Malware Analysis Report

2025-01-22 14:46

Sample ID: 241125-bsa5zazrgx
Target: c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775
SHA256: c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775
Tags: orcus discovery rat spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775

Threat Level: Known bad

The file c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775 was found to be: Known bad.

Malicious Activity Summary

orcus discovery rat spyware stealer

Orcus

Orcus family

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-11-25 01:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-25 01:23
Reported: 2024-11-25 01:26
Platform: win7-20240903-en
Max time kernel: 147s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A (36 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775.exe

"C:\Users\Admin\AppData\Local\Temp\c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

Network

Country Destination Domain Proto
US 147.185.221.23:20214 tcp
US 8.8.8.8:53 communications-sugar.gl.at.ply.gg udp
US 147.185.221.23:20214 communications-sugar.gl.at.ply.gg tcp (11 identical connections)

Files

memory/2396-0-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

memory/2396-1-0x0000000000BF0000-0x0000000000CD6000-memory.dmp

memory/2396-2-0x00000000008D0000-0x00000000008DA000-memory.dmp

memory/2396-3-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/2396-4-0x0000000000B70000-0x0000000000BBC000-memory.dmp

memory/2396-5-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

memory/2396-6-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

memory/2396-9-0x0000000002150000-0x000000000219E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

MD5 13c37f5336c5b01da8a841d5d5ea5329
SHA1 8db6b841dda79c0deb73f2a98ad0f331566afd38
SHA256 c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775
SHA512 1228b8bd532604621abc5aa1e51cd3a29d3c4b79c2e113d366e9276ffb8af98b61f97eda459468d23ef41ff14ae1d8e96627d86b43bab540bcf2fcb8a1435cd7

memory/2396-16-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/2876-18-0x0000000000240000-0x0000000000326000-memory.dmp

memory/2876-19-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/2876-17-0x0000000073F20000-0x000000007460E000-memory.dmp

memory/2876-20-0x00000000003A0000-0x00000000003B0000-memory.dmp

memory/2876-21-0x0000000073F20000-0x000000007460E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-25 01:23
Reported: 2024-11-25 01:26
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A (36 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775.exe

"C:\Users\Admin\AppData\Local\Temp\c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 147.185.221.23:20214 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 communications-sugar.gl.at.ply.gg udp
US 147.185.221.23:20214 communications-sugar.gl.at.ply.gg tcp (11 identical connections)
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/3340-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

memory/3340-1-0x0000000000DF0000-0x0000000000ED6000-memory.dmp

memory/3340-2-0x0000000003380000-0x000000000338A000-memory.dmp

memory/3340-3-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/3340-4-0x0000000005E40000-0x00000000063E4000-memory.dmp

memory/3340-5-0x0000000005D40000-0x0000000005DD2000-memory.dmp

memory/3340-6-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

memory/3340-8-0x0000000005DF0000-0x0000000005DF8000-memory.dmp

memory/3340-7-0x0000000005D30000-0x0000000005D38000-memory.dmp

memory/3340-11-0x00000000063F0000-0x000000000643E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

MD5 13c37f5336c5b01da8a841d5d5ea5329
SHA1 8db6b841dda79c0deb73f2a98ad0f331566afd38
SHA256 c5c447a6588773bd4c9f8c9a078663b0b3f6d4c2036d1c2b983a39bca74c2775
SHA512 1228b8bd532604621abc5aa1e51cd3a29d3c4b79c2e113d366e9276ffb8af98b61f97eda459468d23ef41ff14ae1d8e96627d86b43bab540bcf2fcb8a1435cd7

memory/320-24-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/3340-23-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/320-25-0x00000000746D0000-0x0000000074E80000-memory.dmp

memory/320-26-0x0000000006740000-0x0000000006902000-memory.dmp

memory/320-27-0x0000000005F00000-0x0000000005F10000-memory.dmp

memory/320-28-0x0000000005FA0000-0x0000000005FAA000-memory.dmp

memory/320-29-0x00000000746D0000-0x0000000074E80000-memory.dmp