2440ed39a2aa011fde6337c3cb2b9cc6554a16318fce7180adc8c18d7076f3ae

Analysis

max time kernel
149s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/02/2025, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orcus swapper.exe
Size

901KB
MD5

c1550485609b58f6c391723124e44983
SHA1

a8f215ac5ab3c38639d2b79e871ba470b5184528
SHA256

2440ed39a2aa011fde6337c3cb2b9cc6554a16318fce7180adc8c18d7076f3ae
SHA512

e6cb0f54f0695e58e8e34eb9e13be2ab759bf12390ba1567afb790094f968a1ddd83e35981c6c80ef41ba2ebbf14ff134efe023a5049b989777476cf8ad08e98
SSDEEP

12288:XTUZ/Y95eo6L4ce7dG1lFlWcYT70pxnnaaoawZRVcTqSA+9rZNrI0AilFEvxHvBG:zqI4MROxnFMLqrZlI0AilFEvxHiTL

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Orcus swapper.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Orcus swapper.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	Orcus swapper.exe
File opened for modification	C:\Windows\assembly	Orcus swapper.exe
File created	C:\Windows\assembly\Desktop.ini	Orcus swapper.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 3352	3796	Orcus swapper.exe	83
PID 3796 wrote to memory of 3352	3796	Orcus swapper.exe	83
PID 3352 wrote to memory of 2084	3352	csc.exe	85
PID 3352 wrote to memory of 2084	3352	csc.exe	85

C:\Users\Admin\AppData\Local\Temp\Orcus swapper.exe
"C:\Users\Admin\AppData\Local\Temp\Orcus swapper.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vejjubb6.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8250.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC824F.tmp"
    3⤵
    PID:2084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8250.tmp

Filesize
1KB

MD5
291604a8e0e6180c2f4e2501d6c70787

SHA1
d37cc634e3c1bda828be8d9ab923a1fa980e92c1

SHA256
de5c1b94604bc20e42eec235beb78da3bcd0b301f3c38ad04770730a48b212c5

SHA512
13ec27140f98892cb7c61263ffdd8280867c684d45b3e9746dfe35e431d272a82705a508119a483f8c96eb360fbe458c8602ea5f2e80a4fbd8c6eb352b56baa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vejjubb6.dll

Filesize
76KB

MD5
e332c4999c662da99cff427b9d723981

SHA1
605224090acf123b7e25afb90ee9a47d5d6a05c6

SHA256
ee211b6dc6eb480f26f01555c348091a649e4088b15cfbe839687e6a4002b77b

SHA512
fce97d4c8ae006f2d00234eb29e6b604aa5ef650ccc7bbae10a8dc3e9b780894f08484ca76e91e94197d669975e18210c1f02dfbae04ecee4d30e87256b92a32

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC824F.tmp

Filesize
676B

MD5
27d947d0061694911483de09d22d8e12

SHA1
28b1c1c9f77e78751b6e9b06b68743f527cf73e0

SHA256
36dcb5e6ba3d9ddd4e1cfb6754fb3584809dc8014023776d536ee5540b797db3

SHA512
91786fe9995459f03f61c4f138ba70034e4d9fb993a9f3141b83bfd3f04329a060e3e122dccc4d3fd233d99c5fb95d5995cfe5d77c68c63c1c8e37d481997b77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vejjubb6.0.cs

Filesize
208KB

MD5
c10c692e64909490d5dfcced00bab1fc

SHA1
5ed3c7d7c9fc19db978726b4fbb94682f584a5a2

SHA256
4bb992279412956c9cf371dd092848749c6c15fd753358e2d770e790a0ab8d21

SHA512
4e2deb1b751a250395e0480885d22f21bb47f5760e01a7067f887c4618858b11bba7d95784988d96a6f3ccf08e7e3984c72f71258ead4c850538a97c5c1961e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vejjubb6.cmdline

Filesize
349B

MD5
ba83314ce00c43bff7b476fda6cd51f3

SHA1
475f0d76f959db6f66f50dacd470e727dda38d68

SHA256
d08099cd9f1f6598b2d95b264c06eba14095dc3f667833118fef67ca5c41971f

SHA512
46c6842f0fd15152c3d60ed7d12b10f6297ef5da7cea5623b05eab221b33feb121b074b6110d7cd428a3bfc1ca4328ddab796b1ef04b64e77607e71208f1070c

Download Submit
memory/3352-21-0x00007FFDD7710000-0x00007FFDD80B1000-memory.dmp

Filesize
9.6MB

Download
memory/3352-16-0x00007FFDD7710000-0x00007FFDD80B1000-memory.dmp

Filesize
9.6MB

Download
memory/3796-7-0x000000001C710000-0x000000001CBDE000-memory.dmp

Filesize
4.8MB

Download
memory/3796-23-0x000000001D340000-0x000000001D356000-memory.dmp

Filesize
88KB

Download
memory/3796-0-0x00007FFDD79C5000-0x00007FFDD79C6000-memory.dmp

Filesize
4KB

Download
memory/3796-6-0x00007FFDD7710000-0x00007FFDD80B1000-memory.dmp

Filesize
9.6MB

Download
memory/3796-5-0x000000001C230000-0x000000001C23E000-memory.dmp

Filesize
56KB

Download
memory/3796-2-0x000000001B730000-0x000000001B78C000-memory.dmp

Filesize
368KB

Download
memory/3796-1-0x00007FFDD7710000-0x00007FFDD80B1000-memory.dmp

Filesize
9.6MB

Download
memory/3796-8-0x000000001CC80000-0x000000001CD1C000-memory.dmp

Filesize
624KB

Download
memory/3796-25-0x0000000001150000-0x0000000001162000-memory.dmp

Filesize
72KB

Download
memory/3796-26-0x0000000001110000-0x0000000001118000-memory.dmp

Filesize
32KB

Download
memory/3796-27-0x00007FFDD7710000-0x00007FFDD80B1000-memory.dmp

Filesize
9.6MB

Download
memory/3796-28-0x00007FFDD79C5000-0x00007FFDD79C6000-memory.dmp

Filesize
4KB

Download
memory/3796-29-0x00007FFDD7710000-0x00007FFDD80B1000-memory.dmp

Filesize
9.6MB

Download
memory/3796-30-0x00007FFDD7710000-0x00007FFDD80B1000-memory.dmp

Filesize
9.6MB

Download
memory/3796-31-0x00007FFDD7710000-0x00007FFDD80B1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads