orcus | fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c

General

Target

fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe
Size

1.2MB
MD5

369a6ed5501c313131a7dfcba6ff360f
SHA1

d5dc971586d2c929444c913e7ab2f7be8e3ddf10
SHA256

fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c
SHA512

c1933f4f7120e3762dbdfdf89f0f54095da555486c1ebc2a429646743f2076e89202d03b5f393de6fab215374afe096c37f41525e40a0b1f8217bd3668fca57c
SSDEEP

24576:vywaS04YNEMuExDiU6E5R9s8xY/2l/dRJ5dtsPxNGf/YIbt+rf:vyw24auS+UjfU2T/5XDYIbt+r

Score

10^/10

orcus straze discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

straze

C2

26.148.145.110

Mutex

2a464dca4277420e91b1386ed3af2361

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
12/19/2020 22:37:31
plugins
AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgNAAwADEAMwBjAGYAYQBmADUANwAzAGYANAA4ADIAZQA4ADkANgBhADYANABhADkAMwBmADMAZgA3ADUAMQAyAAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDIAYQA2ADMAMgAyADMANQA4AGYANAAzADQAMAAyAGEAYgBkADEAYQAwAGMAZgAwADEAOQBkADUAYQBjAGUAZQABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIDgANQA0AGUAZABhADkAZAAxAGIAZAA4ADQAZQA4AGYAYQAyADgAZQBmADgAOAAzADMAZgBiADUAMQBiAGQANwACAAYG
reconnect_delay
9993
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Executes dropped EXE 2 IoCs

pid	Process
2904	WindowsInput.exe
2716	AudioDriver.exe

Loads dropped DLL 3 IoCs

pid	Process
2264	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe
2264	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe
2716	AudioDriver.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.exe	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe
File opened for modification	C:\Windows\SysWOW64\WindowsInput.InstallLog	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AudioDriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe
2716	AudioDriver.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	AudioDriver.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	AudioDriver.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2716	AudioDriver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2716	AudioDriver.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2904	2264	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe	32
PID 2264 wrote to memory of 2904	2264	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe	32
PID 2264 wrote to memory of 2904	2264	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe	32
PID 2264 wrote to memory of 2904	2264	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe	32
PID 2264 wrote to memory of 2716	2264	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe	33
PID 2264 wrote to memory of 2716	2264	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe	33
PID 2264 wrote to memory of 2716	2264	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe	33
PID 2264 wrote to memory of 2716	2264	fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe	33

C:\Users\Admin\AppData\Local\Temp\fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe
"C:\Users\Admin\AppData\Local\Temp\fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2904
- C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
224B

MD5
e469dda91ae810a1f94c96060f3f8a65

SHA1
0b4b3b0f6f937016b1e045ce5313ee2a65a38630

SHA256
d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842

SHA512
2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallLog

Filesize
597B

MD5
c2291863df7c2d3038ce3c22fa276506

SHA1
7b7d2bc07a6c35523807342c747c9b6a19f3184e

SHA256
14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da

SHA512
00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

Download Submit
\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll

Filesize
626KB

MD5
d8aec01ff14e3e7ad43a4b71e30482e4

SHA1
e3015f56f17d845ec7eef11d41bbbc28cc16d096

SHA256
da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

SHA512
f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

Filesize
1.2MB

MD5
369a6ed5501c313131a7dfcba6ff360f

SHA1
d5dc971586d2c929444c913e7ab2f7be8e3ddf10

SHA256
fe74d29e5d79e70cce64c8954f8c5765a3968840a06a61cabc8573a53ae0e76c

SHA512
c1933f4f7120e3762dbdfdf89f0f54095da555486c1ebc2a429646743f2076e89202d03b5f393de6fab215374afe096c37f41525e40a0b1f8217bd3668fca57c

Download Submit
\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e854a4636afc652b320e12e50ba4080e

SHA1
8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc

SHA256
94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5

SHA512
30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

Download Submit
memory/2264-8-0x0000000001FB0000-0x0000000001FBC000-memory.dmp

Filesize
48KB

Download
memory/2264-46-0x0000000004360000-0x00000000043AE000-memory.dmp

Filesize
312KB

Download
memory/2264-7-0x0000000005170000-0x0000000005228000-memory.dmp

Filesize
736KB

Download
memory/2264-54-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-5-0x0000000000710000-0x0000000000718000-memory.dmp

Filesize
32KB

Download
memory/2264-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2264-4-0x0000000001F50000-0x0000000001F9C000-memory.dmp

Filesize
304KB

Download
memory/2264-6-0x0000000001FA0000-0x0000000001FA8000-memory.dmp

Filesize
32KB

Download
memory/2264-3-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-2-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/2264-1-0x00000000003B0000-0x00000000004E4000-memory.dmp

Filesize
1.2MB

Download
memory/2716-63-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2716-55-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2716-53-0x0000000000860000-0x0000000000994000-memory.dmp

Filesize
1.2MB

Download
memory/2904-15-0x000007FEF61BE000-0x000007FEF61BF000-memory.dmp

Filesize
4KB

Download
memory/2904-42-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-26-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download
memory/2904-25-0x000007FEF5F00000-0x000007FEF689D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing