Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
143s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
15/01/2025, 01:42
General
-
Target
OrcusLauncher.exe
-
Size
839KB
-
MD5
b931bd63c8f3fbed9812df37a55c50f8
-
SHA1
471352d83479f815e64b8fdedca6a243bb176514
-
SHA256
2c770ee8abfe03bbf7206c9a72f252378fe22b06c88a4788464eb2d8eecdd447
-
SHA512
3a169ccf14f1b78db7116c3e8b709e1e3aed0585036812e98e6813b799e556a917da7c39c2b14b6ba6e96a27c0ded65ea9217c9dad62ff2c619b8a0c0a97b3c7
-
SSDEEP
24576:lmIS04YNEMuExDiU6E5R9s8xY/2l/detnIbt+rb:oQ4auS+UjfU2TedIbt+r
Malware Config
Extracted
orcus
hi-tin.gl.at.ply.gg
e1739ca6803f4a20a3dfac72cfbc1100
-
administration_rights_required
false
-
anti_debugger
false
-
anti_tcp_analyzer
false
-
antivm
false
-
autostart_method
1
-
change_creation_date
false
-
force_installer_administrator_privileges
false
-
hide_file
false
-
install
false
-
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
-
installservice
false
-
keylogger_enabled
false
-
newcreationdate
01/14/2025 22:12:00
-
plugins
AgEAAA==
-
reconnect_delay
10000
-
registry_autostart_keyname
Audio HD Driver
-
registry_hidden_autostart
false
-
set_admin_flag
false
-
tasksch_name
Audio HD Driver
-
tasksch_request_highest_privileges
false
-
try_other_autostart_onfail
false
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\OrcusLauncher.exe"C:\Users\Admin\AppData\Local\Temp\OrcusLauncher.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
839KB
MD5b931bd63c8f3fbed9812df37a55c50f8
SHA1471352d83479f815e64b8fdedca6a243bb176514
SHA2562c770ee8abfe03bbf7206c9a72f252378fe22b06c88a4788464eb2d8eecdd447
SHA5123a169ccf14f1b78db7116c3e8b709e1e3aed0585036812e98e6813b799e556a917da7c39c2b14b6ba6e96a27c0ded65ea9217c9dad62ff2c619b8a0c0a97b3c7
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB