Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
143s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
15/01/2025, 01:42 UTC
General
-
Target
OrcusLauncher.exe
-
Size
839KB
-
MD5
b931bd63c8f3fbed9812df37a55c50f8
-
SHA1
471352d83479f815e64b8fdedca6a243bb176514
-
SHA256
2c770ee8abfe03bbf7206c9a72f252378fe22b06c88a4788464eb2d8eecdd447
-
SHA512
3a169ccf14f1b78db7116c3e8b709e1e3aed0585036812e98e6813b799e556a917da7c39c2b14b6ba6e96a27c0ded65ea9217c9dad62ff2c619b8a0c0a97b3c7
-
SSDEEP
24576:lmIS04YNEMuExDiU6E5R9s8xY/2l/detnIbt+rb:oQ4auS+UjfU2TedIbt+r
Malware Config
Extracted
orcus
hi-tin.gl.at.ply.gg
e1739ca6803f4a20a3dfac72cfbc1100
-
administration_rights_required
false
-
anti_debugger
false
-
anti_tcp_analyzer
false
-
antivm
false
-
autostart_method
1
-
change_creation_date
false
-
force_installer_administrator_privileges
false
-
hide_file
false
-
install
false
-
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
-
installservice
false
-
keylogger_enabled
false
-
newcreationdate
01/14/2025 22:12:00
-
plugins
AgEAAA==
-
reconnect_delay
10000
-
registry_autostart_keyname
Audio HD Driver
-
registry_hidden_autostart
false
-
set_admin_flag
false
-
tasksch_name
Audio HD Driver
-
tasksch_request_highest_privileges
false
-
try_other_autostart_onfail
false
Signatures
-
Orcus family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000\Control Panel\International\Geo\Nation OrcusLauncher.exe -
Executes dropped EXE 1 IoCs
pid Process 4524 AudioDriver.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini OrcusLauncher.exe File opened for modification C:\Windows\assembly\Desktop.ini OrcusLauncher.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\assembly OrcusLauncher.exe File created C:\Windows\assembly\Desktop.ini OrcusLauncher.exe File opened for modification C:\Windows\assembly\Desktop.ini OrcusLauncher.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OrcusLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AudioDriver.exe -
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid Process 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe 4524 AudioDriver.exe -
Suspicious behavior: LoadsDriver 6 IoCs
pid Process 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 4 Process not Found 672 Process not Found -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4524 AudioDriver.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4524 AudioDriver.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 4524 AudioDriver.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 552 wrote to memory of 4524 552 OrcusLauncher.exe 82 PID 552 wrote to memory of 4524 552 OrcusLauncher.exe 82 PID 552 wrote to memory of 4524 552 OrcusLauncher.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\OrcusLauncher.exe"C:\Users\Admin\AppData\Local\Temp\OrcusLauncher.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4524
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request72.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request167.173.78.104.in-addr.arpaIN PTRResponse167.173.78.104.in-addr.arpaIN PTRa104-78-173-167deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requesthi-tin.gl.at.ply.ggIN AResponsehi-tin.gl.at.ply.ggIN A147.185.221.25
-
Remote address:8.8.8.8:53Request25.221.185.147.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request76.246.100.95.in-addr.arpaIN PTRResponse76.246.100.95.in-addr.arpaIN PTRa95-100-246-76deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request56.163.245.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesthi-tin.gl.at.ply.ggIN AResponsehi-tin.gl.at.ply.ggIN A147.185.221.25
-
Remote address:8.8.8.8:53Request8.153.16.2.in-addr.arpaIN PTRResponse8.153.16.2.in-addr.arpaIN PTRa2-16-153-8deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
518 B 172 B 4 4
-
728 B 172 B 5 4
-
518 B 172 B 4 4
-
728 B 172 B 5 4
-
518 B 172 B 4 4
-
728 B 172 B 5 4
-
518 B 172 B 4 4
-
728 B 172 B 5 4
-
728 B 172 B 5 4
-
728 B 172 B 5 4
-
728 B 172 B 5 4
-
518 B 172 B 4 4
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
72.32.126.40.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
167.173.78.104.in-addr.arpa
-
65 B 81 B 1 1
DNS Request
hi-tin.gl.at.ply.gg
DNS Response
147.185.221.25
-
73 B 130 B 1 1
DNS Request
25.221.185.147.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
76.246.100.95.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
56.163.245.4.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
65 B 81 B 1 1
DNS Request
hi-tin.gl.at.ply.gg
DNS Response
147.185.221.25
-
69 B 131 B 1 1
DNS Request
8.153.16.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
839KB
MD5b931bd63c8f3fbed9812df37a55c50f8
SHA1471352d83479f815e64b8fdedca6a243bb176514
SHA2562c770ee8abfe03bbf7206c9a72f252378fe22b06c88a4788464eb2d8eecdd447
SHA5123a169ccf14f1b78db7116c3e8b709e1e3aed0585036812e98e6813b799e556a917da7c39c2b14b6ba6e96a27c0ded65ea9217c9dad62ff2c619b8a0c0a97b3c7