Analysis Overview
SHA256
4e1729bc6da9b09dd3914f71694f75c06074bf6dc64b985a0099760dc00fcd33
Threat Level: Known bad
The file fffffffffff.exe was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcus family
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-11 18:33
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-11 18:33
Reported
2024-12-12 08:11
Platform
win7-20240903-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Orcus
Orcus family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsInput.InstallLog | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe
"C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 8.8.8.8:53 | email-hitting.gl.at.ply.gg | udp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 8.8.8.8:53 | email-hitting.gl.at.ply.gg | udp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
Files
memory/2676-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp
memory/2676-1-0x0000000001310000-0x00000000013E8000-memory.dmp
memory/2676-2-0x00000000003F0000-0x00000000003FA000-memory.dmp
memory/2676-3-0x0000000074C50000-0x000000007533E000-memory.dmp
memory/2676-4-0x00000000008E0000-0x000000000092C000-memory.dmp
memory/2676-5-0x00000000009B0000-0x00000000009BC000-memory.dmp
\Windows\SysWOW64\WindowsInput.exe
| MD5 | e854a4636afc652b320e12e50ba4080e |
| SHA1 | 8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc |
| SHA256 | 94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5 |
| SHA512 | 30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118 |
memory/2940-12-0x000007FEF65EE000-0x000007FEF65EF000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.InstallLog
| MD5 | e469dda91ae810a1f94c96060f3f8a65 |
| SHA1 | 0b4b3b0f6f937016b1e045ce5313ee2a65a38630 |
| SHA256 | d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842 |
| SHA512 | 2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac |
memory/2940-22-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp
memory/2940-23-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.InstallLog
| MD5 | c2291863df7c2d3038ce3c22fa276506 |
| SHA1 | 7b7d2bc07a6c35523807342c747c9b6a19f3184e |
| SHA256 | 14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da |
| SHA512 | 00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa |
memory/2940-39-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp
memory/2676-42-0x00000000047F0000-0x000000000483E000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | bf3709975587af1ae764262fd2ce2f48 |
| SHA1 | de63b6c5b11653e8d777f8cbbf6018972413d44a |
| SHA256 | 4e1729bc6da9b09dd3914f71694f75c06074bf6dc64b985a0099760dc00fcd33 |
| SHA512 | 19d3ed22232c5f907b951935ff465bea24317421c47934032cb010f250eb8bdebfd6907a26b844716c4da1599d37c54e8275ce67f13810c9b064c962b84e4d94 |
memory/2124-50-0x0000000001130000-0x0000000001208000-memory.dmp
memory/2676-48-0x0000000074C50000-0x000000007533E000-memory.dmp
memory/2124-51-0x00000000009B0000-0x00000000009C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-11 18:33
Reported
2024-12-11 18:45
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Orcus
Orcus family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsInput.InstallLog | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4024 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | C:\Windows\SysWOW64\WindowsInput.exe |
| PID 4024 wrote to memory of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | C:\Windows\SysWOW64\WindowsInput.exe |
| PID 4024 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4024 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4024 wrote to memory of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe
"C:\Users\Admin\AppData\Local\Temp\fffffffffff.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 8.8.8.8:53 | email-hitting.gl.at.ply.gg | udp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:7000 | N/A | tcp |
| US | 147.185.221.22:63341 | email-hitting.gl.at.ply.gg | tcp |
Files
memory/4024-0-0x000000007526E000-0x000000007526F000-memory.dmp
memory/4024-1-0x0000000000520000-0x00000000005F8000-memory.dmp
memory/4024-3-0x0000000075260000-0x0000000075A10000-memory.dmp
memory/4024-2-0x0000000002910000-0x000000000291A000-memory.dmp
memory/4024-4-0x0000000005580000-0x0000000005B24000-memory.dmp
memory/4024-5-0x0000000005370000-0x0000000005402000-memory.dmp
memory/4024-6-0x00000000052D0000-0x000000000531C000-memory.dmp
memory/4024-7-0x0000000005410000-0x0000000005432000-memory.dmp
memory/4024-8-0x0000000005330000-0x000000000533C000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e854a4636afc652b320e12e50ba4080e |
| SHA1 | 8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc |
| SHA256 | 94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5 |
| SHA512 | 30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118 |
memory/960-20-0x00007FFB81315000-0x00007FFB81316000-memory.dmp
memory/960-21-0x0000000001140000-0x0000000001158000-memory.dmp
memory/960-22-0x000000001B560000-0x000000001B580000-memory.dmp
memory/960-23-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
memory/960-24-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
memory/960-27-0x000000001B880000-0x000000001B8A4000-memory.dmp
memory/960-35-0x000000001C1E0000-0x000000001C6AE000-memory.dmp
memory/960-36-0x000000001C750000-0x000000001C7EC000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.InstallLog
| MD5 | c2291863df7c2d3038ce3c22fa276506 |
| SHA1 | 7b7d2bc07a6c35523807342c747c9b6a19f3184e |
| SHA256 | 14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da |
| SHA512 | 00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa |
memory/960-53-0x00007FFB81060000-0x00007FFB81A01000-memory.dmp
memory/4024-56-0x0000000006140000-0x000000000618E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | bf3709975587af1ae764262fd2ce2f48 |
| SHA1 | de63b6c5b11653e8d777f8cbbf6018972413d44a |
| SHA256 | 4e1729bc6da9b09dd3914f71694f75c06074bf6dc64b985a0099760dc00fcd33 |
| SHA512 | 19d3ed22232c5f907b951935ff465bea24317421c47934032cb010f250eb8bdebfd6907a26b844716c4da1599d37c54e8275ce67f13810c9b064c962b84e4d94 |
memory/1128-69-0x000000007526E000-0x000000007526F000-memory.dmp
memory/4024-68-0x0000000075260000-0x0000000075A10000-memory.dmp
memory/1128-70-0x0000000075260000-0x0000000075A10000-memory.dmp
memory/1128-71-0x0000000006320000-0x00000000064E2000-memory.dmp
memory/1128-72-0x0000000005AF0000-0x0000000005B00000-memory.dmp
memory/1128-73-0x00000000062F0000-0x00000000062FA000-memory.dmp
memory/1128-74-0x0000000075260000-0x0000000075A10000-memory.dmp