Analysis Overview
SHA256: 562a88dd72bb03a4e99227652424e2f96b5172007a4331e9f208c4bf5b4b3ef3
Threat Level: Known bad
The file ya nigga.exe was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcus main payload
Orcurs Rat Executable
Orcus family
Loads dropped DLL
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-01-25 13:46
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-01-25 13:46
Reported: 2025-01-25 13:49
Platform: win7-20240729-en
Max time kernel: 63s
Max time network: 126s
Command Line
Signatures
Orcus
Orcus family
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ya nigga.exe
"C:\Users\Admin\AppData\Local\Temp\ya nigga.exe"
Network
| Country | Destination | Domain | Proto |
| PL | 79.163.232.122:10134 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab8401.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
Analysis: behavioral2
Detonation Overview
Submitted: 2025-01-25 13:46
Reported: 2025-01-25 13:49
Platform: win10v2004-20241007-en
Max time kernel: 142s
Max time network: 154s
Command Line
Signatures
Orcus
Orcus family
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ya nigga.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ya nigga.exe
"C:\Users\Admin\AppData\Local\Temp\ya nigga.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\InstallMount.vbe"
Network
| Country | Destination | Domain | Proto |
| PL | 79.163.232.122:10134 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\SharpDX.dll
| MD5 | ffb4b61cc11bec6d48226027c2c26704 |
| SHA1 | fa8b9e344accbdc4dffa9b5d821d23f0716da29e |
| SHA256 | 061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303 |
| SHA512 | 48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9 |
C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\SharpDX.Direct3D11.dll
| MD5 | 98eb5ba5871acdeaebf3a3b0f64be449 |
| SHA1 | c965284f60ef789b00b10b3df60ee682b4497de3 |
| SHA256 | d7617d926648849cbfef450b8f48e458ee52e2793fb2251a30094b778aa8848c |
| SHA512 | a60025e304713d333e4b82b2d0be28087950688b049c98d2db5910c00b8d45b92e16d25ac8a58ff1318de019de3a9a00c7cbf8a6ad4b5bb1cb175dafa1b9bea2 |
C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\SharpDX.Direct3D9.dll
| MD5 | 934da0e49208d0881c44fe19d5033840 |
| SHA1 | a19c5a822e82e41752a08d3bd9110db19a8a5016 |
| SHA256 | 02da4af8cd4a8de19d816000caaae885e676b9e52f136ff071a279c2b8ad34c7 |
| SHA512 | de62f629c2299b50af62893244a28895d63b78138c8632449984306f45de16bd01076eadbb0d75a700215e970c1df731e202ea640236c0f0da6ed15146193b59 |
C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\SharpDX.DXGI.dll
| MD5 | 2b44c70c49b70d797fbb748158b5d9bb |
| SHA1 | 93e00e6527e461c45c7868d14cf05c007e478081 |
| SHA256 | 3762d43c83af69cd38c9341a927ca6bd00f6bae8217c874d693047d6df4705bf |
| SHA512 | faced62f6ecbfa2ee0d7a47e300302d23030d1f28758cbe9c442e9d8d4f8359c59088aa6237a28103e43d248c8efc7eeaf2c184028701b752df6cce92d6854d0 |
C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\TurboJpegWrapper.dll
| MD5 | ac6acc235ebef6374bed71b37e322874 |
| SHA1 | a267baad59cd7352167636836bad4b971fcd6b6b |
| SHA256 | 047b042cebf4c851f0d14f85f16ce952f03e48c20362d4ed9390875d4900fe96 |
| SHA512 | 72ac8b8c8f27264cc261297c325d14a0be2084d007c6132ab8402d87f912fe9189cb074db11625d9f86d29a6188f22a89e58ae45c9131fac4522473567017081 |
C:\Users\Admin\AppData\Roaming\Orcus\lib_75ca5c5640914a7395cf7a069406fd0e\x86\turbojpeg.dll
| MD5 | 82898ed19da89d7d44e280a3ced95e9b |
| SHA1 | eec0af5733c642eac8c5e08479f462d1ec1ed4db |
| SHA256 | 5f4b9f8360764d75c9faaecd94f6d200c54611b33064cd216e363d973dae7c29 |
| SHA512 | ee7b884ce7d7366ee28fb17721b6c89bd4eba8fb373cdbb483e26a4ed7a74ab5db847513c54704d753d77a7e18b1fb9fee90ed6bbc0540bff702273fda36b682 |