Analysis Overview
SHA256
60d79803c2b81c09f266a57c1e91476d1a5ef4abd3cccc113cd84077398edead
Threat Level: Known bad
The file example.exe was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcus family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Browser Information Discovery
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 16:31
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 16:31
Reported
2024-11-25 16:43
Platform
win7-20240903-en
Max time kernel
48s
Max time network
141s
Command Line
Signatures
Orcus
Orcus family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\example.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\example.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\example.exe
"C:\Users\Admin\AppData\Local\Temp\example.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef76a9758,0x7fef76a9768,0x7fef76a9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1400 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2160 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2168 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2808 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2888 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3532 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3668 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2536 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2916 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3900 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4088 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3880 --field-trial-handle=1220,i,10638838980491461906,14694091318888149560,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | during-interesting.gl.at.ply.gg | udp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | udp |
| US | 8.8.8.8:53 | cdn.prod.website-files.com | udp |
| US | 8.8.8.8:53 | cdn.localizeapi.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 104.18.161.117:443 | cdn.prod.website-files.com | tcp |
| GB | 142.250.179.234:443 | ajax.googleapis.com | tcp |
| US | 104.22.20.64:443 | cdn.localizeapi.com | tcp |
| US | 104.18.161.117:443 | cdn.prod.website-files.com | udp |
| US | 8.8.8.8:53 | d3e54v103j8qbb.cloudfront.net | udp |
| FR | 52.222.153.27:443 | d3e54v103j8qbb.cloudfront.net | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 104.18.161.117:443 | cdn.prod.website-files.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| US | 104.18.32.137:443 | geolocation.onetrust.com | tcp |
| GB | 142.250.200.14:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| GB | 142.250.200.14:443 | www.youtube.com | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| GB | 216.58.213.10:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.213.10:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.187.206:443 | play.google.com | tcp |
| GB | 142.250.187.206:443 | play.google.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.180.14:443 | consent.google.com | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | lh5.googleusercontent.com | udp |
| GB | 216.58.201.97:443 | lh5.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 104.18.161.117:443 | cdn.prod.website-files.com | udp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
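Most of the rows above are browser noise from the Chrome instance that was running during this win7 detonation (google.com, youtube.com, cloudflare NEL, CDN fetches), and the three discord.com resolutions behind the "Legitimate hosting services abused" signature only occur in this run; behavioral2 on win10 has no Discord traffic at all. What both detonations share is the repeated TCP connection to 147.185.221.22:25798, resolved from during-interesting.gl.at.ply.gg, a playit.gg tunnel hostname, which is the endpoint to treat as the C2 candidate. The script below is an added example, not part of the sandbox's output: it ranks the endpoints of a network table by how C2-like they look. NETWORK_ROWS is a subset of rows copied from the table above; the scoring weights and the TUNNEL_SUFFIXES list are this script's own assumptions.

```python
"""Rank the endpoints in a sandbox network table as C2 candidates.

Added example for this report, not part of the sandbox's output. NETWORK_ROWS
is a subset of rows copied from the behavioral1 Network table; the scoring
weights and the TUNNEL_SUFFIXES list are this script's own assumptions.
"""
from collections import Counter
from dataclasses import dataclass

# (country, destination, domain, proto): rows copied from the report's
# behavioral1 Network table, trimmed to the first dozen or so.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "during-interesting.gl.at.ply.gg", "udp"),
    ("US", "147.185.221.22:25798", "during-interesting.gl.at.ply.gg", "tcp"),
    ("US", "8.8.8.8:53", "www.google.com", "udp"),
    ("GB", "172.217.16.228:443", "www.google.com", "tcp"),
    ("GB", "172.217.16.228:443", "www.google.com", "tcp"),
    ("N/A", "224.0.0.251:5353", "N/A", "udp"),
    ("US", "147.185.221.22:25798", "during-interesting.gl.at.ply.gg", "tcp"),
    ("US", "147.185.221.22:25798", "during-interesting.gl.at.ply.gg", "tcp"),
    ("US", "8.8.8.8:53", "discord.com", "udp"),
    ("US", "162.159.135.232:443", "discord.com", "tcp"),
    ("US", "162.159.135.232:443", "discord.com", "tcp"),
    ("US", "104.18.161.117:443", "cdn.prod.website-files.com", "tcp"),
    ("US", "147.185.221.22:25798", "during-interesting.gl.at.ply.gg", "tcp"),
    ("US", "147.185.221.22:25798", "during-interesting.gl.at.ply.gg", "tcp"),
    ("US", "147.185.221.22:25798", "during-interesting.gl.at.ply.gg", "tcp"),
]

WEB_PORTS = {80, 443}
# Tunnelling / dynamic-DNS providers that frequently front RAT C2.
# Assumption for this example; the report itself does not classify ply.gg.
TUNNEL_SUFFIXES = (".ply.gg",)


@dataclass
class Candidate:
    domain: str
    ip: str
    port: int
    tcp_connections: int
    score: int
    reasons: list


def parse_destination(dest: str) -> tuple:
    """'147.185.221.22:25798' -> ('147.185.221.22', 25798)."""
    ip, _, port = dest.rpartition(":")
    return ip, int(port)


def rank_candidates(rows) -> list:
    """Count TCP connections per (domain, ip, port) and score each endpoint.

    DNS (port 53) and UDP rows are dropped: they tell us what was resolved,
    not what the sample actually talked to.
    """
    connections = Counter()
    for _country, dest, domain, proto in rows:
        ip, port = parse_destination(dest)
        if proto != "tcp" or port == 53:
            continue
        connections[(domain, ip, port)] += 1

    ranked = []
    for (domain, ip, port), count in connections.items():
        score, reasons = 0, []
        if port not in WEB_PORTS:
            score += 3
            reasons.append(f"non-web port {port}")
        if count >= 3:
            score += 2
            reasons.append(f"{count} repeated connections")
        if domain.endswith(TUNNEL_SUFFIXES):
            score += 2
            reasons.append("tunnelling-provider domain")
        ranked.append(Candidate(domain, ip, port, count, score, reasons))
    # Highest score first; more connections break ties.
    ranked.sort(key=lambda c: (-c.score, -c.tcp_connections))
    return ranked


if __name__ == "__main__":
    for c in rank_candidates(NETWORK_ROWS):
        print(f"score={c.score} {c.tcp_connections}x {c.domain} "
              f"{c.ip}:{c.port}  {'; '.join(c.reasons) or 'web traffic'}")
```

Run against the full table the same endpoint comes out on top with twelve connections; every other row scores zero because it is a one- or two-shot HTTPS fetch. Pivoting on the hostname is of limited value, since playit.gg tunnel names are disposable; the IP:port pair and the fact that the sample talks to a non-web port at all are the more durable observables.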
Files
memory/2684-0-0x0000000074981000-0x0000000074982000-memory.dmp
memory/2684-1-0x0000000074980000-0x0000000074F2B000-memory.dmp
memory/2684-2-0x0000000074980000-0x0000000074F2B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | 351808659677be354200ca26e9b63f5a |
| SHA1 | a147a31f13d21ff0bf0eca9c8dcf20b7cab5e363 |
| SHA256 | 60d79803c2b81c09f266a57c1e91476d1a5ef4abd3cccc113cd84077398edead |
| SHA512 | c8bcb1278652b76e4825cb4ede51f59790469f17c37b9b75f31c3208d2570c287e9e2dcf17ebd2f406927c558490860bd30b214949a276d66492d6142e125dc8 |
memory/2684-11-0x0000000074980000-0x0000000074F2B000-memory.dmp
memory/2692-13-0x0000000074980000-0x0000000074F2B000-memory.dmp
memory/2692-12-0x0000000074980000-0x0000000074F2B000-memory.dmp
memory/2692-14-0x0000000074980000-0x0000000074F2B000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
\??\pipe\crashpad_2680_GVBGNISDCOQVVYOX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/2692-64-0x0000000074980000-0x0000000074F2B000-memory.dmp
memory/2692-69-0x0000000074980000-0x0000000074F2B000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Temp\Cab5C74.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar5CB6.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b87e145d824751f9b437cd63ee015150 |
| SHA1 | 8006c30c4232fc73cbe9ea42e6317177cde1be18 |
| SHA256 | d110b2354fe9f82ddaf7386390b9d9a176de147a8b09856169614e3d7b4c0b7a |
| SHA512 | a28c7b43aa1ccc959546f695f841e4b3d99c707693db9d729e91870d0e4682bb8ebd24e2d863dd15af806c1c6e8737a567a1b15fd77ceca7ab3a12aaf1845cf5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 46f8738cb56bbb083bbe0c3dc49c54bb |
| SHA1 | 9779b86e22acbee7013d0bca90b034026c4ff397 |
| SHA256 | baa6e6a3bc0b6ebd940e34036bdbed9de3ab37793c12c1b1101253e58449a85d |
| SHA512 | 546a9d57b9bbbd9e9dbaccaec98fab5cd849300a6f3662d9dd6ea76c4181ec139e60afc02d162ca3c7bb0c4716bd69f1e33a6f19adb9bb44db04cda2e36a4549 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b84282ff08292a2824d356757189a681 |
| SHA1 | ea6585a16e6df6f224fe7e8803b634ba2b8ce63d |
| SHA256 | d0885314a7f8a077e3fecb512e613a87f764d62fb7b8495b130c620ca1d8e9f8 |
| SHA512 | 0dfb4a10e00238e9cc11d0a0c0e6e61b6112f9060a91cad3b7cabaa4d5d74960db6af3c3137677ba95db066ae2a12630733854d41d0eb2d941923f98c8bdd970 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | fe49ebad4bd92db4ab790a8229f842bc |
| SHA1 | 2aaacef97c62f6ff6ea183ae3b052ec46445eeba |
| SHA256 | 6439139c50149b948286fce21bf83a6918e70f39f29d38909c6e940d0050e316 |
| SHA512 | 23cc1defa2370d43165035194d6e998debdeb91ac47a641e4b51cd60d34f730a4785c8a7ac4a53616355327ffa70626bf0a5b52729ad115f49de60376772e0c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8833a6be3e854f761c7e68d5506588b2 |
| SHA1 | eded8f1fa9ca7d3f715716c2c235957dfd0aba43 |
| SHA256 | 5da8702bc9ee5d31be368127e534b9d55f375b3f4ea39a3c86cc742e1e646fb6 |
| SHA512 | 9f30d0319c349c97f3044a4453af6eca4130d2c3cad7f94182bbef3f59ce53c9ab19812bddf5a3e022a7d808d8edac6e9efa5e43365361f523f85d7109fc1195 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | e9867d69588cfccc79ed63b5e0707c74 |
| SHA1 | 24ae6e90e68cce0b365e191b8d64c35103ace56d |
| SHA256 | 3c7454383e334c91a01d4c9ab77acd2ea878ff4424c01038ae16d14157e882e9 |
| SHA512 | decf6f61b826063a0de2f128487e1644092161ac1ca2445d89c5f50e36deef83414af229e9484ab9b8aabe2171c8598d9eb15776bcf882bd3dd884c62f4fe10a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 1f2b980c640479d1ebbf53facc9213e8 |
| SHA1 | 8b9524ea6d9893c809aa861240cc6ea98880a41e |
| SHA256 | 8e675336ac6729ed6f8753ac3562be252ff209228084d0241c1a9a010b38f7a1 |
| SHA512 | ff5a0024212a1829909452659ef448c31c6e7f3d5606f71fdc2c0ac0f5b92d2f80ccab0442b614947aa524aeb6e13b20ee2c8bd21d7bd68ca3f63553e7257fc7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000041
| MD5 | 2be38925751dc3580e84c3af3a87f98d |
| SHA1 | 8a390d24e6588bef5da1d3db713784c11ca58921 |
| SHA256 | 1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b |
| SHA512 | 1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 2e065e7dba84d5f116d456974703346c |
| SHA1 | d43929478ee940c95b284015d17ee8026d0f3456 |
| SHA256 | f454cfb030b673e044d25fabc793d3145cc40e88876d8e235ae556327f86461a |
| SHA512 | 4eed4115a570c60eb5d74f340c8f70906d579509dfd63b7c092d8a1ad1c627233cccf3fb6f3922283a43ea90a88fa60f46878d82663521b586b2ca03fd892f71 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2a6e0ac37480f78083c60ad65d0ca553 |
| SHA1 | c85fada1e3df994a4b4026350448415cf4778bd0 |
| SHA256 | ce7e391c09852d690ea038646a20b0293b85b73f53b2e8b73eecbd6f18d73195 |
| SHA512 | 5fdedc476932010dc24e8df5e498a19f7c009b96c31e1ef33d3ce2bd31af6bd23d1d4be2db2b693e42b8f419602c85009e6a4419e008eb25fbec3f743c5b92b3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 980084a217a39a144a1d33eb23ac502a |
| SHA1 | ed6d0466ba7200dee957106b8329b94ddcf763b5 |
| SHA256 | 0a4e29a382f8837683f4e73e569a9943c59d65ddbf7a1f02de35f41ac7dc62c7 |
| SHA512 | bc388bcb9624c669dd943a7552995b544166aa1191c4e5c544262bdcd4fe1846b29454c55779f805bf52554114cae60d44960514cdd5835ba2180f0a123ef1e8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | a99a046adfc45c8bd5e9d2fd91405cd4 |
| SHA1 | 08f23b3d8ca0af5488d3bf902397f3f22ad5829a |
| SHA256 | d583f45d31cc897d908a7f2fb7d0404fe00d6340698ac109036e08affdff9ea3 |
| SHA512 | 6ca276312495989c3e7f077d8c63bc451945ed2f649c340722039eb9d75e0579601c53e070dbea381dc36083ee75ac2aec0272b263f9fdf6a2ae5d20cb54c70a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8d4ca1b9b49e89278cfb0af281dd979b |
| SHA1 | 5874464849b64366fc9637362dfaee65c45c5db1 |
| SHA256 | 776192ae563965928c3e148c11ced5f28eba20eaf9c1f8980c431d88f90fd481 |
| SHA512 | c26b2b21fcbeea50d3a48cb7fdb70b41249bb7cd7b42d82ca6c58719dac3b704e70ebf60c0edabc46f4998adc9d26e48f62ea980107a2b59479013f1ac42e0ca |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ebb118eb-6a7d-462d-9ece-5db4dd83f1fd.tmp
| MD5 | 5268c4a4e29f91944ccaf32eb4405582 |
| SHA1 | c39e75ebd53dc0648ea66b793e203b3604863c52 |
| SHA256 | b86c5d67f1e55b852c36ba84d243811c132b141ca020ace53eb6ef88d98c41c6 |
| SHA512 | e0971e7796de42a076c08f5b2b05226b6cf752f5da9535c4ef8d66be351ec73e7a220465075ba8d35114d74f20984a1bfc9e00b9b9949b5f81d7167e7c12362a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 5cd9c9368cfb913fe4787ac7787edea2 |
| SHA1 | d94941264c11562fd5b714dd8ca97b47fd4fc5ce |
| SHA256 | 17036e08abb39d5e7630facb7d7808b9975be8cdd718a8ddc0d1bce6950a7dd7 |
| SHA512 | 3bd43b68e6b8ddbdb304c0092bb044b7ca0e7e282a6418d25e225eac89e718f146ba88d6e9389f2d137c833276fabb55226f69594277ca1d236fb25cdf85b79e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 16:31
Reported
2024-11-25 16:43
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\example.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\example.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\example.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\example.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\example.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\example.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\example.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4452 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\example.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4452 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\example.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4452 wrote to memory of 1856 | N/A | C:\Users\Admin\AppData\Local\Temp\example.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\example.exe
"C:\Users\Admin\AppData\Local\Temp\example.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | during-interesting.gl.at.ply.gg | udp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
| US | 147.185.221.22:25798 | during-interesting.gl.at.ply.gg | tcp |
Files
memory/4452-0-0x0000000074A22000-0x0000000074A23000-memory.dmp
memory/4452-1-0x0000000074A20000-0x0000000074FD1000-memory.dmp
memory/4452-2-0x0000000074A20000-0x0000000074FD1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | 351808659677be354200ca26e9b63f5a |
| SHA1 | a147a31f13d21ff0bf0eca9c8dcf20b7cab5e363 |
| SHA256 | 60d79803c2b81c09f266a57c1e91476d1a5ef4abd3cccc113cd84077398edead |
| SHA512 | c8bcb1278652b76e4825cb4ede51f59790469f17c37b9b75f31c3208d2570c287e9e2dcf17ebd2f406927c558490860bd30b214949a276d66492d6142e125dc8 |
memory/4452-18-0x0000000074A20000-0x0000000074FD1000-memory.dmp
memory/1856-19-0x0000000074A20000-0x0000000074FD1000-memory.dmp
memory/1856-20-0x0000000074A20000-0x0000000074FD1000-memory.dmp
memory/1856-21-0x0000000074A20000-0x0000000074FD1000-memory.dmp