Analysis Overview
SHA256
b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c
Threat Level: Known bad
The file b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcus family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-22 01:07
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-22 01:07
Reported
2025-01-22 01:09
Platform
win7-20240903-en
Max time kernel
138s
Max time network
140s
Command Line
Signatures
Orcus
Orcus family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 768 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 768 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 768 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 768 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe
"C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 35.202.161.174:8080 | | tcp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 35.202.161.174:8080 | | tcp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 35.202.161.174:8080 | | tcp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 35.202.161.174:8080 | | tcp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 35.202.161.174:8080 | | tcp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 35.202.161.174:8080 | | tcp |
Files
memory/768-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp
memory/768-1-0x0000000000C10000-0x0000000000CE8000-memory.dmp
memory/768-2-0x0000000000380000-0x000000000038A000-memory.dmp
memory/768-3-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/768-4-0x00000000004F0000-0x000000000053C000-memory.dmp
memory/768-7-0x0000000004DF0000-0x0000000004E3E000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | b2648c3b0be804c000a64bddd0c4270e |
| SHA1 | 4f40acb4c874299c8c9159750f2b707aa6cc40e8 |
| SHA256 | b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c |
| SHA512 | 3b4f7f801645e367e2b27251c79950cee60a410ddb7affd5f3519dfa53f57996246b16368dcb487e8ce8bf35362cc9a92699116f38e75da4c5bfbeb0662f2c9b |
memory/2860-14-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2860-16-0x0000000000940000-0x0000000000A18000-memory.dmp
memory/2860-17-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/768-15-0x0000000074C10000-0x00000000752FE000-memory.dmp
memory/2860-18-0x0000000000440000-0x0000000000450000-memory.dmp
memory/2860-19-0x0000000074C10000-0x00000000752FE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-22 01:07
Reported
2025-01-22 01:09
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Orcus
Orcus family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4824 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4824 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 4824 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe
"C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 35.202.161.174:8080 | | tcp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 35.202.161.174:8080 | | tcp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 8.8.8.8:53 | 105.164.16.2.in-addr.arpa | udp |
| US | 35.202.161.174:8080 | | tcp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 35.202.161.174:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 35.202.161.174:8080 | | tcp |
| N/A | 10.128.0.3:8080 | | tcp |
| US | 35.202.161.174:8080 | | tcp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
memory/4824-0-0x0000000074DAE000-0x0000000074DAF000-memory.dmp
memory/4824-1-0x00000000005D0000-0x00000000006A8000-memory.dmp
memory/4824-2-0x00000000011A0000-0x00000000011AA000-memory.dmp
memory/4824-3-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/4824-4-0x0000000005720000-0x0000000005CC4000-memory.dmp
memory/4824-5-0x0000000005510000-0x00000000055A2000-memory.dmp
memory/4824-6-0x0000000005480000-0x00000000054CC000-memory.dmp
memory/4824-7-0x0000000005620000-0x0000000005686000-memory.dmp
memory/4824-10-0x0000000005FD0000-0x000000000601E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | b2648c3b0be804c000a64bddd0c4270e |
| SHA1 | 4f40acb4c874299c8c9159750f2b707aa6cc40e8 |
| SHA256 | b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c |
| SHA512 | 3b4f7f801645e367e2b27251c79950cee60a410ddb7affd5f3519dfa53f57996246b16368dcb487e8ce8bf35362cc9a92699116f38e75da4c5bfbeb0662f2c9b |
memory/2848-22-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/2848-23-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/2848-24-0x00000000065A0000-0x0000000006762000-memory.dmp
memory/2848-25-0x0000000006520000-0x0000000006530000-memory.dmp
memory/2848-26-0x0000000006570000-0x000000000657A000-memory.dmp
memory/4824-27-0x0000000074DA0000-0x0000000075550000-memory.dmp
memory/2848-28-0x0000000074DA0000-0x0000000075550000-memory.dmp
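Added example (this editor's code, not part of the sandbox report or of the Orcus project): a small IOC matcher that turns the indicators shared by both detonations into hunting rules. The hashes, the drop path under AppData\Roaming\Microsoft\Speech, the 35.202.161.174:8080 endpoint and the parent-to-child WriteProcessMemory relationship are taken from the report; the event record shape (loosely modelled on Sysmon fields), the decision to treat 10.128.0.3 as sandbox-internal rather than as an indicator, the beacon threshold of three connects, and the sample events that replay behavioral1 are the editor's assumptions and are labelled as such in the code.

```python
"""IOC matcher built from the sandbox report above (added example)."""
import hashlib
from collections import Counter
from dataclasses import dataclass

# Indicators copied from the report (identical in both detonations).
SAMPLE_HASHES = {
    "md5": "b2648c3b0be804c000a64bddd0c4270e",
    "sha1": "4f40acb4c874299c8c9159750f2b707aa6cc40e8",
    "sha256": "b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c",
}
# Where the sample copies itself; matched as a case-insensitive suffix because
# the user name in front of it varies between hosts.
DROP_SUFFIX = r"\appdata\roaming\microsoft\speech\audiodriver.exe"
# TCP endpoint both detonations contacted repeatedly. 10.128.0.3 is a private
# address and is treated here as sandbox-internal (editor's assumption).
C2_ENDPOINTS = {("35.202.161.174", 8080)}
BEACON_THRESHOLD = 3  # editor's choice, not a value from the report


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def hash_bytes(data: bytes) -> dict:
    """md5/sha1/sha256 of a byte string, keyed like SAMPLE_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Hash a file on disk, e.g. a recovered AudioDriver.exe."""
    with open(path, "rb") as f:
        return hash_bytes(f.read())


def is_known_sample(hashes: dict) -> bool:
    """True when any supplied digest equals the report's value for that algorithm."""
    return any(hashes.get(k, "").lower() == v for k, v in SAMPLE_HASHES.items())


def _in_drop_dir(image: str) -> bool:
    return image.lower().endswith(DROP_SUFFIX)


def match_events(events: list) -> list:
    """Run the report-derived rules over telemetry events (editor's event shape):
    file_create: image, target, sha256 | process_create: image, parent_image |
    process_access: source_image, target_image | network_connect: image, dst_ip, dst_port
    """
    findings, connects = [], Counter()
    for e in events:
        kind = e.get("type")
        if kind == "file_create" and _in_drop_dir(e.get("target", "")):
            if e.get("sha256", "").lower() == SAMPLE_HASHES["sha256"]:
                # The report lists the sample's own hashes for the dropped file:
                # it is a self-copy for persistence, not a second stage.
                findings.append(Finding("self_copy_to_speech_dir",
                                        f"{e['image']} copied itself to {e['target']}"))
            else:
                findings.append(Finding("write_to_speech_dir",
                                        f"{e['image']} wrote {e['target']}"))
        elif kind == "process_create" and _in_drop_dir(e.get("image", "")):
            findings.append(Finding("exec_from_speech_dir",
                                    f"{e['image']} started by {e.get('parent_image')}"))
        elif (kind == "process_access" and _in_drop_dir(e.get("target_image", ""))
              and e.get("source_image", "").lower() != e.get("target_image", "").lower()):
            # Mirrors the WriteProcessMemory rows: the dropper writes into the
            # freshly started copy rather than into itself.
            findings.append(Finding("parent_writes_dropped_child",
                                    f"{e['source_image']} -> {e['target_image']}"))
        elif kind == "network_connect":
            key = (e.get("dst_ip"), int(e.get("dst_port", 0)))
            if key in C2_ENDPOINTS:
                connects[key] += 1
    for (ip, port), n in connects.items():
        findings.append(Finding("c2_connect", f"{n} connection(s) to {ip}:{port}"))
        if n >= BEACON_THRESHOLD:
            findings.append(Finding("c2_beaconing",
                                    f"repeated connects to {ip}:{port} look like a check-in loop"))
    return findings


# Constructed events replaying behavioral1 (PID 768 -> 2860), plus one benign
# DNS lookup by explorer.exe that must not match. Attributing the connects to
# the dropped copy is an assumption; the report does not name the process.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b0df124ba2d378320fc76b7a94d7846ea6f74491b435bc6b5bf8cf0b7589731c.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": SAMPLE, "target": DROPPED, "sha256": SAMPLE_HASHES["sha256"]},
    {"type": "process_create", "image": DROPPED, "parent_image": SAMPLE},
    {"type": "process_access", "source_image": SAMPLE, "target_image": DROPPED},
    {"type": "network_connect", "image": r"C:\Windows\explorer.exe", "dst_ip": "8.8.8.8", "dst_port": 53},
] + [{"type": "network_connect", "image": DROPPED, "dst_ip": "35.202.161.174", "dst_port": 8080}] * 6


def demo() -> list:
    return match_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.rule}] {f.detail}")
```

Run as a script it prints the five findings for the replayed behavioral1 run; `hash_file` plus `is_known_sample` cover the on-disk check for a recovered AudioDriver.exe, and because the persisted copy is byte-identical to the sample one hash entry blocks both. The NLS\Language registry reads behind the "System Language Discovery" signature are deliberately not a rule: ordinary software opens that key, so it corroborates a hit but does not make one.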