8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orcus.Administration.exe
Size

16.0MB
MD5

7f7b2703abcebcb2d71f39bd52d1f769
SHA1

0f51575722ef821a518424ac63c4b88180cad283
SHA256

8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964
SHA512

d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc
SSDEEP

24576:RCRS04YNEMuExDiU6E5R9s8xY/2l/djJ5dtsPxNGfRBeIbt+rfUpbknyy:RCT4auS+UjfU2T95XDjeIbt+rubknyy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	Orcus.Administration.exe

Executes dropped EXE 1 IoCs

pid	Process
4712	AudioDriver.exe

Loads dropped DLL 1 IoCs

pid	Process
4712	AudioDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4712	AudioDriver.exe
4712	AudioDriver.exe
4712	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	AudioDriver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4712	AudioDriver.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 4712	2440	Orcus.Administration.exe	86
PID 2440 wrote to memory of 4712	2440	Orcus.Administration.exe	86
PID 2440 wrote to memory of 4712	2440	Orcus.Administration.exe	86

C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe
"C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
16.0MB

MD5
7f7b2703abcebcb2d71f39bd52d1f769

SHA1
0f51575722ef821a518424ac63c4b88180cad283

SHA256
8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964

SHA512
d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
16.0MB

MD5
7f7b2703abcebcb2d71f39bd52d1f769

SHA1
0f51575722ef821a518424ac63c4b88180cad283

SHA256
8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964

SHA512
d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
16.0MB

MD5
7f7b2703abcebcb2d71f39bd52d1f769

SHA1
0f51575722ef821a518424ac63c4b88180cad283

SHA256
8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964

SHA512
d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc

Download Submit
memory/2440-135-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/2440-136-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/2440-134-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/2440-133-0x00000000000C0000-0x0000000000212000-memory.dmp

Filesize
1.3MB

Download
memory/2440-137-0x0000000005160000-0x00000000051C6000-memory.dmp

Filesize
408KB

Download
memory/4712-161-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/4712-152-0x0000000006850000-0x0000000006A12000-memory.dmp

Filesize
1.8MB

Download
memory/4712-151-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/4712-162-0x0000000007C80000-0x0000000008298000-memory.dmp

Filesize
6.1MB

Download
memory/4712-163-0x00000000076A0000-0x00000000076B2000-memory.dmp

Filesize
72KB

Download
memory/4712-164-0x0000000007700000-0x000000000773C000-memory.dmp

Filesize
240KB

Download
memory/4712-165-0x00000000078D0000-0x00000000079DA000-memory.dmp

Filesize
1.0MB

Download
memory/4712-166-0x00000000087D0000-0x0000000008CFC000-memory.dmp

Filesize
5.2MB

Download
memory/4712-167-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/4712-168-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/4712-170-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download