orcus | 5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
Size

1.2MB
MD5

8ab48c46fae7d005aa5f3a058d567517
SHA1

6a1acf1f9d78c295e98903cc60b6eb72f818c487
SHA256

5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d
SHA512

d477529724f2fd26a5fe1c7406c32009f8661ae28b0ff4cf0598cd2975ee243389963b34a499d5f510a4e641cabdfb8f17c9a434d757cd31573e6efd7a66c002
SSDEEP

24576:rwVTXJvatkjAE+k/7aygMpbUdtoQVj020iDqxJooLUcdJYRkH:KTQujL+hMyhVj8y8J7UcGm

Score

10^/10

orcus cuties discovery execution rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

cuties

5virginia-evil.gl.at.ply.gg

Mutex

c75fa2addeaf42abb9797c0d693eca2b

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
10/27/2024 02:14:09
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgNwA2ADkAMwA2AGQAMQAzAGMAYQAwAGMANAA5ADQANgA5AGIAMgBkAGUAOAA5ADQAMAAxADkANABiAGEAMAAzAAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDAAYQA4ADAANgA5AGMAZAA2AGUAMwA1ADQANAA1ADQAYQBkADMAOAAwAGQANABjAGIAYQA4ADYANQA2ADAANwABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIDQAZAA0ADEAYQAwADEAMgBkADgAMwBlADQAOABmADQAYQAxADEAYQBiAGYAYwA3ADMAMQBkADIAOQAwAGEAYwACAAYG
reconnect_delay
10000
registry_autostart_keyname
cmd
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Executes dropped EXE 2 IoCs

pid	Process
2900	AudioDriver.exe
2760	AudioDriver.exe

Loads dropped DLL 3 IoCs

pid	Process
2464	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
2900	AudioDriver.exe
2760	AudioDriver.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe
2420	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	33
PID 2900 set thread context of 2760	2900	AudioDriver.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2792	powershell.exe
2420	powershell.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2760	AudioDriver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2760	AudioDriver.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2792	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	31
PID 2264 wrote to memory of 2792	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	31
PID 2264 wrote to memory of 2792	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	31
PID 2264 wrote to memory of 2792	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	31
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	33
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	33
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	33
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	33
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	33
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	33
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	33
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	33
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	33
PID 2464 wrote to memory of 2900	2464	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	34
PID 2464 wrote to memory of 2900	2464	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	34
PID 2464 wrote to memory of 2900	2464	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	34
PID 2464 wrote to memory of 2900	2464	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	34
PID 2900 wrote to memory of 2420	2900	AudioDriver.exe	35
PID 2900 wrote to memory of 2420	2900	AudioDriver.exe	35
PID 2900 wrote to memory of 2420	2900	AudioDriver.exe	35
PID 2900 wrote to memory of 2420	2900	AudioDriver.exe	35
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	37
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	37
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	37
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	37
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	37
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	37
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	37
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	37
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	37

C:\Users\Admin\AppData\Local\Temp\5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
"C:\Users\Admin\AppData\Local\Temp\5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
  #cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2420
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
      #cmd
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
38d21b03c56894f3c77a19d0b1baa022

SHA1
9f3f06557952b7581f9b877abda6d856b34a2b0f

SHA256
5064f6035653a1e916f30af10d3c076d958788910122a4c5f2b92b2d537158a5

SHA512
2669d0dc090e7d8f6da422360f26dc7e029bdb08a0ef3a0e8f8434ad9cf429748a5499466a19490c3041b3b06688c2396d6489cbe33f06dc8cb26dc97eb4a734

Download Submit
\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
1.2MB

MD5
8ab48c46fae7d005aa5f3a058d567517

SHA1
6a1acf1f9d78c295e98903cc60b6eb72f818c487

SHA256
5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d

SHA512
d477529724f2fd26a5fe1c7406c32009f8661ae28b0ff4cf0598cd2975ee243389963b34a499d5f510a4e641cabdfb8f17c9a434d757cd31573e6efd7a66c002

Download Submit
memory/2264-17-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-1-0x0000000000A30000-0x0000000000B66000-memory.dmp

Filesize
1.2MB

Download
memory/2264-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2464-9-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-14-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-16-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2464-18-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2464-7-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-20-0x0000000000770000-0x00000000007BC000-memory.dmp

Filesize
304KB

Download
memory/2464-22-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/2464-21-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2464-23-0x0000000004A20000-0x0000000004AD8000-memory.dmp

Filesize
736KB

Download
memory/2464-26-0x00000000009E0000-0x0000000000A2E000-memory.dmp

Filesize
312KB

Download
memory/2464-12-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-6-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-5-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2760-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-55-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2760-63-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2792-19-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/2900-33-0x0000000001380000-0x00000000014B6000-memory.dmp

Filesize
1.2MB

Download