Analysis Overview
SHA256
77292a87fddf2428dd2505c2106a2e70e9e083f2d9c057728552d0d6122ba277
Threat Level: Known bad
The file ez.exe was found to be: Known bad.
Malicious Activity Summary
Orcus family
Orcus
Checks computer location settings
Executes dropped EXE
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-16 19:49
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-16 19:49
Reported
2025-01-16 20:04
Platform
win10ltsc2021-20250113-en
Max time kernel
893s
Max time network
895s
Signatures
Orcus
Orcus family
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | 6.tcp.ngrok.io | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ez.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4724 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\ez.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ez.exe
"C:\Users\Admin\AppData\Local\Temp\ez.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
Files
memory/4724-0-0x0000000075502000-0x0000000075503000-memory.dmp
memory/4724-1-0x0000000075500000-0x0000000075AB1000-memory.dmp
memory/4724-2-0x0000000075500000-0x0000000075AB1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| Hash | Value |
|---|---|
| MD5 | 6aca765d73fd8e716389d96b482bb455 |
| SHA1 | 7b68d71c8fb5cd95d0a8c42ec74787a0c5dbb679 |
| SHA256 | 77292a87fddf2428dd2505c2106a2e70e9e083f2d9c057728552d0d6122ba277 |
| SHA512 | 069e8d03fe604e118d3884a9bba5cadd061effc0dae18d4606dbb76fb02a18f0a3d5b0ea1be0cc14d6d8a54057a1a6c7d956ef487ae96d9aa10a7ce78283bc7e |
memory/1720-7-0x0000000075500000-0x0000000075AB1000-memory.dmp
memory/1720-9-0x0000000075500000-0x0000000075AB1000-memory.dmp
memory/4724-8-0x0000000075500000-0x0000000075AB1000-memory.dmp
memory/1720-10-0x0000000075500000-0x0000000075AB1000-memory.dmp