Malware Analysis Report

2025-03-15 06:45

Sample ID 250120-bc7h8strgj
Target 49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4
SHA256 49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4
Tags
discovery rat orcus spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4

Threat Level: Known bad

The file 49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4 was found to be: Known bad.

Malicious Activity Summary

discovery rat orcus spyware stealer

Orcus

Orcus family

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-20 01:01

Signatures

Orcus family

orcus

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-20 01:01

Reported

2025-01-20 01:03

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A (39 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe

"C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 131.50.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
N/A 127.0.0.1:1000 N/A tcp (13 identical rows, interleaved with the DNS lookups above)

Files

memory/3440-0-0x0000000075502000-0x0000000075503000-memory.dmp

memory/3440-2-0x0000000075500000-0x0000000075AB1000-memory.dmp

memory/3440-1-0x0000000075500000-0x0000000075AB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

MD5 948ec552784ee8ccb45b56b5ae7d7916
SHA1 1cdb1221c268721c8741f5f63ab197d850f62073
SHA256 49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4
SHA512 c7055d1cdb5f7a988730a821a15d110ba8d1dec8ea6773d50116df4a32a0e481a365e58b447b95a1bff1466f3398036131a869a2bb194d26d8f90d4af8da5d44

memory/2680-19-0x0000000075500000-0x0000000075AB1000-memory.dmp

memory/3440-18-0x0000000075500000-0x0000000075AB1000-memory.dmp

memory/2680-20-0x0000000075500000-0x0000000075AB1000-memory.dmp

memory/2680-21-0x0000000075500000-0x0000000075AB1000-memory.dmp

memory/2680-22-0x0000000075500000-0x0000000075AB1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-20 01:01

Reported

2025-01-20 01:03

Platform

win7-20240903-en

Max time kernel

146s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus family

orcus

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A (42 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe

"C:\Users\Admin\AppData\Local\Temp\49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:1000 N/A tcp (14 identical rows)

Files

memory/1508-0-0x00000000745D1000-0x00000000745D2000-memory.dmp

memory/1508-1-0x00000000745D0000-0x0000000074B7B000-memory.dmp

memory/1508-2-0x00000000745D0000-0x0000000074B7B000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe

MD5 948ec552784ee8ccb45b56b5ae7d7916
SHA1 1cdb1221c268721c8741f5f63ab197d850f62073
SHA256 49959dde61d60467f69a81253006ef7f23b9e5dc6f6bb714180240c3e50b57b4
SHA512 c7055d1cdb5f7a988730a821a15d110ba8d1dec8ea6773d50116df4a32a0e481a365e58b447b95a1bff1466f3398036131a869a2bb194d26d8f90d4af8da5d44

memory/2192-12-0x00000000745D0000-0x0000000074B7B000-memory.dmp

memory/1508-11-0x00000000745D0000-0x0000000074B7B000-memory.dmp

memory/2192-13-0x00000000745D0000-0x0000000074B7B000-memory.dmp

memory/2192-14-0x00000000745D0000-0x0000000074B7B000-memory.dmp

memory/2192-15-0x00000000745D0000-0x0000000074B7B000-memory.dmp