orcus | 5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d

General

Target

5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
Size

1.2MB
MD5

8ab48c46fae7d005aa5f3a058d567517
SHA1

6a1acf1f9d78c295e98903cc60b6eb72f818c487
SHA256

5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d
SHA512

d477529724f2fd26a5fe1c7406c32009f8661ae28b0ff4cf0598cd2975ee243389963b34a499d5f510a4e641cabdfb8f17c9a434d757cd31573e6efd7a66c002
SSDEEP

24576:rwVTXJvatkjAE+k/7aygMpbUdtoQVj020iDqxJooLUcdJYRkH:KTQujL+hMyhVj8y8J7UcGm

Score

10^/10

orcus cuties discovery execution rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

cuties

C2

5virginia-evil.gl.at.ply.gg

Mutex

c75fa2addeaf42abb9797c0d693eca2b

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
10/27/2024 02:14:09
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgNwA2ADkAMwA2AGQAMQAzAGMAYQAwAGMANAA5ADQANgA5AGIAMgBkAGUAOAA5ADQAMAAxADkANABiAGEAMAAzAAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDAAYQA4ADAANgA5AGMAZAA2AGUAMwA1ADQANAA1ADQAYQBkADMAOAAwAGQANABjAGIAYQA4ADYANQA2ADAANwABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIDQAZAA0ADEAYQAwADEAMgBkADgAMwBlADQAOABmADQAYQAxADEAYQBiAGYAYwA3ADMAMQBkADIAOQAwAGEAYwACAAYG
reconnect_delay
10000
registry_autostart_keyname
cmd
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus
Executes dropped EXE 2 IoCs

Processes:

AudioDriver.exeAudioDriver.exe

pid process

2900 AudioDriver.exe
2760 AudioDriver.exe
Loads dropped DLL 3 IoCs

Processes:

5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exeAudioDriver.exeAudioDriver.exe

pid process

2464 5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
2900 AudioDriver.exe
2760 AudioDriver.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2792 powershell.exe
2420 powershell.exe

pid	process
2900	AudioDriver.exe
2760	AudioDriver.exe

pid	process
2464	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
2900	AudioDriver.exe
2760	AudioDriver.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exeAudioDriver.exe

description	pid	process	target process
PID 2264 set thread context of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
PID 2900 set thread context of 2760	2900	AudioDriver.exe	AudioDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exeAudioDriver.exepowershell.exeAudioDriver.exe5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

powershell.exepowershell.exeAudioDriver.exe

pid	process
2792	powershell.exe
2420	powershell.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe
2760	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeAudioDriver.exe

description pid process

Token: SeDebugPrivilege 2792 powershell.exe
Token: SeDebugPrivilege 2420 powershell.exe
Token: SeDebugPrivilege 2760 AudioDriver.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AudioDriver.exe

pid process

2760 AudioDriver.exe

description	pid	process
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2760	AudioDriver.exe

pid	process
2760	AudioDriver.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exeAudioDriver.exe

description	pid	process	target process
PID 2264 wrote to memory of 2792	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	powershell.exe
PID 2264 wrote to memory of 2792	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	powershell.exe
PID 2264 wrote to memory of 2792	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	powershell.exe
PID 2264 wrote to memory of 2792	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	powershell.exe
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
PID 2264 wrote to memory of 2464	2264	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
PID 2464 wrote to memory of 2900	2464	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	AudioDriver.exe
PID 2464 wrote to memory of 2900	2464	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	AudioDriver.exe
PID 2464 wrote to memory of 2900	2464	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	AudioDriver.exe
PID 2464 wrote to memory of 2900	2464	5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe	AudioDriver.exe
PID 2900 wrote to memory of 2420	2900	AudioDriver.exe	powershell.exe
PID 2900 wrote to memory of 2420	2900	AudioDriver.exe	powershell.exe
PID 2900 wrote to memory of 2420	2900	AudioDriver.exe	powershell.exe
PID 2900 wrote to memory of 2420	2900	AudioDriver.exe	powershell.exe
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	AudioDriver.exe
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	AudioDriver.exe
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	AudioDriver.exe
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	AudioDriver.exe
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	AudioDriver.exe
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	AudioDriver.exe
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	AudioDriver.exe
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	AudioDriver.exe
PID 2900 wrote to memory of 2760	2900	AudioDriver.exe	AudioDriver.exe

C:\Users\Admin\AppData\Local\Temp\5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
"C:\Users\Admin\AppData\Local\Temp\5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d.exe
  #cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2420
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
      #cmd
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
38d21b03c56894f3c77a19d0b1baa022

SHA1
9f3f06557952b7581f9b877abda6d856b34a2b0f

SHA256
5064f6035653a1e916f30af10d3c076d958788910122a4c5f2b92b2d537158a5

SHA512
2669d0dc090e7d8f6da422360f26dc7e029bdb08a0ef3a0e8f8434ad9cf429748a5499466a19490c3041b3b06688c2396d6489cbe33f06dc8cb26dc97eb4a734

Download Submit
\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
1.2MB

MD5
8ab48c46fae7d005aa5f3a058d567517

SHA1
6a1acf1f9d78c295e98903cc60b6eb72f818c487

SHA256
5d816fa5fb0796094c69484cd7fb9690fa50ff32591de7521a05f66d0066ee4d

SHA512
d477529724f2fd26a5fe1c7406c32009f8661ae28b0ff4cf0598cd2975ee243389963b34a499d5f510a4e641cabdfb8f17c9a434d757cd31573e6efd7a66c002

Download Submit
memory/2264-17-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-1-0x0000000000A30000-0x0000000000B66000-memory.dmp

Filesize
1.2MB

Download
memory/2264-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2464-9-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-14-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-16-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2464-18-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2464-7-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-20-0x0000000000770000-0x00000000007BC000-memory.dmp

Filesize
304KB

Download
memory/2464-22-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/2464-21-0x0000000000590000-0x0000000000598000-memory.dmp

Filesize
32KB

Download
memory/2464-23-0x0000000004A20000-0x0000000004AD8000-memory.dmp

Filesize
736KB

Download
memory/2464-26-0x00000000009E0000-0x0000000000A2E000-memory.dmp

Filesize
312KB

Download
memory/2464-12-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-6-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2464-5-0x0000000000400000-0x0000000000534000-memory.dmp

Filesize
1.2MB

Download
memory/2760-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-55-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2760-63-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2792-19-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/2900-33-0x0000000001380000-0x00000000014B6000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads