Overview

overview

9

Static

static

1

Trojan-Ran...ra.exe

windows7-x64

9

Trojan-Ran...ra.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    184s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06-11-2022 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan-Ransom.Win32.Aura.exe

  • Size

    146KB

  • MD5

    3d78c641051fbdbb8bc5824d9aa8e000

  • SHA1

    5111128541687de386e426e8767b25e05fc2c4fa

  • SHA256

    0b0493f79ccafb9affef92f4224fb0a3dc280b3216c9ca7e95be4df68471fe62

  • SHA512

    646a11530a4b2dded02adbce85bc983ab4393439d492c280fb7d7f3b02d98435d8b556f93f78a933c82727c6b9659dfe7100aee58d21f9d1d0f34e5926480da3

  • SSDEEP

    3072:5wJ52Y7ZoH5XJatWmnqEDwyjgTXhzKdQbBgvJ9n791C5sY:5wHysscE5ThXbB27h1qsY

Score
9/10
evasion

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Aura.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Aura.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Aura.exe
      "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Aura.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nse981D.tmp\tracheitis.dll
    Filesize

    56KB

    MD5

    68cc96d103292595ba0da7f932536dca

    SHA1

    a7328e604c0018e449f022318e1ee24f639f8bcd

    SHA256

    9cdb58cd1516f1a7aab5e912491c74f1c2730af1944e7e3868d249cc47c6198e

    SHA512

    3108d42f2ee65ff32055c5c43be5bcac85cd15161cf58509a38180e5e5f9adbe0c8d64b09b57c3913d229e279916ed7ecc2200dd7983c8e692069738a124c62b

    Download Submit

  • memory/612-56-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/612-57-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/612-59-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/612-61-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/612-63-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/612-64-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/612-65-0x000000000040F3C4-mapping.dmp

    Download

  • memory/612-67-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/612-68-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1756-54-0x0000000076171000-0x0000000076173000-memory.dmp

    Filesize

    8KB

    Download