Analysis Overview
SHA256
b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd
Threat Level: Known bad
The file b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd was found to be: Known bad.
Malicious Activity Summary
Orcus family
Orcus
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-26 01:05
Signatures
Orcus family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-26 01:05
Reported
2025-01-26 01:07
Platform
win7-20240903-en
Max time kernel
147s
Max time network
123s
Command Line
Signatures
Orcus
Orcus family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1768 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 1768 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 1768 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 1768 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe
"C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
Files
memory/1768-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp
memory/1768-1-0x0000000000E00000-0x0000000000ED8000-memory.dmp
memory/1768-2-0x00000000001F0000-0x00000000001FA000-memory.dmp
memory/1768-3-0x0000000074A80000-0x000000007516E000-memory.dmp
memory/1768-4-0x0000000000D00000-0x0000000000D4C000-memory.dmp
memory/1768-7-0x0000000004420000-0x000000000446E000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | f7f107a2c4c837253f60c06159f25e66 |
| SHA1 | 76726e798bfb1101596b37fa048a2d76b88c20e1 |
| SHA256 | b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd |
| SHA512 | 1ec94604fea2793b527d17a103ebee5e38aef333d9696c4571f2e7075fc8bc8cec24c3f7e227d37798f0d4939cb0aa97d3482dc51ee6fd169044faca8aeb8a67 |
memory/3040-16-0x0000000074A80000-0x000000007516E000-memory.dmp
memory/3040-15-0x0000000000390000-0x0000000000468000-memory.dmp
memory/3040-17-0x0000000074A80000-0x000000007516E000-memory.dmp
memory/1768-14-0x0000000074A80000-0x000000007516E000-memory.dmp
memory/3040-18-0x0000000000600000-0x0000000000610000-memory.dmp
memory/3040-19-0x0000000074A80000-0x000000007516E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-26 01:05
Reported
2025-01-26 01:07
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Orcus
Orcus family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3808 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 3808 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| PID 3808 wrote to memory of 4044 | N/A | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe
"C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| N/A | 127.0.0.1:10134 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 127.0.0.1:10134 | | tcp |
Files
memory/3808-0-0x000000007503E000-0x000000007503F000-memory.dmp
memory/3808-1-0x0000000000440000-0x0000000000518000-memory.dmp
memory/3808-2-0x00000000029B0000-0x00000000029BA000-memory.dmp
memory/3808-3-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/3808-4-0x00000000054E0000-0x0000000005A84000-memory.dmp
memory/3808-5-0x0000000005390000-0x0000000005422000-memory.dmp
memory/3808-6-0x00000000052F0000-0x000000000533C000-memory.dmp
memory/3808-9-0x0000000005430000-0x000000000547E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe
| MD5 | f7f107a2c4c837253f60c06159f25e66 |
| SHA1 | 76726e798bfb1101596b37fa048a2d76b88c20e1 |
| SHA256 | b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd |
| SHA512 | 1ec94604fea2793b527d17a103ebee5e38aef333d9696c4571f2e7075fc8bc8cec24c3f7e227d37798f0d4939cb0aa97d3482dc51ee6fd169044faca8aeb8a67 |
memory/4044-22-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/3808-21-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/4044-23-0x0000000075030000-0x00000000757E0000-memory.dmp
memory/4044-24-0x0000000005AF0000-0x0000000005CB2000-memory.dmp
memory/4044-25-0x0000000005330000-0x0000000005340000-memory.dmp
memory/4044-26-0x0000000005DC0000-0x0000000005DCA000-memory.dmp
memory/4044-27-0x0000000075030000-0x00000000757E0000-memory.dmp
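The two detonations above agree on the actionable indicators: the sample copies itself unchanged (the dropped AudioDriver.exe carries the same MD5/SHA1/SHA256 as the submitted file) into the user's Roaming profile under Microsoft\Speech, the copy acquires SeDebugPrivilege, and the original process writes into the copy's memory. Network-wise the sandbox saw only loopback TCP to 127.0.0.1:10134 and reverse-DNS lookups, so there is no external C2 address to block from this report; the file path and hashes are the indicators worth hunting on, and the path must be generalized because the sandbox user "Admin" will not match real hosts. The following Python, an added example and not part of the sandbox report or its export format, parses rows in the page's own table layout into IOCs, rewrites the user-specific paths to %APPDATA% / %LOCALAPPDATA% patterns, and applies the result to a few constructed Sysmon-style events. The REPORT excerpt and SAMPLE_EVENTS are constructed for the example; the field names (Image, SHA256, DestinationIp, DestinationPort) mirror Sysmon event IDs 1 and 3 but the events themselves are made up.

```python
"""Turn the signature and network tables of a sandbox report into IOCs and
apply them to Sysmon-style events. Added example; not part of the report."""
import re

# Hash of the submitted sample; the dropped AudioDriver.exe has the same hash.
KNOWN_SHA256 = "b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd"
# Drop directory observed in both detonations (user-agnostic fragment).
DROP_DIR = "\\AppData\\Roaming\\Microsoft\\Speech\\"
INJECT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Constructed excerpt of the tables above, in the page's markdown row format.
REPORT = r"""
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
| PID 1768 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\b60cfa1815fa9efe3e68b8e69e6bfb289771b3fd88e8b86f0bdaff7e645c85fd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Microsoft\Speech\AudioDriver.exe | N/A |
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:10134 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
"""


def parse_rows(text):
    """Split markdown table rows into cell lists, skipping header/separator rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] in ("Description", "Country") or set(cells[0]) <= set("-"):
            continue
        rows.append(cells)
    return rows


def extract_iocs(rows):
    """Collect processes, registry keys, privileges, injections and network rows."""
    iocs = {"processes": set(), "registry": set(), "privileges": set(),
            "injections": set(), "network": []}
    for cells in rows:
        if len(cells) != 4:
            continue
        desc, indicator, proc, target = cells
        if re.fullmatch(r"[\d.]+:\d+", indicator):      # network table row
            iocs["network"].append((indicator, target or "unknown"))
            continue
        m = INJECT_RE.match(desc)
        if m:                                           # WriteProcessMemory row
            iocs["injections"].add((int(m.group(1)), int(m.group(2)), proc, target))
        if desc.startswith("Token: "):
            iocs["privileges"].add((desc[len("Token: "):], proc))
        if indicator.startswith("\\REGISTRY\\"):
            iocs["registry"].add(indicator)
        for p in (proc, target):
            if p.lower().endswith(".exe"):
                iocs["processes"].add(p)
    return iocs


def to_hunt_pattern(path):
    """Replace the sandbox user profile so the path IOC matches any user."""
    p = re.sub(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming", "%APPDATA%", path, flags=re.I)
    return re.sub(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local", "%LOCALAPPDATA%", p, flags=re.I)


def triage_event(event, iocs):
    """Return the reasons a Sysmon-style event matches this report's IOCs."""
    reasons = []
    if DROP_DIR.lower() in event.get("Image", "").lower():
        reasons.append("image in Speech drop directory")
    if event.get("SHA256", "").lower() == KNOWN_SHA256:
        reasons.append("known-bad SHA256")
    dest = f"{event.get('DestinationIp')}:{event.get('DestinationPort')}"
    # Loopback-only traffic is weak evidence on its own; report it, do not alert on it alone.
    if any(dest == d for d, _ in iocs["network"] if d.startswith("127.")):
        reasons.append("loopback port seen in sandbox")
    return reasons


# Constructed events (hypothetical host "alice"), shaped like Sysmon EID 1 and 3.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Speech\AudioDriver.exe",
     "SHA256": KNOWN_SHA256.upper()},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Speech\AudioDriver.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 10134},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "SHA256": "00" * 32},
]

if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(REPORT))
    for p in sorted(iocs["processes"]):
        print("hunt:", to_hunt_pattern(p))
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", triage_event(ev, iocs) or "clean")
```

The hash match only catches this exact build; a rebuilt or repacked Orcus payload dropped to the same directory would still trip the path check, which is why the example keeps both. The loopback connection is reported but not scored as a match by itself, since nothing in the sandbox shows what listens on 10134.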