Malware Analysis Report

2025-01-22 14:48

Sample ID 241128-yq2apstqak
Target esg.exe
SHA256 ce241023e11491d0faae22ad7fda8db3a8ae6d70b9421234e7ff371d1e42c410
Tags
rat aefgag orcus discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ce241023e11491d0faae22ad7fda8db3a8ae6d70b9421234e7ff371d1e42c410

Threat Level: Known bad

The file esg.exe was found to be: Known bad.

Malicious Activity Summary

rat aefgag orcus discovery spyware stealer

Orcus

Orcus family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-28 20:00

Signatures

Orcus family

orcus

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-28 20:00

Reported

2024-11-28 20:02

Platform

win7-20240903-en

Max time kernel

148s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\esg.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\esg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\esg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\esg.exe

"C:\Users\Admin\AppData\Local\Temp\esg.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

Network

Country Destination Domain Proto
DE 87.177.68.221:7000 tcp
N/A 127.0.0.1:7000 tcp
DE 87.177.68.221:7000 tcp
N/A 127.0.0.1:7000 tcp
DE 87.177.68.221:7000 tcp
N/A 127.0.0.1:7000 tcp
DE 87.177.68.221:7000 tcp
N/A 127.0.0.1:7000 tcp
DE 87.177.68.221:7000 tcp
N/A 127.0.0.1:7000 tcp
DE 87.177.68.221:7000 tcp
N/A 127.0.0.1:7000 tcp
DE 87.177.68.221:7000 tcp
N/A 127.0.0.1:7000 tcp

Files

memory/2868-0-0x00000000740DE000-0x00000000740DF000-memory.dmp

memory/2868-1-0x0000000000A00000-0x0000000000AD8000-memory.dmp

memory/2868-2-0x00000000006E0000-0x00000000006EA000-memory.dmp

memory/2868-3-0x00000000740D0000-0x00000000747BE000-memory.dmp

memory/2868-4-0x00000000042D0000-0x000000000431C000-memory.dmp

memory/2868-7-0x0000000004800000-0x000000000484E000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

MD5 1ef3aeb3921f543f6b951d32a8f992e4
SHA1 5c3172bb2490ecc3e572cd5b5fee8e6fc3758bf9
SHA256 ce241023e11491d0faae22ad7fda8db3a8ae6d70b9421234e7ff371d1e42c410
SHA512 60c65eefe018d3171309c8ba13e2d4ced013f4bbfe456db3095d662136c6e05fa28e5601493dd4a23f4ef82c4ebc87cad248bead43a8f43b7ae4adaf535638b5

memory/2868-14-0x00000000740D0000-0x00000000747BE000-memory.dmp

memory/2576-16-0x00000000740D0000-0x00000000747BE000-memory.dmp

memory/2576-15-0x0000000000370000-0x0000000000448000-memory.dmp

memory/2576-17-0x00000000740D0000-0x00000000747BE000-memory.dmp

memory/2576-18-0x0000000002190000-0x00000000021A0000-memory.dmp

memory/2576-19-0x00000000740D0000-0x00000000747BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-28 20:00

Reported

2024-11-28 20:02

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\esg.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\esg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\esg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\esg.exe

"C:\Users\Admin\AppData\Local\Temp\esg.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

Network

Country Destination Domain Proto
DE 87.177.68.221:7000 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
DE 87.177.68.221:7000 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
DE 87.177.68.221:7000 tcp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
DE 87.177.68.221:7000 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 87.177.68.221:7000 tcp
N/A 127.0.0.1:7000 tcp
DE 87.177.68.221:7000 tcp
N/A 127.0.0.1:7000 tcp

Files

memory/396-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

memory/396-1-0x0000000000B30000-0x0000000000C08000-memory.dmp

memory/396-2-0x0000000003090000-0x000000000309A000-memory.dmp

memory/396-3-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/396-4-0x0000000005D00000-0x00000000062A4000-memory.dmp

memory/396-5-0x0000000005A70000-0x0000000005B02000-memory.dmp

memory/396-6-0x00000000059E0000-0x0000000005A2C000-memory.dmp

memory/396-7-0x0000000005B80000-0x0000000005BE6000-memory.dmp

memory/396-10-0x0000000006510000-0x000000000655E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

MD5 1ef3aeb3921f543f6b951d32a8f992e4
SHA1 5c3172bb2490ecc3e572cd5b5fee8e6fc3758bf9
SHA256 ce241023e11491d0faae22ad7fda8db3a8ae6d70b9421234e7ff371d1e42c410
SHA512 60c65eefe018d3171309c8ba13e2d4ced013f4bbfe456db3095d662136c6e05fa28e5601493dd4a23f4ef82c4ebc87cad248bead43a8f43b7ae4adaf535638b5

memory/4692-22-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/4692-23-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/4692-24-0x0000000006210000-0x00000000063D2000-memory.dmp

memory/4692-25-0x00000000061A0000-0x00000000061B0000-memory.dmp

memory/4692-26-0x00000000068B0000-0x00000000068BA000-memory.dmp

memory/396-27-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/4692-28-0x00000000747E0000-0x0000000074F90000-memory.dmp