Malware Analysis Report

2025-03-15 06:47

Sample ID 250115-y4tssatmfv
Target ezz.exe
SHA256 7b7b51a0b246edc07ce106ecd362d46565e16018635160a6394b5aa47bb9e14b
Tags
rat orcus discovery spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7b7b51a0b246edc07ce106ecd362d46565e16018635160a6394b5aa47bb9e14b

Threat Level: Known bad

The file ezz.exe was found to be: Known bad.

Malicious Activity Summary

rat orcus discovery spyware stealer

Orcus

Orcus family

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 20:20

Signatures

Orcus family

orcus

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 20:20

Reported

2025-01-15 20:23

Platform

win10ltsc2021-20250113-en

Max time kernel

98s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ezz.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ezz.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft\Speech\AudioDriver.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ezz.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ezz.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.ngrok.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\ezz.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsInput.InstallLog C:\Windows\SysWOW64\WindowsInput.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ezz.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ezz.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\ezz.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ezz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft\Speech\AudioDriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ezz.exe

"C:\Users\Admin\AppData\Local\Temp\ezz.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Users\Admin\AppData\Local\Temp\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft\Speech\AudioDriver.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.ngrok.io udp
US 3.12.245.36:19843 0.tcp.ngrok.io tcp
US 8.8.8.8:53 36.245.12.3.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.74.47.205:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp

Files

memory/2856-0-0x00000000748E2000-0x00000000748E3000-memory.dmp

memory/2856-1-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/2856-2-0x00000000748E0000-0x0000000074E91000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e854a4636afc652b320e12e50ba4080e
SHA1 8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc
SHA256 94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5
SHA512 30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118

memory/3256-19-0x00007FF8054C5000-0x00007FF8054C6000-memory.dmp

memory/3256-21-0x000000001B620000-0x000000001B640000-memory.dmp

memory/3256-20-0x000000001B5E0000-0x000000001B5F8000-memory.dmp

memory/3256-22-0x00007FF805210000-0x00007FF805BB1000-memory.dmp

memory/3256-23-0x00007FF805210000-0x00007FF805BB1000-memory.dmp

memory/3256-26-0x000000001B940000-0x000000001B964000-memory.dmp

memory/3256-34-0x000000001C2A0000-0x000000001C76E000-memory.dmp

memory/3256-35-0x000000001C810000-0x000000001C8AC000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.InstallLog

MD5 c2291863df7c2d3038ce3c22fa276506
SHA1 7b7d2bc07a6c35523807342c747c9b6a19f3184e
SHA256 14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da
SHA512 00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa

memory/3256-52-0x00007FF805210000-0x00007FF805BB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Microsoft\Speech\AudioDriver.exe

MD5 a9a2e25c8246f12b57772f3bf80a21e3
SHA1 364f350fded32f413889da44ed1bb8ad6a1e59c0
SHA256 7b7b51a0b246edc07ce106ecd362d46565e16018635160a6394b5aa47bb9e14b
SHA512 badd84614356c1599abcd4d702bbb8a01332325a38859888f53cb39174d928f8029bc342af267552bda56ba11e4d81c8cdd03570ac1128eae61b6be96149b46c

memory/1304-56-0x00000000748E2000-0x00000000748E3000-memory.dmp

memory/2856-55-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/1304-58-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/1304-57-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/1304-59-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/1304-60-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/1304-61-0x00000000748E0000-0x0000000074E91000-memory.dmp

memory/1304-63-0x00000000748E0000-0x0000000074E91000-memory.dmp