Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

454dce322f...3d.exe

windows7-x64

10

454dce322f...3d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/12/2024, 01:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    454dce322fc945844e21c756cce7e3caad1e25737cf46c8f5cb6b8a95db8253d.exe

  • Size

    840KB

  • MD5

    820ae186e5846a3bae6df8c6b38a1224

  • SHA1

    4ce2f3f346366f580fb107c2f361319c787ea30d

  • SHA256

    454dce322fc945844e21c756cce7e3caad1e25737cf46c8f5cb6b8a95db8253d

  • SHA512

    d1b3bdc6112ea88fde380e2fad2827c0de998e5d39c1cff5d9fbb694d66eca650356aad1c46e5f645852d2380598d75e1d68ede8c60b1af0959d25d7f2bc2bf4

  • SSDEEP

    24576:bSJS04YNEMuExDiU6E5R9s8xY/2l/d1N1Ibt+rn:bSr4auS+UjfU2TD1Ibt+r

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

5students-much.gl.at.ply.gg

Mutex

cdeaefd44a3e460aa1f102ce3cd484c5

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    12/27/2024 04:13:42

  • plugins

    AgEAAA==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain
1
CrackedByWardow

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcus family
    orcus
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\454dce322fc945844e21c756cce7e3caad1e25737cf46c8f5cb6b8a95db8253d.exe
    "C:\Users\Admin\AppData\Local\Temp\454dce322fc945844e21c756cce7e3caad1e25737cf46c8f5cb6b8a95db8253d.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:552

Network

  • flag-us
    DNS
    students-much.gl.at.ply.gg
    AudioDriver.exe
    Remote address:
    8.8.8.8:53
    Request
    students-much.gl.at.ply.gg
    IN A
    Response
    students-much.gl.at.ply.gg
    IN A
    147.185.221.24
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    152 B
     3
  • 147.185.221.24:48146
    students-much.gl.at.ply.gg
    AudioDriver.exe
    104 B
     2
  • 8.8.8.8:53
    students-much.gl.at.ply.gg
    dns
    AudioDriver.exe
    72 B
     88 B
     1
    1

    DNS Request

    students-much.gl.at.ply.gg

    DNS Response

    147.185.221.24

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
    Filesize

    840KB

    MD5

    820ae186e5846a3bae6df8c6b38a1224

    SHA1

    4ce2f3f346366f580fb107c2f361319c787ea30d

    SHA256

    454dce322fc945844e21c756cce7e3caad1e25737cf46c8f5cb6b8a95db8253d

    SHA512

    d1b3bdc6112ea88fde380e2fad2827c0de998e5d39c1cff5d9fbb694d66eca650356aad1c46e5f645852d2380598d75e1d68ede8c60b1af0959d25d7f2bc2bf4

    Download Submit

  • memory/552-15-0x0000000000920000-0x00000000009F8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/552-16-0x00000000748E0000-0x0000000074FCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/552-17-0x00000000748E0000-0x0000000074FCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/552-18-0x00000000006B0000-0x00000000006C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/552-19-0x00000000748E0000-0x0000000074FCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2648-2-0x0000000000350000-0x000000000035A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2648-3-0x00000000748E0000-0x0000000074FCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2648-4-0x0000000000650000-0x000000000069C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2648-7-0x0000000004150000-0x000000000419E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2648-1-0x00000000003A0000-0x0000000000478000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2648-14-0x00000000748E0000-0x0000000074FCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2648-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.