Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/07/2023, 20:18
Static task: static1
Behavioral task: behavioral1
- Sample: Orcus.Administration.exe
- Resource: win7-20230703-en
Behavioral task: behavioral2
- Sample: Orcus.Administration.exe
- Resource: win10v2004-20230703-en
General
- Target: Orcus.Administration.exe
- Size: 16.0MB
- MD5: 7f7b2703abcebcb2d71f39bd52d1f769
- SHA1: 0f51575722ef821a518424ac63c4b88180cad283
- SHA256: 8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964
- SHA512: d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc
- SSDEEP: 24576:RCRS04YNEMuExDiU6E5R9s8xY/2l/djJ5dtsPxNGfRBeIbt+rfUpbknyy:RCT4auS+UjfU2T95XDjeIbt+rubknyy
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation
  Process: Orcus.Administration.exe
- Executes dropped EXE (1 IoC)
  pid: 4712 | Process: AudioDriver.exe
- Loads dropped DLL (1 IoC)
  pid: 4712 | Process: AudioDriver.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 4712 | Process: AudioDriver.exe
  pid: 4712 | Process: AudioDriver.exe
  pid: 4712 | Process: AudioDriver.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege | pid: 4712 | Process: AudioDriver.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 4712 | Process: AudioDriver.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2440 wrote to memory of 4712 | pid: 2440 | Process: Orcus.Administration.exe | procid_target: 86
  description: PID 2440 wrote to memory of 4712 | pid: 2440 | Process: Orcus.Administration.exe | procid_target: 86
  description: PID 2440 wrote to memory of 4712 | pid: 2440 | Process: Orcus.Administration.exe | procid_target: 86
Processes
- C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Orcus.Administration.exe"
  PID: 2440
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe (depth 2, child of PID 2440)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
    PID: 4712
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 626KB
  MD5: d8aec01ff14e3e7ad43a4b71e30482e4
  SHA1: e3015f56f17d845ec7eef11d41bbbc28cc16d096
  SHA256: da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e
  SHA512: f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf
- Filesize: 16.0MB
  MD5: 7f7b2703abcebcb2d71f39bd52d1f769
  SHA1: 0f51575722ef821a518424ac63c4b88180cad283
  SHA256: 8a3d0732066d784b2cadbe9b3d227f3a7df322f28afaae6bcb5ba8d45bd03964
  SHA512: d09d7b73232eef2b07db8cdf179a792a0639bb4a4eb656ae24f72cf717ec07e31a45aace639b690bf3c03a9b5a9c4b47e38d101283613fbb53f44004612928dc