Analysis Overview
SHA256
885a499d2e0fd28f91423772902b48903d59ef9d11222ceacdb5d46159d41401
Threat Level: Known bad
The file idk.exe was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcus family
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-10 21:14
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-10 21:14
Reported
2025-01-10 21:17
Platform
win10ltsc2021-20241211-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Orcus
Orcus family
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4108 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4108 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4108 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\idk.exe
"C:\Users\Admin\AppData\Local\Temp\idk.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 83.27.74.3.in-addr.arpa | udp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.74.47.205:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.78.28.71:15027 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 71.28.78.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.78.28.71:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.78.28.71:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.78.28.71:15027 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 52.57.120.10:15027 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 10.120.57.52.in-addr.arpa | udp |
| DE | 52.57.120.10:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 52.57.120.10:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 52.57.120.10:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 52.57.120.10:15027 | 0.tcp.eu.ngrok.io | tcp |
Files
memory/4108-0-0x00000000752E2000-0x00000000752E3000-memory.dmp
memory/4108-1-0x00000000752E0000-0x0000000075891000-memory.dmp
memory/4108-2-0x00000000752E0000-0x0000000075891000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| Hash | Value |
| --- | --- |
| MD5 | 45702e3cbbd1b1fa5bc5b2e1add59a28 |
| SHA1 | 62f523fc942ad0fde771da6591c6e80d62112f3b |
| SHA256 | 885a499d2e0fd28f91423772902b48903d59ef9d11222ceacdb5d46159d41401 |
| SHA512 | 42b13e3bdc31255e62ee49c4e7d2c16486948ba1e5787dbfe8a8178ed5fae759e682c7d44c2ad10e283e83c5a4b12ca916f0ea3b9abb027a52435949293fe61e |
memory/4108-7-0x00000000752E0000-0x0000000075891000-memory.dmp
memory/2628-8-0x00000000752E0000-0x0000000075891000-memory.dmp
memory/2628-9-0x00000000752E0000-0x0000000075891000-memory.dmp
memory/2628-10-0x00000000752E0000-0x0000000075891000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-10 21:14
Reported
2025-01-10 21:17
Platform
win11-20241007-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\idk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4920 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4920 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4920 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\idk.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\idk.exe
"C:\Users\Admin\AppData\Local\Temp\idk.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.78.28.71:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.78.28.71:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.78.28.71:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.78.28.71:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.78.28.71:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.78.28.71:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.74.27.83:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.192.31.30:15027 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.192.31.30:15027 | 0.tcp.eu.ngrok.io | tcp |
Files
memory/4920-0-0x0000000074601000-0x0000000074602000-memory.dmp
memory/4920-1-0x0000000074600000-0x0000000074BB1000-memory.dmp
memory/4920-2-0x0000000074600000-0x0000000074BB1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| Hash | Value |
| --- | --- |
| MD5 | 45702e3cbbd1b1fa5bc5b2e1add59a28 |
| SHA1 | 62f523fc942ad0fde771da6591c6e80d62112f3b |
| SHA256 | 885a499d2e0fd28f91423772902b48903d59ef9d11222ceacdb5d46159d41401 |
| SHA512 | 42b13e3bdc31255e62ee49c4e7d2c16486948ba1e5787dbfe8a8178ed5fae759e682c7d44c2ad10e283e83c5a4b12ca916f0ea3b9abb027a52435949293fe61e |
memory/4232-18-0x0000000074600000-0x0000000074BB1000-memory.dmp
memory/4232-20-0x0000000074600000-0x0000000074BB1000-memory.dmp
memory/4920-19-0x0000000074600000-0x0000000074BB1000-memory.dmp
memory/4232-21-0x0000000074600000-0x0000000074BB1000-memory.dmp