Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
172s -
max time network
188s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15/12/2022, 17:16
General
-
Target
VirtualBox-7.0.2-154219-Win/VirtualBox-7.0.2-154219-Win.exe
-
Size
677.9MB
-
MD5
670e50d1d17dce3d446919680dd657f0
-
SHA1
fdbba6ab2df85337f8fefec7da04323ba6e42107
-
SHA256
7f43dee28fdf815aca5367694540bcd514c2ad9c1a4c4bc645286403fffb4123
-
SHA512
ed31879ce1867b31b9f0868ff797ec92dfb5284381bada666636ff07eb9b4221f60a9fb549984d0b3272e619674031431c7498451ded735ad98de4db5a53e2ba
-
SSDEEP
3072:eahKyd2n31yS5LvfiP1yaX3KmC5wBCgBCwfjL1c1pcSsP1XBRWf9z:eahOcnHn9BF//1cUJU
Malware Config
Extracted
aurora
79.137.206.138:8081
Signatures
-
Aurora
Aurora is a crypto wallet stealer written in Golang.
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.2-154219-Win\VirtualBox-7.0.2-154219-Win.exe"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.2-154219-Win\VirtualBox-7.0.2-154219-Win.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic path win32_VideoController get name"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C "wmic cpu get name"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic cpu get name5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56195a91754effb4df74dbc72cdf4f7a6
SHA1aba262f5726c6d77659fe0d3195e36a85046b427
SHA2563254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89
-
Filesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
Filesize
16KB
MD54bb93f9fe7158d24597b3a06abbe2994
SHA15f2cb8edd8f2714059f13d24b7bf84c45d1681aa
SHA256427f3eb6d3c11be4c6d4fe96196c972488d53cc84753580223132f8e7ef09d00
SHA512163fb53001b3677fc57f8877eb241cab73e09cb17c6964fa1560639f7f98cfb6d3e78ae7233f892ba443325678b3e2242179ae1d168ce0e7504f91d9f94ca129
-
Filesize
362.6MB
MD5b57fd565047f69ed9031fe35607bc4de
SHA1a34dcacc6f1915d500d8643a5e9e9b23f6c2eec1
SHA256e7297f5162728d2282bd88f80583bd88d3075f0fbabd7568014a40e856aaa81a
SHA512d9917bf7b8b396324cd0f77335b2fc8b5022376d646c06846e0a6c9f0908e5d4030443188913d6a9e0b1f6f763d8c9330c74d33edb55ee59690a2b5eabb64cd4
-
Filesize
362.6MB
MD5b57fd565047f69ed9031fe35607bc4de
SHA1a34dcacc6f1915d500d8643a5e9e9b23f6c2eec1
SHA256e7297f5162728d2282bd88f80583bd88d3075f0fbabd7568014a40e856aaa81a
SHA512d9917bf7b8b396324cd0f77335b2fc8b5022376d646c06846e0a6c9f0908e5d4030443188913d6a9e0b1f6f763d8c9330c74d33edb55ee59690a2b5eabb64cd4
-
Filesize
362.6MB
MD5b57fd565047f69ed9031fe35607bc4de
SHA1a34dcacc6f1915d500d8643a5e9e9b23f6c2eec1
SHA256e7297f5162728d2282bd88f80583bd88d3075f0fbabd7568014a40e856aaa81a
SHA512d9917bf7b8b396324cd0f77335b2fc8b5022376d646c06846e0a6c9f0908e5d4030443188913d6a9e0b1f6f763d8c9330c74d33edb55ee59690a2b5eabb64cd4
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
136KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
256KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
56KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
200KB