Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

02dcee95b9...48.exe

windows7-x64

10

02dcee95b9...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21/12/2024, 01:18 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe

  • Size

    1.2MB

  • MD5

    284faf4d035afff98a534f6d8fe4ddab

  • SHA1

    4eb6fcd884176deaea3fad9eabc2313cc1beb547

  • SHA256

    02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748

  • SHA512

    f5ea74b26c7042a9ef4067afcb3699942df1af87da745455dc84284819d7b2f2a0458a04caf1635ddc840efdd8161937c2958064bb498c2b76d0d16ab4af8790

  • SSDEEP

    24576:p9qPS04YNEMuExDiU6E5R9s8xY/2l/dRJ5dtsPxNGfSdIbt+rx:p9ql4auS+UjfU2T/5XDaIbt+r

Score
10/10
orcuscsgoskinhack2discoveryratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

CSGOSkinHack2

C2

10.0.2.15

Mutex

af9dc49d3c914466b9a3fb43bff5d514

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    01/18/2017 15:09:59

  • plugins

    AgUFyfihswTdIPqEArukcmEdSF06Hw9CAFMAbwBEACAAUAByAG8AdABlAGMAdABpAG8AbgAHAzEALgAwAEEgYwBiADcAZgBhAGUAOQAwAGQAMQA0ADUANABkADMANQBiADIAMgA3ADIAYwA5ADgAMwA1AGUANAAzADYAMgAyAAEFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDQANwA3ADEAZgA5AGUAMAAyADAAZAAyADQAZQAxAGIAYgAzAGUAMQA1AGQANwAxADUANQBiADMANAAzADEAMwABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIGUAZAAwADAAYwAwADIANgA1ADcAMgBiADQAMABjADMAYQA4AGMAMABiADcAYQAzAGMAMgBhAGQANQBiAGQANgACAAYG

  • reconnect_delay

    10000

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain
1
CrackedByWardow

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe
    "C:\Users\Admin\AppData\Local\Temp\02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2156

Network

    No results found
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    152 B
     3
  • 10.0.2.15:10134
    AudioDriver.exe
    52 B
     1
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    Filesize

    1.2MB

    MD5

    284faf4d035afff98a534f6d8fe4ddab

    SHA1

    4eb6fcd884176deaea3fad9eabc2313cc1beb547

    SHA256

    02dcee95b9025ea26e80d1643c8fa5526e2b41d0107410cdfba469adebc70748

    SHA512

    f5ea74b26c7042a9ef4067afcb3699942df1af87da745455dc84284819d7b2f2a0458a04caf1635ddc840efdd8161937c2958064bb498c2b76d0d16ab4af8790

    Download Submit

  • \Users\Admin\AppData\Roaming\GamerView\sqlite3.dll
    Filesize

    626KB

    MD5

    d8aec01ff14e3e7ad43a4b71e30482e4

    SHA1

    e3015f56f17d845ec7eef11d41bbbc28cc16d096

    SHA256

    da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e

    SHA512

    f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf

    Download Submit

  • memory/2156-30-0x0000000060900000-0x0000000060992000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2156-29-0x00000000743F0000-0x0000000074ADE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2156-24-0x0000000000A00000-0x0000000000A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2156-20-0x00000000743F0000-0x0000000074ADE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2156-18-0x0000000001280000-0x00000000013B4000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2156-17-0x00000000743F0000-0x0000000074ADE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2444-4-0x0000000002090000-0x00000000020DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2444-10-0x00000000021F0000-0x000000000223E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2444-7-0x00000000055E0000-0x0000000005698000-memory.dmp

    Filesize

    736KB

    Download

  • memory/2444-19-0x00000000743F0000-0x0000000074ADE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2444-6-0x0000000000780000-0x0000000000788000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2444-5-0x0000000000550000-0x0000000000558000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2444-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2444-3-0x00000000743F0000-0x0000000074ADE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2444-2-0x0000000000240000-0x000000000024A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2444-1-0x0000000000880000-0x00000000009B4000-memory.dmp

    Filesize

    1.2MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.