Analysis Overview
SHA256
b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345
Threat Level: Known bad
The file b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345 was found to be: Known bad.
Malicious Activity Summary
Orcus family
Orcus
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-22 01:13
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-22 01:13
Reported
2025-01-22 01:15
Platform
win7-20241010-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Orcus
Orcus family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsInput.InstallLog | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe
"C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
Files
memory/2060-0-0x000000007479E000-0x000000007479F000-memory.dmp
memory/2060-1-0x0000000000F70000-0x00000000010A4000-memory.dmp
memory/2060-2-0x00000000003B0000-0x00000000003BA000-memory.dmp
memory/2060-3-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2060-4-0x0000000000960000-0x00000000009AC000-memory.dmp
memory/2060-5-0x00000000006B0000-0x00000000006B8000-memory.dmp
memory/2060-6-0x00000000009F0000-0x00000000009F8000-memory.dmp
memory/2060-7-0x0000000005650000-0x0000000005708000-memory.dmp
memory/2060-8-0x0000000000A40000-0x0000000000A4C000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e854a4636afc652b320e12e50ba4080e |
| SHA1 | 8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc |
| SHA256 | 94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5 |
| SHA512 | 30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118 |
memory/2956-15-0x000007FEF5EDE000-0x000007FEF5EDF000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.InstallLog
| MD5 | e469dda91ae810a1f94c96060f3f8a65 |
| SHA1 | 0b4b3b0f6f937016b1e045ce5313ee2a65a38630 |
| SHA256 | d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842 |
| SHA512 | 2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac |
memory/2956-26-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp
memory/2956-29-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.InstallLog
| MD5 | c2291863df7c2d3038ce3c22fa276506 |
| SHA1 | 7b7d2bc07a6c35523807342c747c9b6a19f3184e |
| SHA256 | 14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da |
| SHA512 | 00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa |
memory/2956-42-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp
memory/2060-46-0x00000000049A0000-0x00000000049EE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | 31ad36a69481db1bf5a276a89b984467 |
| SHA1 | 3c28622264f13eb14e9b61b7ec7d35ed85a851bf |
| SHA256 | b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345 |
| SHA512 | f0e6e4fbb60f657b9d051494ececedfbedcfee9c0b3fde12b4b074c0ddbcebdda8d801336ea29332eddd903b59390715519a8b6f6e003fdeedf1ea85f5832d4d |
memory/2712-53-0x0000000001030000-0x0000000001164000-memory.dmp
memory/2060-54-0x0000000074790000-0x0000000074E7E000-memory.dmp
memory/2712-55-0x0000000000AE0000-0x0000000000AF0000-memory.dmp
\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll
| MD5 | d8aec01ff14e3e7ad43a4b71e30482e4 |
| SHA1 | e3015f56f17d845ec7eef11d41bbbc28cc16d096 |
| SHA256 | da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e |
| SHA512 | f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf |
memory/2712-63-0x0000000060900000-0x0000000060992000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-22 01:13
Reported
2025-01-22 01:15
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
146s
Command Line
Signatures
Orcus
Orcus family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsInput.InstallLog | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 220 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | C:\Windows\SysWOW64\WindowsInput.exe |
| PID 220 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | C:\Windows\SysWOW64\WindowsInput.exe |
| PID 220 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 220 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 220 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe
"C:\Users\Admin\AppData\Local\Temp\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
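The process tree recorded in this run (the submitted sample, PID 220, writes into and launches WindowsInput.exe with `--install` from SysWOW64 and a copy of itself as AudioDriver.exe under the roaming Speech folder) is what a detection engineer would turn into rules. The script below is an added example, not part of the sandbox report or the Orcus tooling: it builds a handful of process-creation records that mirror the report's Processes and WriteProcessMemory tables (plus one benign record as noise, all constructed, not captured telemetry), evaluates three rules derived from the observed chain against them, and walks the parent/child tree from the sample's PID. Field names follow Sysmon Event ID 1 conventions as an assumption; any log source that carries image, command line and parent image can be mapped into `ProcEvent`.

```python
"""Detection logic for the Orcus process chain recorded in the behavioral2 run."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str


# Constructed records mirroring the report (not captured telemetry).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345.exe")
EVENTS = [
    ProcEvent(220, 4000, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2816, 220, r"C:\Windows\SysWOW64\WindowsInput.exe",
              r'"C:\Windows\SysWOW64\WindowsInput.exe" --install', SAMPLE),
    ProcEvent(5000, 220, r"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe",
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"', SAMPLE),
    # benign noise: a system binary started from the shell, should not fire
    ProcEvent(6100, 4000, r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),
]

RULES = {
    # WindowsInput.exe registering itself from a Windows system directory
    "orcus_windowsinput_install": lambda e: (
        e.image.lower().endswith(r"\windowsinput.exe")
        and re.search(r"\\windows\\(system32|syswow64)\\", e.image, re.I) is not None
        and "--install" in e.command_line.lower()),
    # an executable launched from the roaming Speech folder used as the persistence path
    "exe_in_roaming_speech": lambda e: re.search(
        r"\\appdata\\roaming\\microsoft\\speech\\[^\\]+\.exe$", e.image, re.I) is not None,
    # a process running out of the user's Temp directory spawning a child inside C:\Windows
    "temp_parent_spawns_system_binary": lambda e: (
        re.search(r"\\appdata\\local\\temp\\", e.parent_image, re.I) is not None
        and re.search(r"^c:\\windows\\(system32|syswow64)\\", e.image, re.I) is not None),
}


def evaluate(events):
    """Return a sorted list of (rule_name, pid) hits over the given events."""
    hits = []
    for e in events:
        for name, predicate in RULES.items():
            if predicate(e):
                hits.append((name, e.pid))
    return sorted(hits)


def chain_for(events, root_pid):
    """PIDs of every descendant of root_pid, in discovery order (cycle-safe)."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e.ppid, []).append(e.pid)
    seen, stack, out = set(), [root_pid], []
    while stack:
        p = stack.pop()
        for child in by_parent.get(p, []):
            if child not in seen:
                seen.add(child)
                out.append(child)
                stack.append(child)
    return out


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:36s} pid={pid}")
    print("descendants of 220:", chain_for(EVENTS, 220))
```

The third rule is the most generic of the three and the one most worth tuning: legitimate installers also run from Temp and write into System32, so in production it should be scored together with the other two or restricted to unsigned parents.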
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.63.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.231.24.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
| N/A | 127.0.0.1:10134 | N/A | tcp |
Files
memory/220-0-0x000000007462E000-0x000000007462F000-memory.dmp
memory/220-1-0x00000000004B0000-0x00000000005E4000-memory.dmp
memory/220-2-0x0000000004E00000-0x0000000004E0A000-memory.dmp
memory/220-3-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/220-4-0x0000000005470000-0x0000000005A14000-memory.dmp
memory/220-5-0x0000000005320000-0x00000000053B2000-memory.dmp
memory/220-6-0x0000000005280000-0x00000000052CC000-memory.dmp
memory/220-7-0x0000000005A20000-0x0000000005A86000-memory.dmp
memory/220-9-0x0000000005C90000-0x0000000005C98000-memory.dmp
memory/220-8-0x0000000005450000-0x0000000005458000-memory.dmp
memory/220-10-0x0000000005CB0000-0x0000000005D68000-memory.dmp
memory/220-12-0x0000000005D90000-0x0000000005D9C000-memory.dmp
memory/220-11-0x0000000005DB0000-0x0000000005DD2000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e854a4636afc652b320e12e50ba4080e |
| SHA1 | 8a4ac6ecc22ee5f3a8ec846d38b41ff18c641fdc |
| SHA256 | 94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5 |
| SHA512 | 30aabd5079b6ed0948eb70fd18e9166096e4ba5d1d47fc35b7270f931d19bbe6cd929b6010f70297bf5272dc5a79e2523721354d211c4080d68ad8d17e316118 |
memory/2816-24-0x00007FFEE7005000-0x00007FFEE7006000-memory.dmp
memory/2816-25-0x0000000000C50000-0x0000000000C68000-memory.dmp
memory/2816-26-0x000000001AFD0000-0x000000001AFF0000-memory.dmp
memory/2816-27-0x00007FFEE6D50000-0x00007FFEE76F1000-memory.dmp
memory/2816-28-0x00007FFEE6D50000-0x00007FFEE76F1000-memory.dmp
memory/2816-31-0x000000001B2F0000-0x000000001B314000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.InstallLog
| MD5 | e469dda91ae810a1f94c96060f3f8a65 |
| SHA1 | 0b4b3b0f6f937016b1e045ce5313ee2a65a38630 |
| SHA256 | d42fee8db8eb0e047ca53ad59b1c9bc69fe04993be36fec502e3532371908842 |
| SHA512 | 2eb4037361c03e195c642a53f55a3182a6df19903db503060e366f2394750e64ae04fdaace61ef5a6dba649defc88322d78edd2928bc53ebd1ce11d68cc88dac |
memory/2816-40-0x000000001C1C0000-0x000000001C25C000-memory.dmp
memory/2816-39-0x000000001BC50000-0x000000001C11E000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.InstallLog
| MD5 | c2291863df7c2d3038ce3c22fa276506 |
| SHA1 | 7b7d2bc07a6c35523807342c747c9b6a19f3184e |
| SHA256 | 14504199bede3f46129969dbd2b7680f2e5b7fcd73a3e427ce1bb6217a6d13da |
| SHA512 | 00bf40174a67e3e663d18a887c5b461a1e5ead0b27f0a139d87969158c58f4ca72cfa5a731dda239356192ca4cb5ac6ae2b0e37401d534e686cabacd3cbee8fa |
memory/2816-57-0x00007FFEE6D50000-0x00007FFEE76F1000-memory.dmp
memory/220-61-0x0000000006570000-0x00000000065BE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | 31ad36a69481db1bf5a276a89b984467 |
| SHA1 | 3c28622264f13eb14e9b61b7ec7d35ed85a851bf |
| SHA256 | b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345 |
| SHA512 | f0e6e4fbb60f657b9d051494ececedfbedcfee9c0b3fde12b4b074c0ddbcebdda8d801336ea29332eddd903b59390715519a8b6f6e003fdeedf1ea85f5832d4d |
memory/220-74-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/5000-73-0x000000007462E000-0x000000007462F000-memory.dmp
memory/5000-75-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/5000-76-0x00000000069A0000-0x0000000006B62000-memory.dmp
memory/5000-77-0x0000000006790000-0x00000000067A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll
| MD5 | d8aec01ff14e3e7ad43a4b71e30482e4 |
| SHA1 | e3015f56f17d845ec7eef11d41bbbc28cc16d096 |
| SHA256 | da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e |
| SHA512 | f5b2f4bda0cc13e1d1c541fb0caea14081ee4daffd497e31a3d4d55d5f9d85a61158b4891a6527efe623b2f32b697ac912320d9be5c0303812ca98dcc8866fcf |
memory/5000-86-0x0000000007020000-0x000000000702A000-memory.dmp
memory/5000-87-0x000000007462E000-0x000000007462F000-memory.dmp
memory/5000-88-0x0000000060900000-0x0000000060992000-memory.dmp
memory/5000-89-0x0000000074620000-0x0000000074DD0000-memory.dmp
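The Files sections above give the host artifacts worth sweeping for: WindowsInput.exe in SysWOW64, AudioDriver.exe in the roaming Speech folder (its SHA256 is identical to the submitted sample, so it is a straight self-copy), and sqlite3.dll under AppData\Roaming\GamerView. The two WindowsInput.InstallLog entries are recorded with different hashes in the same run because the installer rewrites the log, so they are useful as a path indicator but not as a hash indicator. The script below is an added example, not part of the sandbox report: it carries the report's path/SHA256 pairs, hashes whatever sits at each path, and classifies each as absent, an exact hash match, or a file at the expected path with a different hash (which still deserves a look, since a newer build of the same loader would land at the same path). The `root` parameter is an assumption of this example so the sweep can be pointed at a mounted image or, as in `demo_sweep`, at a temporary directory with constructed stand-in files; the real dropped files are not on this page.

```python
"""Sweep a host or mounted image for the Orcus artifacts listed in the report."""
import hashlib
import tempfile
from pathlib import Path

# Path -> SHA256 exactly as recorded in the sandbox Files sections.
REPORT_IOCS = {
    r"C:\Windows\SysWOW64\WindowsInput.exe":
        "94b9c78c6fa2bf61fba20a08ad4563f7dd2f5668c28eff227965ce0a2032d5d5",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe":
        "b02e067313bfd301eaf819b06f413a2cbc9e90b16bf70c887c7862195800c345",
    r"C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll":
        "da1d608be064555ab3d3d35e6db64527b8c44f3fa5ddd7c3ec723f80fc99736e",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(iocs, root=None):
    """Classify every IOC path as 'absent', 'hash_match' or 'path_only'.

    root (assumption of this example): when given, the Windows path minus its
    drive letter is resolved below root, so an offline image or a test tree
    can be swept instead of the live system drive.
    """
    results = {}
    for win_path, expected in iocs.items():
        p = Path(win_path) if root is None else Path(root, *win_path.split("\\")[1:])
        if not p.is_file():
            results[win_path] = "absent"
        elif sha256_file(p) == expected.lower():
            results[win_path] = "hash_match"
        else:
            # something occupies the persistence path but is not this build
            results[win_path] = "path_only"
    return results


def demo_sweep():
    """Plant constructed stand-in files in a temp tree and sweep it (demo only)."""
    with tempfile.TemporaryDirectory() as tmp:
        # a file at the WindowsInput.exe path with unrelated content -> 'path_only'
        wi = Path(tmp, "Windows", "SysWOW64", "WindowsInput.exe")
        wi.parent.mkdir(parents=True)
        wi.write_bytes(b"constructed stand-in, not the dropped binary")
        # a sqlite3.dll stand-in whose hash we register ourselves -> 'hash_match'
        dll = Path(tmp, "Users", "Admin", "AppData", "Roaming", "GamerView", "sqlite3.dll")
        dll.parent.mkdir(parents=True)
        dll.write_bytes(b"constructed sqlite3.dll stand-in")
        iocs = dict(REPORT_IOCS)
        iocs[r"C:\Users\Admin\AppData\Roaming\GamerView\sqlite3.dll"] = sha256_file(dll)
        # AudioDriver.exe is deliberately not planted -> 'absent'
        return sweep(iocs, root=tmp)


if __name__ == "__main__":
    for path, verdict in demo_sweep().items():
        print(f"{verdict:10s} {path}")
```

Run `sweep(REPORT_IOCS)` with no `root` on a suspect Windows host, or with `root` set to the mount point of an acquired image; a `path_only` verdict on the Speech or GamerView path should be triaged as a possible updated build rather than dismissed.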