ea2a1a2633bc64a5d67d661e10e81492 |