Malware Analysis Report

2025-03-15 06:47

Sample ID 250116-yjv54swrbp
Target ez.exe
SHA256 77292a87fddf2428dd2505c2106a2e70e9e083f2d9c057728552d0d6122ba277
Tags: rat orcus discovery spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis Overview

Score: 10/10

SHA256: 77292a87fddf2428dd2505c2106a2e70e9e083f2d9c057728552d0d6122ba277

Threat Level: Known bad

The file ez.exe was found to be: Known bad.

Malicious Activity Summary

rat orcus discovery spyware stealer

Orcus family

Orcus

Checks computer location settings

Executes dropped EXE

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Enterprise Matrix V15 (the matrix view is not reproduced in this text export; the mapped behaviours are listed in the signature tables below)

Analysis: static1

Detonation Overview

Reported: 2025-01-16 19:49

Signatures

Orcus family

orcus

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-16 19:49
Reported: 2025-01-16 20:04
Platform: win10ltsc2021-20250113-en
Max time kernel: 893s
Max time network: 895s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ez.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ez.exe N/A

The Geo\Nation value under HKCU\Control Panel\International holds the GeoID of the country configured in the user's Region settings. Reading it is a common way for malware to decide whether to run at all in a given locale, which is why the sandbox reports it as a location check rather than as ordinary configuration access.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ez.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ez.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 6.tcp.ngrok.io N/A N/A (17 identical entries; the Network section below records 17 DNS queries for this name)

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\ez.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ez.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ez.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (ATT&CK T1614.001)

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ez.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ez.exe

"C:\Users\Admin\AppData\Local\Temp\ez.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
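The process chain and file drop above translate directly into host detection logic. The following is an added example, not part of the sandbox report and not Orcus or sandbox-vendor code: three rules (known-bad hash, drop-and-relaunch of a self-copy from the Roaming profile by a process in Temp, and ngrok TCP tunnel hostnames) run over a constructed, Sysmon-shaped event stream. The event records are made up for the example; the parent relationship explorer.exe -> ez.exe -> AudioDriver.exe is an assumption, since the report lists both processes but does not print the parent of each. The regional ngrok hostname form (N.tcp.eu.ngrok.io and similar) is also an assumption; the report only shows 6.tcp.ngrok.io.

```python
"""Detection rules derived from the behavioural indicators in the report.

Added example, not from the report. EVENTS is a constructed, Sysmon-like
event list; field names follow Sysmon conventions but the records are
invented for this example.
"""
import re

SAMPLE_SHA256 = "77292a87fddf2428dd2505c2106a2e70e9e083f2d9c057728552d0d6122ba277"
KNOWN_BAD_SHA256 = {SAMPLE_SHA256}
C2_PORT = 12654
# ngrok TCP tunnels are named N.tcp.ngrok.io; the optional two-letter label
# covers regional variants such as N.tcp.eu.ngrok.io (assumption, not in the report).
NGROK_TCP = re.compile(r"^\d+\.tcp(\.[a-z]{2})?\.ngrok\.io$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\.*\.exe$", re.I)

EZ = r"C:\Users\Admin\AppData\Local\Temp\ez.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

EVENTS = [  # constructed telemetry; parent chain is assumed
    {"EventType": "ProcessCreate", "Image": EZ, "ParentImage": r"C:\Windows\explorer.exe", "SHA256": SAMPLE_SHA256},
    {"EventType": "FileCreate", "Image": EZ, "TargetFilename": DROP},
    {"EventType": "ProcessCreate", "Image": DROP, "ParentImage": EZ, "SHA256": SAMPLE_SHA256},
    {"EventType": "DnsQuery", "Image": DROP, "QueryName": "6.tcp.ngrok.io"},
    {"EventType": "NetworkConnect", "Image": DROP, "DestinationIp": "3.132.159.158",
     "DestinationPort": C2_PORT, "DestinationHostname": "6.tcp.ngrok.io"},
    # benign noise so the rules have something to ignore
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "SHA256": "0" * 64},
    {"EventType": "DnsQuery", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.microsoft.com"},
]


def rule_known_hash(events):
    """Exact match on the sample hash; catches the renamed copy as well."""
    return [e for e in events if e.get("SHA256") in KNOWN_BAD_SHA256]


def rule_self_copy_from_temp(events):
    """A process under ...\\AppData\\Roaming whose hash equals its parent's,
    the parent running from ...\\AppData\\Local\\Temp: the drop-and-relaunch
    pattern the report shows (ez.exe -> AudioDriver.exe, identical SHA256)."""
    hash_by_image = {e["Image"]: e["SHA256"]
                     for e in events if e["EventType"] == "ProcessCreate"}
    hits = []
    for e in events:
        if e["EventType"] != "ProcessCreate":
            continue
        parent = e.get("ParentImage", "")
        if (ROAMING_EXE.search(e["Image"]) and TEMP_DIR.search(parent)
                and hash_by_image.get(parent) == e["SHA256"]):
            hits.append(e)
    return hits


def rule_ngrok_tcp_tunnel(events):
    """DNS queries or connections to an ngrok TCP tunnel hostname. The endpoint
    IPs rotate (six distinct ones appear in the report), so key on the name."""
    hits = []
    for e in events:
        name = e.get("QueryName") or e.get("DestinationHostname") or ""
        if NGROK_TCP.match(name):
            hits.append(e)
    return hits


def run_rules(events):
    """Map each rule name to the list of events it fired on."""
    rules = {
        "known_bad_hash": rule_known_hash,
        "self_copy_from_temp": rule_self_copy_from_temp,
        "ngrok_tcp_tunnel": rule_ngrok_tcp_tunnel,
    }
    return {name: fn(events) for name, fn in rules.items()}


if __name__ == "__main__":
    for name, hits in run_rules(EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h["EventType"], h.get("Image"))
```

The self-copy rule is the one worth keeping after the hash rotates: a binary launched from the Roaming profile by a parent in Temp with the same content hash is rarely legitimate, and it does not depend on the AudioDriver.exe name or the Microsoft\Speech directory this sample happened to choose.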

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 7.98.22.2.in-addr.arpa udp
US 8.8.8.8:53 158.159.132.3.in-addr.arpa udp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 7.223.140.3.in-addr.arpa udp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 211.142.141.3.in-addr.arpa udp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 37.210.141.3.in-addr.arpa udp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 1.177.141.3.in-addr.arpa udp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 18.189.106.45:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 45.106.189.18.in-addr.arpa udp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 3.141.177.1:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 3.141.142.211:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.141.210.37:12654 6.tcp.ngrok.io tcp
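Two things in the table above are easy to miss when reading it row by row: the C2 hostname 6.tcp.ngrok.io resolves to six different endpoint IPs over the run (all on port 12654), and several of the in-addr.arpa queries are reverse lookups of exactly those endpoints (158.159.132.3.in-addr.arpa is the PTR name for 3.132.159.158). The following is an added example, not part of the report: it parses rows in the report's own "Country Destination Domain Proto" layout, separates resolver traffic from C2 traffic, decodes PTR names back to addresses, and reduces the beacon to its stable (hostname, port) fingerprint. SAMPLE_ROWS is a constructed excerpt of the table; the functions work unchanged on the full table.

```python
"""Summarise a sandbox Network table and extract network IOCs from it.

Added example, not from the report. SAMPLE_ROWS is a constructed excerpt
of the table above in the report's own column layout.
"""
from collections import Counter
import ipaddress

SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 158.159.132.3.in-addr.arpa udp
US 3.132.159.158:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 3.140.223.7:12654 6.tcp.ngrok.io tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 18.189.106.45:12654 6.tcp.ngrok.io tcp
"""


def parse_rows(text):
    """Turn 'CC ip:port domain proto' lines into dicts; skips the header and blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'158.159.132.3.in-addr.arpa' -> '3.132.159.158'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def is_resolver_traffic(row, resolver="8.8.8.8"):
    """The sandbox's own DNS resolver; 8.8.8.8 is what this report used."""
    return row["ip"] == resolver and row["port"] == 53


def summarize(rows):
    """Per-endpoint connection counts, resolver traffic excluded."""
    c = Counter((r["ip"], r["port"], r["proto"])
                for r in rows if not is_resolver_traffic(r))
    return dict(c)


def extract_iocs(rows):
    """Forward lookups, C2 endpoints, and the addresses that were reverse-resolved."""
    domains, endpoints, reverse_lookups = set(), set(), set()
    for r in rows:
        if is_resolver_traffic(r):
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse_lookups.add(ip)
            else:
                domains.add(r["domain"])
        else:
            endpoints.add((r["ip"], r["port"]))
    return {"domains": domains, "endpoints": endpoints,
            "reverse_lookups": reverse_lookups}


def c2_fingerprint(rows):
    """(hostname, port) pairs behind the non-DNS traffic: stable across IP rotation."""
    return {(r["domain"], r["port"]) for r in rows if not is_resolver_traffic(r)}


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for (ip, port, proto), n in sorted(summarize(rows).items(), key=lambda kv: -kv[1]):
        print(f"{ip}:{port}/{proto}  {n}")
    iocs = extract_iocs(rows)
    print("C2 fingerprint:", c2_fingerprint(rows))
    print("endpoints also reverse-resolved:",
          {ip for ip, _ in iocs["endpoints"]} & iocs["reverse_lookups"])
```

For blocking and hunting, the output argues for the hostname plus port rather than the individual addresses: the six ngrok endpoints are shared tunnel infrastructure that other customers also use, so an IP-based block is both brittle and prone to collateral damage, while a DNS query for a numeric .tcp.ngrok.io label from an endpoint that has no business running ngrok is a clean signal.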

Files

memory/4724-0-0x0000000075502000-0x0000000075503000-memory.dmp

memory/4724-1-0x0000000075500000-0x0000000075AB1000-memory.dmp

memory/4724-2-0x0000000075500000-0x0000000075AB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

MD5 6aca765d73fd8e716389d96b482bb455
SHA1 7b68d71c8fb5cd95d0a8c42ec74787a0c5dbb679
SHA256 77292a87fddf2428dd2505c2106a2e70e9e083f2d9c057728552d0d6122ba277
SHA512 069e8d03fe604e118d3884a9bba5cadd061effc0dae18d4606dbb76fb02a18f0a3d5b0ea1be0cc14d6d8a54057a1a6c7d956ef487ae96d9aa10a7ce78283bc7e

The SHA256 is identical to that of ez.exe: the dropped AudioDriver.exe is a byte-for-byte copy of the sample, written under the Roaming profile and executed from there, so the file hash alone identifies both the original and the persisted copy.

memory/1720-7-0x0000000075500000-0x0000000075AB1000-memory.dmp

memory/1720-9-0x0000000075500000-0x0000000075AB1000-memory.dmp

memory/4724-8-0x0000000075500000-0x0000000075AB1000-memory.dmp

memory/1720-10-0x0000000075500000-0x0000000075AB1000-memory.dmp