
Analysis

  • max time kernel
    140s
  • max time network
    143s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    15/01/2025, 01:42 UTC

General

  • Target

    OrcusLauncher.exe

  • Size

    839KB

  • MD5

    b931bd63c8f3fbed9812df37a55c50f8

  • SHA1

    471352d83479f815e64b8fdedca6a243bb176514

  • SHA256

    2c770ee8abfe03bbf7206c9a72f252378fe22b06c88a4788464eb2d8eecdd447

  • SHA512

    3a169ccf14f1b78db7116c3e8b709e1e3aed0585036812e98e6813b799e556a917da7c39c2b14b6ba6e96a27c0ded65ea9217c9dad62ff2c619b8a0c0a97b3c7

  • SSDEEP

    24576:lmIS04YNEMuExDiU6E5R9s8xY/2l/detnIbt+rb:oQ4auS+UjfU2TedIbt+r

Malware Config

Extracted

Family

orcus

C2

hi-tin.gl.at.ply.gg

Mutex

e1739ca6803f4a20a3dfac72cfbc1100

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    01/14/2025 22:12:00

  • plugins

    AgEAAA==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain
1
CrackedByWardow
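The persistence settings above (installation_folder, registry_autostart_keyname, tasksch_name) are the values a responder turns into host-side hunt checks. The script below is an added example for this report, not tria.ge or Orcus code: it copies the config values from the section above, expands %appdata% to <profile>\AppData\Roaming as the sandbox run did (the dropped copy landed under C:\Users\Admin\AppData\Roaming), base64-decodes the plugins blob without interpreting it, and matches the config against a set of host artefacts that are constructed here so it runs offline. On a real endpoint the Run-key values, task names and file paths would come from the host; the report does not show a Run key or task being written, only the copy at the installation path being executed.

```python
"""Host-side hunt derived from the extracted Orcus config.

Added example for this report (not tria.ge, Orcus, or any vendor code).
The config values are copied from the "Malware Config" section; the host
artefacts it is matched against are CONSTRUCTED so the script runs offline.
"""
import base64
import ntpath
import re

# Copied from the extracted config above.
ORCUS_CONFIG = {
    "installation_folder": r"%appdata%\Microsoft\Speech\AudioDriver.exe",
    "registry_autostart_keyname": "Audio HD Driver",
    "tasksch_name": "Audio HD Driver",
    "plugins": "AgEAAA==",
}


def expand_appdata(path, user_profile):
    """Expand %appdata% to <profile>/AppData/Roaming (Windows separators),
    which is where the sandbox run placed the dropped copy."""
    roaming = ntpath.join(user_profile, "AppData", "Roaming")
    # Callable replacement so the backslashes in `roaming` are taken literally.
    return re.sub(r"%appdata%", lambda _m: roaming, path, flags=re.IGNORECASE)


def decode_plugins(blob):
    """'plugins' is base64; return the raw bytes. The report does not
    document their layout, so nothing further is inferred here."""
    return base64.b64decode(blob)


def hunt(config, artefacts, user_profiles):
    """Return [(artefact_kind, value)] for every artefact matching the config.

    Paths are compared case-insensitively (NTFS); names are compared exactly.
    A Run-key command may be quoted, so surrounding quotes are stripped.
    """
    expected_paths = {
        expand_appdata(config["installation_folder"], p).lower()
        for p in user_profiles
    }
    hits = []
    for entry in artefacts["run_keys"]:
        cmd = entry["command"].strip().strip('"').lower()
        if entry["name"] == config["registry_autostart_keyname"] or cmd in expected_paths:
            hits.append(("run_key", entry["name"]))
    for task in artefacts["scheduled_tasks"]:
        if task == config["tasksch_name"]:
            hits.append(("scheduled_task", task))
    for path in artefacts["files"]:
        if path.lower() in expected_paths:
            hits.append(("file", path))
    return hits


# CONSTRUCTED host artefacts: one profile, a benign Run entry and task beside
# the Orcus ones, and the dropped path seen in the report's process tree.
SAMPLE_ARTEFACTS = {
    "run_keys": [
        {"name": "OneDrive",
         "command": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
        {"name": "Audio HD Driver",
         "command": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"'},
    ],
    "scheduled_tasks": ["MicrosoftEdgeUpdateTaskMachineCore", "Audio HD Driver"],
    "files": [
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe",
        r"C:\Windows\System32\drivers\HdAudio.sys",
    ],
}
SAMPLE_PROFILES = [r"C:\Users\Admin"]

if __name__ == "__main__":
    for kind, value in hunt(ORCUS_CONFIG, SAMPLE_ARTEFACTS, SAMPLE_PROFILES):
        print(f"{kind}: {value}")
    print("plugins bytes:", decode_plugins(ORCUS_CONFIG["plugins"]).hex())
```

Matching the Run-key by command path as well as by value name matters because the operator-chosen name ("Audio HD Driver") is the easiest thing to change between builds, while the drop path is baked into the same config.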

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

  • Orcus family
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (1 IoC)
  • Drops desktop.ini file(s) (2 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Suspicious behavior: EnumeratesProcesses (36 IoCs)
  • Suspicious behavior: LoadsDriver (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\OrcusLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\OrcusLauncher.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4524

Network

DNS (resolver 8.8.8.8:53 in every case; country flag: US)

  • 8.8.8.8.in-addr.arpa
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: dns.google
  • 72.32.126.40.in-addr.arpa
    Request: 72.32.126.40.in-addr.arpa IN PTR
    Response: (no records)
  • 172.214.232.199.in-addr.arpa
    Request: 172.214.232.199.in-addr.arpa IN PTR
    Response: (no records)
  • 167.173.78.104.in-addr.arpa
    Request: 167.173.78.104.in-addr.arpa IN PTR
    Response: a104-78-173-167.deploy.static.akamaitechnologies.com
  • hi-tin.gl.at.ply.gg (process: AudioDriver.exe)
    Request: hi-tin.gl.at.ply.gg IN A
    Response: 147.185.221.25
  • 25.221.185.147.in-addr.arpa
    Request: 25.221.185.147.in-addr.arpa IN PTR
    Response: (no records)
  • 76.246.100.95.in-addr.arpa
    Request: 76.246.100.95.in-addr.arpa IN PTR
    Response: a95-100-246-76.deploy.static.akamaitechnologies.com
  • 56.163.245.4.in-addr.arpa
    Request: 56.163.245.4.in-addr.arpa IN PTR
    Response: (no records)
  • 198.187.3.20.in-addr.arpa
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response: (no records)
  • hi-tin.gl.at.ply.gg (process: AudioDriver.exe)
    Request: hi-tin.gl.at.ply.gg IN A
    Response: 147.185.221.25
  • 8.153.16.2.in-addr.arpa
    Request: 8.153.16.2.in-addr.arpa IN PTR
    Response: a2-16-153-8.deploy.static.akamaitechnologies.com
  • 19.229.111.52.in-addr.arpa
    Request: 19.229.111.52.in-addr.arpa IN PTR
    Response: (no records)
Connections (bytes sent / received, packets out / in)

  Remote address        | Name / query                  | Proto | Process         | Sent  | Recv  | Out | In | Notes
  ----------------------|-------------------------------|-------|-----------------|-------|-------|-----|----|----------------
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 518 B | 172 B | 4   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 728 B | 172 B | 5   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 518 B | 172 B | 4   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 728 B | 172 B | 5   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 518 B | 172 B | 4   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 728 B | 172 B | 5   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 518 B | 172 B | 4   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 728 B | 172 B | 5   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 728 B | 172 B | 5   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 728 B | 172 B | 5   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 728 B | 172 B | 5   | 4  |
  147.185.221.25:14413  | AMJXFSPC                      | tls   | AudioDriver.exe | 518 B | 172 B | 4   | 4  |
  8.8.8.8:53            | 8.8.8.8.in-addr.arpa          | dns   |                 | 66 B  | 90 B  | 1   | 1  |
  8.8.8.8:53            | 72.32.126.40.in-addr.arpa     | dns   |                 | 71 B  | 157 B | 1   | 1  |
  8.8.8.8:53            | 172.214.232.199.in-addr.arpa  | dns   |                 | 74 B  | 128 B | 1   | 1  |
  8.8.8.8:53            | 167.173.78.104.in-addr.arpa   | dns   |                 | 73 B  | 139 B | 1   | 1  |
  8.8.8.8:53            | hi-tin.gl.at.ply.gg           | dns   | AudioDriver.exe | 65 B  | 81 B  | 1   | 1  | A 147.185.221.25
  8.8.8.8:53            | 25.221.185.147.in-addr.arpa   | dns   |                 | 73 B  | 130 B | 1   | 1  |
  8.8.8.8:53            | 76.246.100.95.in-addr.arpa    | dns   |                 | 72 B  | 137 B | 1   | 1  |
  8.8.8.8:53            | 56.163.245.4.in-addr.arpa     | dns   |                 | 71 B  | 157 B | 1   | 1  |
  8.8.8.8:53            | 198.187.3.20.in-addr.arpa     | dns   |                 | 71 B  | 157 B | 1   | 1  |
  8.8.8.8:53            | hi-tin.gl.at.ply.gg           | dns   | AudioDriver.exe | 65 B  | 81 B  | 1   | 1  | A 147.185.221.25
  8.8.8.8:53            | 8.153.16.2.in-addr.arpa       | dns   |                 | 69 B  | 131 B | 1   | 1  |
  8.8.8.8:53            | 19.229.111.52.in-addr.arpa    | dns   |                 | 72 B  | 158 B | 1   | 1  |
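Twelve small TLS sessions from AudioDriver.exe to the same host and port inside a run whose network capture lasted 143 s is the shape a reconnect_delay of 10000 ms produces: each check-in is short, the client sleeps ten seconds, and reconnects. The script below is an added example for this report, not tria.ge code, that flags that pattern in connection records. The flow records are constructed: the report gives session sizes but no timestamps, so roughly 10 s spacing is assumed here to mirror the configured delay, and some filler (irregular resolver traffic, a few large HTTPS flows) is included that should not be flagged. The note that *.ply.gg hostnames belong to the playit.gg tunnelling service is the editor's, not something the report states.

```python
"""Beacon detection over connection records, tuned by the reconnect_delay
(10000 ms) in the extracted Orcus config.

Added example, not tria.ge code. Flow records are CONSTRUCTED: the report
lists twelve short TLS sessions to 147.185.221.25:14413 but no timestamps.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Flow = namedtuple("Flow", "ts dst port proto process sent recv")


def parse_flows(lines):
    """Parse 'ts dst port proto process sent_bytes recv_bytes' records;
    blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, dst, port, proto, proc, sent, recv = line.split()
        flows.append(Flow(float(ts), dst, int(port), proto, proc, int(sent), int(recv)))
    return flows


def find_beacons(flows, min_count=5, max_jitter=0.2, max_bytes=4096):
    """Group flows by (dst, port, process) and report groups whose
    inter-arrival times are regular (coefficient of variation <= max_jitter)
    and whose sessions are small: check-ins rather than bulk transfer."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.dst, f.port, f.process)].append(f)
    beacons = []
    for (dst, port, proc), fs in groups.items():
        if len(fs) < min_count:
            continue
        ts = sorted(f.ts for f in fs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period > 0 else float("inf")
        if jitter <= max_jitter and max(f.sent + f.recv for f in fs) <= max_bytes:
            beacons.append({"dst": dst, "port": port, "process": proc,
                            "count": len(fs), "period_s": round(period, 1),
                            "jitter": round(jitter, 3)})
    return beacons


def is_tunnel_hostname(name):
    """*.ply.gg hostnames are handed out by the playit.gg tunnelling service
    (editor's note, not from the report): the C2 behind one has no fixed IP,
    so the hostname, not 147.185.221.25, is the durable indicator."""
    return name.lower().rstrip(".").endswith(".ply.gg")


# CONSTRUCTED records: ts(s) dst port proto process sent recv
SAMPLE_FLOWS = """
# twelve C2 check-ins, ~10 s apart, session sizes taken from the report
11.0  147.185.221.25 14413 tls AudioDriver.exe 518 172
21.4  147.185.221.25 14413 tls AudioDriver.exe 728 172
31.7  147.185.221.25 14413 tls AudioDriver.exe 518 172
42.3  147.185.221.25 14413 tls AudioDriver.exe 728 172
52.5  147.185.221.25 14413 tls AudioDriver.exe 518 172
63.0  147.185.221.25 14413 tls AudioDriver.exe 728 172
73.2  147.185.221.25 14413 tls AudioDriver.exe 518 172
83.9  147.185.221.25 14413 tls AudioDriver.exe 728 172
94.1  147.185.221.25 14413 tls AudioDriver.exe 728 172
104.6 147.185.221.25 14413 tls AudioDriver.exe 728 172
115.0 147.185.221.25 14413 tls AudioDriver.exe 728 172
125.4 147.185.221.25 14413 tls AudioDriver.exe 518 172
# reverse lookups by the OS resolver: many, but irregular
0.5   8.8.8.8 53 dns - 66 90
1.0   8.8.8.8 53 dns - 71 157
1.2   8.8.8.8 53 dns - 74 128
9.8   8.8.8.8 53 dns - 73 139
33.0  8.8.8.8 53 dns - 73 130
34.1  8.8.8.8 53 dns - 72 137
70.0  8.8.8.8 53 dns - 71 157
120.2 8.8.8.8 53 dns - 69 131
# a few large HTTPS flows: too few and too big to be a beacon
3.0   40.126.32.72 443 tls svchost.exe 5120 81920
61.0  40.126.32.72 443 tls svchost.exe 4096 65536
130.0 40.126.32.72 443 tls svchost.exe 6144 90112
""".splitlines()

if __name__ == "__main__":
    for b in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(b)
```

The size cap is what keeps an update client or browser session from tripping the rule; the jitter bound is deliberately loose (20 %) because the measured period is the sleep plus the previous session's duration, not the bare 10 s.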

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe (byte-identical copy of the submitted OrcusLauncher.exe: same size and hashes)

    Filesize

    839KB

    MD5

    b931bd63c8f3fbed9812df37a55c50f8

    SHA1

    471352d83479f815e64b8fdedca6a243bb176514

    SHA256

    2c770ee8abfe03bbf7206c9a72f252378fe22b06c88a4788464eb2d8eecdd447

    SHA512

    3a169ccf14f1b78db7116c3e8b709e1e3aed0585036812e98e6813b799e556a917da7c39c2b14b6ba6e96a27c0ded65ea9217c9dad62ff2c619b8a0c0a97b3c7

  • memory/552-0-0x0000000074432000-0x0000000074433000-memory.dmp

    Filesize

    4KB

  • memory/552-1-0x0000000074430000-0x00000000749E1000-memory.dmp

    Filesize

    5.7MB

  • memory/552-2-0x0000000074430000-0x00000000749E1000-memory.dmp

    Filesize

    5.7MB

  • memory/552-7-0x0000000074430000-0x00000000749E1000-memory.dmp

    Filesize

    5.7MB

  • memory/4524-8-0x0000000074430000-0x00000000749E1000-memory.dmp

    Filesize

    5.7MB

  • memory/4524-9-0x0000000074430000-0x00000000749E1000-memory.dmp

    Filesize

    5.7MB

  • memory/4524-10-0x0000000074430000-0x00000000749E1000-memory.dmp

    Filesize

    5.7MB

  • memory/4524-11-0x0000000074430000-0x00000000749E1000-memory.dmp

    Filesize

    5.7MB
