Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
31-12-2022 20:21
General
-
Target
cf70b739c8248dd6c8a69bd9fdc1610b2a590a6cf03fa2cd1e80901f7892da0d.exe
-
Size
255KB
-
MD5
bf7a1064534e4a982fd046500aeac179
-
SHA1
dac39c83c573a5ab56bfcd996f59a2e5c41e2588
-
SHA256
cf70b739c8248dd6c8a69bd9fdc1610b2a590a6cf03fa2cd1e80901f7892da0d
-
SHA512
dd80625d646c1d22121019e8a9d676c53b48883dba7e31b88df51ceb4142b9fe89dcdce2db4aecf64ba61e6f6493e6d16b813473904832343011569fcde45b8e
-
SSDEEP
3072:o5aX4uYV1LUkJaSKmRC67c0yKLTuZjD/8pX5EkcEUIymqfh8mJH27hZY:F4JLUzSK967Ny8CZjDS5Ek8CKmmkZY
Malware Config
Extracted
aurora
45.15.156.97:8081
Signatures
-
Aurora
Aurora is a crypto wallet stealer written in Golang.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf70b739c8248dd6c8a69bd9fdc1610b2a590a6cf03fa2cd1e80901f7892da0d.exe"C:\Users\Admin\AppData\Local\Temp\cf70b739c8248dd6c8a69bd9fdc1610b2a590a6cf03fa2cd1e80901f7892da0d.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D46C.exeC:\Users\Admin\AppData\Local\Temp\D46C.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\D71C.exeC:\Users\Admin\AppData\Local\Temp\D71C.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\D9FB.exeC:\Users\Admin\AppData\Local\Temp\D9FB.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\DECF.exeC:\Users\Admin\AppData\Local\Temp\DECF.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 8682⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\E44E.exeC:\Users\Admin\AppData\Local\Temp\E44E.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exewmic os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name3⤵
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2072 -ip 20721⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
4KB
MD59748489855d9dd82ab09da5e3e55b19e
SHA16ed2bf6a1a53a59cd2137812cb43b5032817f6a1
SHA25605bdd09d934144589f7b90ac4ef6e8d7743c35f551219d98bc7fc933f98a157b
SHA5127eebbc3e42aad1af304ba38ca0c74e5f2293a630d98d4cfd48957f5f288bcb52cf323421c2b166e3b459450d5ef024167f8729b7b4b66651a34c3c3d4581a2be
-
Filesize
391KB
MD532ff11fcbf02b62dcad355079d5e16bc
SHA19aba77828bad17c19be8241272ff245878baef72
SHA2568a96b82fcd6dd526678e4cec01dae6ee403a033594822ab487ced1b571094be2
SHA5124f2766aed94ca825c585f7c89bf332ed46ccf1aff4b4923fd32464f321dd9ffc7c2b34bc95154378e238d9988811a8d869f2c30e0b74cd3bd97229be0223724d
-
Filesize
391KB
MD532ff11fcbf02b62dcad355079d5e16bc
SHA19aba77828bad17c19be8241272ff245878baef72
SHA2568a96b82fcd6dd526678e4cec01dae6ee403a033594822ab487ced1b571094be2
SHA5124f2766aed94ca825c585f7c89bf332ed46ccf1aff4b4923fd32464f321dd9ffc7c2b34bc95154378e238d9988811a8d869f2c30e0b74cd3bd97229be0223724d
-
Filesize
960KB
MD5fb2021ecab72d6199c4125078070e0b9
SHA126f496166498db29ef8981057b6cc82a5677e4cc
SHA25619ff750819058dbeb6888e6ad508f181c9e7aa97bd0f40b7f9784f464dd8722c
SHA512a49637cb25d394a119b3dc7ffa77211f6f3cce3d1b304edcbfac2b8c676854d61f632bc805e4b36cfddf30f4a77398511672917169f5e7ee44c35c67803ddf48
-
Filesize
960KB
MD5fb2021ecab72d6199c4125078070e0b9
SHA126f496166498db29ef8981057b6cc82a5677e4cc
SHA25619ff750819058dbeb6888e6ad508f181c9e7aa97bd0f40b7f9784f464dd8722c
SHA512a49637cb25d394a119b3dc7ffa77211f6f3cce3d1b304edcbfac2b8c676854d61f632bc805e4b36cfddf30f4a77398511672917169f5e7ee44c35c67803ddf48
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
512KB
-
Filesize
116KB
-
Filesize
512KB
-
Filesize
160KB
-
Filesize
16.0MB
-
Filesize
160KB
-
Filesize
208KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
10.8MB
-
Filesize
36KB
-
Filesize
372KB
-
Filesize
64KB
-
Filesize
372KB
-
Filesize
10.8MB