General
-
Target
0321be602a40fb4526ed4c494716043895e02f8bb2c84dae5b62429e4ecec754
-
Size
839KB
-
Sample
250127-bf48aatnhl
-
MD5
f8fbd7b9f090423f8851529e647a64ef
-
SHA1
177dc6e93a4808fa1fb7e1dcd9235ce4559dbc8b
-
SHA256
0321be602a40fb4526ed4c494716043895e02f8bb2c84dae5b62429e4ecec754
-
SHA512
f6b173d1952bf663188c80b8c7c05b4e854d708aa561a4e490cb33840295105c3871121196bec5ad66fdc421d6f4c77e3aaf55e33dda3136dacfac00d0239db9
-
SSDEEP
24576:wFS04YNEMuExDiU6E5R9s8xY/2l/drtnIbt+r5:w34auS+UjfU2TrdIbt+r
Behavioral task
behavioral1
Sample
0321be602a40fb4526ed4c494716043895e02f8bb2c84dae5b62429e4ecec754.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
0321be602a40fb4526ed4c494716043895e02f8bb2c84dae5b62429e4ecec754.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
orcus
192.168.2.7
131f2624515a483697ab2414836891bb
-
administration_rights_required
false
-
anti_debugger
false
-
anti_tcp_analyzer
false
-
antivm
false
-
autostart_method
1
-
change_creation_date
false
-
force_installer_administrator_privileges
false
-
hide_file
false
-
install
false
-
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
-
installservice
false
-
keylogger_enabled
false
-
newcreationdate
01/25/2025 18:29:37
-
plugins
AgEAAA==
-
reconnect_delay
10000
-
registry_autostart_keyname
Audio HD Driver
-
registry_hidden_autostart
false
-
set_admin_flag
false
-
tasksch_name
Audio HD Driver
-
tasksch_request_highest_privileges
false
-
try_other_autostart_onfail
false
Targets
-
-
Target
0321be602a40fb4526ed4c494716043895e02f8bb2c84dae5b62429e4ecec754
-
Size
839KB
-
MD5
f8fbd7b9f090423f8851529e647a64ef
-
SHA1
177dc6e93a4808fa1fb7e1dcd9235ce4559dbc8b
-
SHA256
0321be602a40fb4526ed4c494716043895e02f8bb2c84dae5b62429e4ecec754
-
SHA512
f6b173d1952bf663188c80b8c7c05b4e854d708aa561a4e490cb33840295105c3871121196bec5ad66fdc421d6f4c77e3aaf55e33dda3136dacfac00d0239db9
-
SSDEEP
24576:wFS04YNEMuExDiU6E5R9s8xY/2l/drtnIbt+r5:w34auS+UjfU2TrdIbt+r
-
Orcus family
-
Checks computer location settings
Looks up the country code configured in the registry, likely used for geofencing.
-
Executes dropped EXE
-
Loads dropped DLL
-
Drops desktop.ini file(s)
-