Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20-01-2025 01:06
General
-
Target
1f1a5f729de96c4f5d3f317ba1254ca8b2ccbc4538e0a9664326a57e613eed64.exe
-
Size
843KB
-
MD5
787b41af9d28bb93bb3b8e574f06a4cf
-
SHA1
9fca5a5fcbd4c1e38e9b1fa52a6af916c3267cd7
-
SHA256
1f1a5f729de96c4f5d3f317ba1254ca8b2ccbc4538e0a9664326a57e613eed64
-
SHA512
51663df1670c6da11d262e654fb3cd700b10d1fac2398ff900ff7be84673f6120dbe0290d877b9e07adb53633d5118ed29c5f585d2494a445070c4517e80c740
-
SSDEEP
24576:0xYS04YNEMuExDiU6E5R9s8xY/2l/dWLbB83xIbt+rl:0xA4auS+UjfU2TEb63xIbt+r
Malware Config
Extracted
orcus
10.0.0.121
6aebdc717ef740fcabd44e1b97100532
-
administration_rights_required
false
-
anti_debugger
false
-
anti_tcp_analyzer
false
-
antivm
false
-
autostart_method
1
-
change_creation_date
false
-
force_installer_administrator_privileges
false
-
hide_file
false
-
install
false
-
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
-
installservice
false
-
keylogger_enabled
false
-
newcreationdate
01/19/2025 15:32:55
-
plugins
AgUFl6aNkQPXkQKOmwKLvFcpr24sKCsVRABpAHMAYQBiAGwAZQAgAFcAZQBiAGMAYQBtACAATABpAGcAaAB0AHMABwMxAC4AMABBIGMAOABmADEAMgBlADgAMwA0ADQAZQA5ADQAOABkAGQAOQA2AGUAMAA1AGQANABmAGYAZgAwAGMAMAA4ADQANgABAAAAAgI=
-
reconnect_delay
10000
-
registry_autostart_keyname
Audio HD Driver
-
registry_hidden_autostart
false
-
set_admin_flag
false
-
tasksch_name
Audio HD Driver
-
tasksch_request_highest_privileges
false
-
try_other_autostart_onfail
false
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus family
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1f1a5f729de96c4f5d3f317ba1254ca8b2ccbc4538e0a9664326a57e613eed64.exe"C:\Users\Admin\AppData\Local\Temp\1f1a5f729de96c4f5d3f317ba1254ca8b2ccbc4538e0a9664326a57e613eed64.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
843KB
MD5787b41af9d28bb93bb3b8e574f06a4cf
SHA19fca5a5fcbd4c1e38e9b1fa52a6af916c3267cd7
SHA2561f1a5f729de96c4f5d3f317ba1254ca8b2ccbc4538e0a9664326a57e613eed64
SHA51251663df1670c6da11d262e654fb3cd700b10d1fac2398ff900ff7be84673f6120dbe0290d877b9e07adb53633d5118ed29c5f585d2494a445070c4517e80c740
-
Filesize
312KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
872KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
872KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
6.9MB