General

  • Target

    6c725c9af0d72f9c5ece6e22ba20f774453b07fc7179d40e8f88c8de7b6dc3a3

  • Size

    4.0MB

  • Sample

    250111-bwqptsxkdx

  • MD5

    341bb9754d9ae93a140cc8da97f5fe0f

  • SHA1

    a71cfd0c63665f495ad4f8c682ce8998e542c4a2

  • SHA256

    6c725c9af0d72f9c5ece6e22ba20f774453b07fc7179d40e8f88c8de7b6dc3a3

  • SHA512

    e45804100ee6ba4968f66f37b1d69e6d8c0aaf1913f84e84bc9a1805aa64bbca2aa9c9a6feb7e0afd708fac4ca1a1bad603820f3a36508b362d16d6af443c3dc

  • SSDEEP

    24576:u2S04YNEMuExDiU6E5R9s8xY/2l/d0J5dtsPxNGfa9Ibt+rM:uS4auS+UjfU2Tg5XDy9Ibt+r

Malware Config

Extracted

Family

orcus

C2

127.0.0.1

Mutex

d543f791f4b249e29f48001cbf4f7464

Attributes

  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    01/10/2025 13:05:29

  • plugins

    AgUFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIDAAZABhAGMAOQBjAGUAYwBhADEAMQBmADQANQA3ADQAYgAwADYAYwAwADMAOQA1ADUAOAA5ADcANAA1AGQAOQABBcjswb8CldcC3rcCqMa3DYpVf2wVCkcAYQBtAGUAcgAgAFYAaQBlAHcABwMxAC4AMgBBIDYAMwAxADUAYgA5ADEAMgBiADcAYgA5ADQAYgBhADUAYgBiAGMAYgAwADAAOQBlADAANgA3ADAAMQBjAGQAOQACAAAEBA==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

1
CrackedByWardow

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)
