8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964

General

Target

Orcus.Administration.exe
Size

16.0MB
MD5

7f7b2703abcebcb2d71f39bd52d1f769
SHA1

0f51575722ef821a518424ac63c4b88180cad283
SHA256

8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964
SHA512

d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc
SSDEEP

24576:RCRS04YNEMuExDiU6E5R9s8xY/2l/djJ5dtsPxNGfRBeIbt+rfUpbknyy:RCT4auS+UjfU2T95XDjeIbt+rubknyy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1356	AudioDriver.exe

Loads dropped DLL 2 IoCs

pid	Process
2052	Orcus.Administration.exe
1356	AudioDriver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Windows\CurrentVersion\Run\RESTART_STICKY_NOTES = "C:\\Windows\\system32\\StikyNot.exe"	StikyNot.exe
Key created	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Windows\CurrentVersion\Run	StikyNot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe
1356	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	AudioDriver.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1308	StikyNot.exe
1308	StikyNot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1356	AudioDriver.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1356	2052	Orcus.Administration.exe	29
PID 2052 wrote to memory of 1356	2052	Orcus.Administration.exe	29
PID 2052 wrote to memory of 1356	2052	Orcus.Administration.exe	29
PID 2052 wrote to memory of 1356	2052	Orcus.Administration.exe	29

C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe
"C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1356

C:\Windows\system32\StikyNot.exe
"C:\Windows\system32\StikyNot.exe"
1⤵
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab4943.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
16.0MB

MD5
7f7b2703abcebcb2d71f39bd52d1f769

SHA1
0f51575722ef821a518424ac63c4b88180cad283

SHA256
8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964

SHA512
d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
16.0MB

MD5
7f7b2703abcebcb2d71f39bd52d1f769

SHA1
0f51575722ef821a518424ac63c4b88180cad283

SHA256
8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964

SHA512
d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
16.0MB

MD5
7f7b2703abcebcb2d71f39bd52d1f769

SHA1
0f51575722ef821a518424ac63c4b88180cad283

SHA256
8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964

SHA512
d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc

Download Submit
\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
16.0MB

MD5
7f7b2703abcebcb2d71f39bd52d1f769

SHA1
0f51575722ef821a518424ac63c4b88180cad283

SHA256
8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964

SHA512
d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc

Download Submit
memory/1308-97-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1356-104-0x0000000001160000-0x000000000116C000-memory.dmp

Filesize
48KB

Download
memory/1356-103-0x0000000001150000-0x0000000001166000-memory.dmp

Filesize
88KB

Download
memory/1356-101-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1356-100-0x00000000012D0000-0x0000000001310000-memory.dmp

Filesize
256KB

Download
memory/1356-69-0x0000000001310000-0x0000000001462000-memory.dmp

Filesize
1.3MB

Download
memory/1356-70-0x00000000012D0000-0x0000000001310000-memory.dmp

Filesize
256KB

Download
memory/1356-71-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/1356-99-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1356-98-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

Filesize
48KB

Download
memory/2052-54-0x0000000000EF0000-0x0000000001042000-memory.dmp

Filesize
1.3MB

Download
memory/2052-55-0x00000000004B0000-0x00000000004BA000-memory.dmp

Filesize
40KB

Download
memory/2052-56-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2052-62-0x0000000000C20000-0x0000000000C6E000-memory.dmp

Filesize
312KB

Download
memory/2052-57-0x0000000000A60000-0x0000000000AAC000-memory.dmp

Filesize
304KB

Download
memory/2052-58-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/2052-59-0x00000000056E0000-0x0000000005798000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing