General

  • Target

    https://gofile.io/d/dg0UQ7

  • Sample

    241229-hpbqnawkaz

Malware Config

Extracted

Family

orcus

C2

another-contains.gl.at.ply.gg

Mutex

a49af69032c94d6fa7c0d2639d32f038

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    12/24/2024 02:03:43

  • plugins

    AgUFyOzBvwKV1wLetwKoxrcNilV/bBUKRwBhAG0AZQByACAAVgBpAGUAdwAHAzEALgAyAEEgYgA2ADkAZgA0ADUAZQBiADYANgAxADYANAA2ADAAZgA5AGUAMQAwADIAMgBkADcANwA3ADMAMABmADAANwAzAAIAAAACAg==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks