Analysis Overview
SHA256
f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65
Threat Level: Known bad
The file f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65 was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcus family
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Drops desktop.ini file(s)
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-11 01:04
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-11 01:04
Reported
2025-01-11 01:06
Platform
win7-20241010-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Orcus
Orcus family
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1672 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 1672 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 1672 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 1672 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe
"C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | make-tools.gl.at.ply.gg | udp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
Files
memory/1672-0-0x0000000074891000-0x0000000074892000-memory.dmp
memory/1672-1-0x0000000074890000-0x0000000074E3B000-memory.dmp
memory/1672-2-0x0000000074890000-0x0000000074E3B000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| Hash | Value |
| --- | --- |
| MD5 | b3c2d66e8359f2b7e6a28c82e69ce611 |
| SHA1 | 6449776bcc2b76c5317471689b3e04b6c6183870 |
| SHA256 | f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65 |
| SHA512 | 8dd801ebe37e68f9c0d879d8cc33e2cc416d1417278632209d19411f02e2f371351678de498d940d66a491a3a374648e465a36541c2df9172f562ad5dc63785f |
memory/1672-12-0x0000000074890000-0x0000000074E3B000-memory.dmp
memory/2568-11-0x0000000074890000-0x0000000074E3B000-memory.dmp
memory/2568-13-0x0000000074890000-0x0000000074E3B000-memory.dmp
memory/2568-14-0x0000000074890000-0x0000000074E3B000-memory.dmp
memory/2568-15-0x0000000074890000-0x0000000074E3B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-11 01:04
Reported
2025-01-11 01:06
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2872 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 2872 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 2872 wrote to memory of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe
"C:\Users\Admin\AppData\Local\Temp\f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | make-tools.gl.at.ply.gg | udp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
| US | 147.185.221.25:5012 | make-tools.gl.at.ply.gg | tcp |
Files
memory/2872-0-0x00000000750B2000-0x00000000750B3000-memory.dmp
memory/2872-1-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/2872-2-0x00000000750B0000-0x0000000075661000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| Hash | Value |
| --- | --- |
| MD5 | b3c2d66e8359f2b7e6a28c82e69ce611 |
| SHA1 | 6449776bcc2b76c5317471689b3e04b6c6183870 |
| SHA256 | f1c3730640cff981b26a31d45a759bae4339512b63ef57ad310cbe4df8d40a65 |
| SHA512 | 8dd801ebe37e68f9c0d879d8cc33e2cc416d1417278632209d19411f02e2f371351678de498d940d66a491a3a374648e465a36541c2df9172f562ad5dc63785f |
memory/4084-18-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/4084-20-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/4084-21-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/2872-19-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/4084-22-0x00000000750B0000-0x0000000075661000-memory.dmp