Analysis
- max time kernel: 144s
- max time network: 180s
- platform: windows10-1703_x64
- resource: win10-20220901-en
- resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 21/01/2023, 22:18

Static task: static1
Behavioral task: behavioral1
- Sample: ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
- Resource: win7-20221111-en
- 3 signatures
- 300 seconds
General
- Target: ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
- Size: 268KB
- MD5: 50a3cdeb5ecd78be788dd9232db6fa79
- SHA1: baef08dfe4b9ec5abc00aefa81d3656952e07b37
- SHA256: ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc
- SHA512: 255bb8133a62a9bc49fea8933217639fb3191648c5403cb4972865ecc53cccda4f1a3f90278a9e08d78e7cc3376047472cfae364184b8ef8b9d420f10a7aaf3d
- SSDEEP: 3072:gpE5D8eEcnqm7h+UpV4Uqdd84sIDSQKyYyPuev/9LmAx7wAoBtgsWrYkgx1IPP:twcnqpU0dduIDAyPug/9LmAx7wRH1IPP
Malware Config
Extracted
- Family: aurora
- C2: 45.15.156.242:8081
Signatures

Blocklisted process makes network request (1 IoC)
flow | pid  | Process
6    | 2876 | powershell.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (20 IoCs)
pid  | Process
2876 | powershell.exe (all 20 entries are identical)

Suspicious use of SetThreadContext (1 IoC)
description                            | pid  | Process        | procid_target
PID 2876 set thread context of 2348    | 2876 | powershell.exe | 69
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  | Process
2876 | powershell.exe (all 64 entries are identical)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                           | pid  | Process
Token: SeDebugPrivilege               | 2876 | powershell.exe
Token: SeIncreaseQuotaPrivilege       | 2688 | wmic.exe
Token: SeSecurityPrivilege            | 2688 | wmic.exe
Token: SeTakeOwnershipPrivilege       | 2688 | wmic.exe
Token: SeLoadDriverPrivilege          | 2688 | wmic.exe
Token: SeSystemProfilePrivilege       | 2688 | wmic.exe
Token: SeSystemtimePrivilege          | 2688 | wmic.exe
Token: SeProfSingleProcessPrivilege   | 2688 | wmic.exe
Token: SeIncBasePriorityPrivilege     | 2688 | wmic.exe
Token: SeCreatePagefilePrivilege      | 2688 | wmic.exe
Token: SeBackupPrivilege              | 2688 | wmic.exe
Token: SeRestorePrivilege             | 2688 | wmic.exe
Token: SeShutdownPrivilege            | 2688 | wmic.exe
Token: SeDebugPrivilege               | 2688 | wmic.exe
Token: SeSystemEnvironmentPrivilege   | 2688 | wmic.exe
Token: SeRemoteShutdownPrivilege      | 2688 | wmic.exe
Token: SeUndockPrivilege              | 2688 | wmic.exe
Token: SeManageVolumePrivilege        | 2688 | wmic.exe
Token: 33                             | 2688 | wmic.exe
Token: 34                             | 2688 | wmic.exe
Token: 35                             | 2688 | wmic.exe
Token: 36                             | 2688 | wmic.exe
The same block of 21 token entries is recorded a second time for pid 2688 (wmic.exe) and once for pid 4844 (WMIC.exe), giving 1 + 21 + 21 + 21 = 64 entries in total.
Suspicious use of WriteProcessMemory (29 IoCs)
description                        | pid  | Process                                                                   | procid_target | entries
PID 4944 wrote to memory of 2876   | 4944 | ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe | 68            | 3
PID 2876 wrote to memory of 2348   | 2876 | powershell.exe                                                            | 69            | 11
PID 2348 wrote to memory of 2688   | 2348 | aspnet_compiler.exe                                                       | 70            | 3
PID 2348 wrote to memory of 2740   | 2348 | aspnet_compiler.exe                                                       | 73            | 3
PID 2740 wrote to memory of 4844   | 2740 | cmd.exe                                                                   | 75            | 3
PID 2348 wrote to memory of 1736   | 2348 | aspnet_compiler.exe                                                       | 76            | 3
PID 1736 wrote to memory of 4768   | 1736 | cmd.exe                                                                   | 78            | 3
Processes
- C:\Users\Admin\AppData\Local\Temp\ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe"
  PID: 4944
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
    PID: 2876
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      command line: C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
      PID: 2348
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        command line: wmic os get Caption
        PID: 2688
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C "wmic path win32_VideoController get name"
        PID: 2740
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\Wbem\WMIC.exe
          command line: wmic path win32_VideoController get name
          PID: 4844
          - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe
        command line: cmd /C "wmic cpu get name"
        PID: 1736
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\Wbem\WMIC.exe
          command line: wmic cpu get name
          PID: 4768