Analysis
  max time kernel:   68s
  max time network:  175s
  platform:          windows10-1703_x64
  resource:          win10-20220901-en
  resource tags:     arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
  submitted:         20/01/2023, 22:17

Static task:      static1
Behavioral task:  behavioral1
  Sample:    ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
  Resource:  win7-20221111-en
  3 signatures, 300 seconds
General
  Target:  ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
  Size:    268KB
  MD5:     50a3cdeb5ecd78be788dd9232db6fa79
  SHA1:    baef08dfe4b9ec5abc00aefa81d3656952e07b37
  SHA256:  ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc
  SHA512:  255bb8133a62a9bc49fea8933217639fb3191648c5403cb4972865ecc53cccda4f1a3f90278a9e08d78e7cc3376047472cfae364184b8ef8b9d420f10a7aaf3d
  SSDEEP:  3072:gpE5D8eEcnqm7h+UpV4Uqdd84sIDSQKyYyPuev/9LmAx7wAoBtgsWrYkgx1IPP:twcnqpU0dduIDAyPug/9LmAx7wRH1IPP
Malware Config
  Extracted
    Family:  aurora
    C2:      45.15.156.242:8081
Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  6     4176  powershell.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
  pid   Process
  4176  powershell.exe   (21 occurrences)

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 4176 set thread context of 3164  4176  powershell.exe  69

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4176  powershell.exe   (64 occurrences)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process         Tokens
  4176  powershell.exe  SeDebugPrivilege
  824   wmic.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36   (this set of 21 tokens is recorded twice)
  2772  WMIC.exe        the same 21 tokens, recorded once
  Note: WMIC enables its whole privilege set when it starts, so the 63 entries for 824 and 2772 are WMIC's own behavior, not something the sample did beyond launching it. The sample's contribution here is SeDebugPrivilege in powershell.exe 4176, the process that goes on to write into and set the thread context of 3164.

Suspicious use of WriteProcessMemory (29 IoCs)
  pid   Process                                                               wrote to  procid_target  count
  328   ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe  4176      67             3
  4176  powershell.exe                                                        3164      69             11
  3164  aspnet_compiler.exe                                                   824       70             3
  3164  aspnet_compiler.exe                                                   2360      73             3
  2360  cmd.exe                                                               2772      75             3
  3164  aspnet_compiler.exe                                                   2320      76             3
  2320  cmd.exe                                                               3080      78             3
  Note: three writes from a parent into the child it has just created is what the sandbox records for an ordinary process launch; every spawn in this tree shows it. The eleven writes from powershell.exe 4176 into aspnet_compiler.exe 3164, paired with the SetThreadContext hit on the same pair, are the injection: the 32-bit PowerShell starts the 32-bit .NET utility with no arguments, overwrites its memory and redirects its thread, after which 3164 runs the WMI queries.
Processes

ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe (PID 328)
  Image:        C:\Users\Admin\AppData\Local\Temp\ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe"
  Signatures:   Suspicious use of WriteProcessMemory

  powershell.exe (PID 4176)
    Image:        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
    Signatures:   Blocklisted process makes network request; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    aspnet_compiler.exe (PID 3164)
      Image:        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      Command line: C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
      Signatures:   Suspicious use of WriteProcessMemory

      wmic.exe (PID 824)
        Image:        C:\Windows\SysWOW64\Wbem\wmic.exe
        Command line: wmic os get Caption
        Signatures:   Suspicious use of AdjustPrivilegeToken

      cmd.exe (PID 2360)
        Image:        C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /C "wmic path win32_VideoController get name"
        Signatures:   Suspicious use of WriteProcessMemory

        WMIC.exe (PID 2772)
          Image:        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic path win32_VideoController get name
          Signatures:   Suspicious use of AdjustPrivilegeToken

      cmd.exe (PID 2320)
        Image:        C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /C "wmic cpu get name"
        Signatures:   Suspicious use of WriteProcessMemory

        WMIC.exe (PID 3080)
          Image:        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic cpu get name
          Signatures:   none
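The process tree above gives a detection team three things to key on: aspnet_compiler.exe started by powershell.exe with nothing but its own path on the command line, drive-letter paths written with forward slashes in the command lines of 4176 and 3164 while the recorded image paths use backslashes, and the three WMI fingerprinting queries (os Caption, win32_VideoController name, cpu name) running under that hollowed host, directly or through a cmd /C wrapper. The following is an added example of turning those observations into process-creation detection logic; it is not part of this report, the Aurora sample, or the sandbox's tooling. The event records are constructed from the report's tree (PIDs, parent PIDs, image paths and command lines are the report's own), the record shape is loosely modelled on a Sysmon process-creation event, and the HOLLOW_TARGETS list, the benign control record (pid 5000) and the rule names are assumptions of this example.

```python
import ntpath

# Constructed events: one record per process in the report's tree, plus one
# benign control (pid 5000, not in the report) that runs aspnet_compiler normally.
EVENTS = [
    {"pid": 328, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe"'},
    {"pid": 4176, "ppid": 328,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": '"C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"'},
    {"pid": 3164, "ppid": 4176,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": r"C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe"},
    {"pid": 824, "ppid": 3164, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmd": "wmic os get Caption"},
    {"pid": 2360, "ppid": 3164, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": 'cmd /C "wmic path win32_VideoController get name"'},
    {"pid": 2772, "ppid": 2360, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": "wmic path win32_VideoController get name"},
    {"pid": 2320, "ppid": 3164, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": 'cmd /C "wmic cpu get name"'},
    {"pid": 3080, "ppid": 2320, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmd": "wmic cpu get name"},
    # Benign control (constructed): a developer precompiling a site with real arguments.
    {"pid": 5000, "ppid": 4999,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": r"aspnet_compiler.exe -v / -p C:\src\site C:\out"},
]

# Assumed list of signed .NET framework utilities that make convenient hollowing hosts.
HOLLOW_TARGETS = {"aspnet_compiler.exe", "aspnet_regiis.exe", "csc.exe", "vbc.exe"}

# The three WMI fingerprinting queries the report records, normalised for comparison.
RECON_QUERIES = {
    "wmic os get caption",
    "wmic path win32_videocontroller get name",
    "wmic cpu get name",
}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def norm(cmd):
    """Collapse whitespace and case so spacing and casing variants compare equal."""
    return " ".join(cmd.split()).lower()


def ancestors(events, pid):
    """Yield the parent chain of pid, nearest parent first, from the events we hold."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]


def detect(events):
    """Return (rule, pid, detail) hits for the injection-and-recon chain."""
    hits = []
    for e in events:
        img = image_name(e["image"])
        chain = list(ancestors(events, e["pid"]))
        parent_img = image_name(chain[0]["image"]) if chain else ""
        tokens = e["cmd"].split()
        first = tokens[0].strip('"') if tokens else ""

        # Rule 1: a hollowing host started by powershell.exe with only its own path
        # as the command line. A genuine aspnet_compiler run carries arguments.
        if (img in HOLLOW_TARGETS and parent_img == "powershell.exe"
                and len(tokens) == 1
                and first.replace("/", "\\").lower().endswith(img)):
            hits.append(("hollow_host_no_args", e["pid"], f"{parent_img} -> {img}"))

        # Rule 2: a drive-letter path spelled with forward slashes. Windows accepts it,
        # but shells and the loader produce backslashes, so it points at a hand-built string.
        if ":" in first and "/" in first:
            hits.append(("forward_slash_image_path", e["pid"], first))

        # Rule 3: a fingerprinting query with a hollowing host anywhere in its ancestry,
        # which also catches the cmd /C wrapper the report shows.
        if (img == "wmic.exe" and norm(e["cmd"]) in RECON_QUERIES
                and any(image_name(a["image"]) in HOLLOW_TARGETS for a in chain)):
            path = " <- ".join(image_name(a["image"]) for a in chain)
            hits.append(("wmi_recon_under_hollow_host", e["pid"], f"{norm(e['cmd'])} ({path})"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run against the constructed events, the rules fire on 3164 (no-argument host under powershell.exe), on 4176 and 3164 (forward-slash paths), and on 824, 2772 and 3080 (the three WMI queries), while the benign control 5000 stays silent because its parent is not powershell.exe and its command line carries arguments. Rule 3 walks the full ancestry rather than checking the direct parent, which is what keeps the two cmd /C-wrapped WMIC launches in scope.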