Analysis Overview
SHA256
f1038db3426bff387fd48e9ccb44163155e71d6b3dcf0814ef675a21a6d9e208
Threat Level: Known bad
The file dwafawfg.exe was found to be: Known bad.
Malicious Activity Summary
Orcus family
Orcus
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-28 19:54
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-28 19:54
Reported
2024-11-28 19:56
Platform
win7-20240729-en
Max time kernel
148s
Max time network
17s
Command Line
Signatures
Orcus
Orcus family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2420 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 2420 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 2420 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 2420 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe
"C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
Files
memory/2420-0-0x00000000740CE000-0x00000000740CF000-memory.dmp
memory/2420-1-0x0000000000FD0000-0x00000000010A8000-memory.dmp
memory/2420-2-0x0000000000370000-0x000000000037A000-memory.dmp
memory/2420-3-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/2420-4-0x0000000000D00000-0x0000000000D4C000-memory.dmp
memory/2420-7-0x0000000000DF0000-0x0000000000E3E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| Algorithm | Digest |
|---|---|
| MD5 | 20b75cd92b6535a549b51b7814392675 |
| SHA1 | 1e0763547ea4f36a21d1925e4fcce5249f172096 |
| SHA256 | f1038db3426bff387fd48e9ccb44163155e71d6b3dcf0814ef675a21a6d9e208 |
| SHA512 | d8d44ee829fecfd8d3edfdf51401172af14227bfa787594e258dab3a08a334b3cf75ca67572330687d8b9cad88b90d8616e26bbe5b47f488ff17f9c937bc1eeb |
memory/2816-14-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/2420-17-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/2816-16-0x00000000740C0000-0x00000000747AE000-memory.dmp
memory/2816-15-0x0000000000A30000-0x0000000000B08000-memory.dmp
memory/2816-18-0x0000000000650000-0x0000000000660000-memory.dmp
memory/2816-19-0x00000000740C0000-0x00000000747AE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-28 19:54
Reported
2024-11-28 19:56
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
141s
Command Line
Signatures
Orcus
Orcus family
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4144 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4144 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4144 wrote to memory of 4708 | N/A | C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe
"C:\Users\Admin\AppData\Local\Temp\dwafawfg.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
| N/A | 127.0.0.1:7000 | | tcp |
Files
memory/4144-0-0x000000007518E000-0x000000007518F000-memory.dmp
memory/4144-1-0x0000000000470000-0x0000000000548000-memory.dmp
memory/4144-2-0x0000000002830000-0x000000000283A000-memory.dmp
memory/4144-3-0x0000000075180000-0x0000000075930000-memory.dmp
memory/4144-4-0x00000000055E0000-0x0000000005B84000-memory.dmp
memory/4144-5-0x00000000053D0000-0x0000000005462000-memory.dmp
memory/4144-6-0x0000000005330000-0x000000000537C000-memory.dmp
memory/4144-7-0x00000000054E0000-0x0000000005546000-memory.dmp
memory/4144-10-0x0000000005E90000-0x0000000005EDE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| Algorithm | Digest |
|---|---|
| MD5 | 20b75cd92b6535a549b51b7814392675 |
| SHA1 | 1e0763547ea4f36a21d1925e4fcce5249f172096 |
| SHA256 | f1038db3426bff387fd48e9ccb44163155e71d6b3dcf0814ef675a21a6d9e208 |
| SHA512 | d8d44ee829fecfd8d3edfdf51401172af14227bfa787594e258dab3a08a334b3cf75ca67572330687d8b9cad88b90d8616e26bbe5b47f488ff17f9c937bc1eeb |
memory/4708-23-0x0000000075180000-0x0000000075930000-memory.dmp
memory/4144-22-0x0000000075180000-0x0000000075930000-memory.dmp
memory/4708-24-0x0000000075180000-0x0000000075930000-memory.dmp
memory/4708-25-0x0000000006400000-0x00000000065C2000-memory.dmp
memory/4708-26-0x0000000006380000-0x0000000006390000-memory.dmp
memory/4708-27-0x0000000006AB0000-0x0000000006ABA000-memory.dmp
memory/4708-28-0x0000000075180000-0x0000000075930000-memory.dmp