Analysis
max time kernel: 64s
max time network: 182s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 21/01/2023, 04:47
Static task: static1
Behavioral task: behavioral1
Sample: ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
Resource: win7-20220812-en
3 signatures
300 seconds
General
Target: ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
Size: 268KB
MD5: 50a3cdeb5ecd78be788dd9232db6fa79
SHA1: baef08dfe4b9ec5abc00aefa81d3656952e07b37
SHA256: ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc
SHA512: 255bb8133a62a9bc49fea8933217639fb3191648c5403cb4972865ecc53cccda4f1a3f90278a9e08d78e7cc3376047472cfae364184b8ef8b9d420f10a7aaf3d
SSDEEP: 3072:gpE5D8eEcnqm7h+UpV4Uqdd84sIDSQKyYyPuev/9LmAx7wAoBtgsWrYkgx1IPP:twcnqpU0dduIDAyPug/9LmAx7wRH1IPP
Malware Config
Extracted
Family: aurora
C2: 45.15.156.242:8081
Signatures

Blocklisted process makes network request (1 IoC)
flow  pid   Process
6     1592  powershell.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
pid   Process
1592  powershell.exe  (21 identical entries)

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process         procid_target
PID 1592 set thread context of 4424  1592  powershell.exe  70

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
1592  powershell.exe  (64 identical entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1592  powershell.exe
pid 588, wmic.exe, each of the following tokens recorded twice (42 entries):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 2496, WMIC.exe, each of the following tokens recorded once (21 entries):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (32 IoCs)
description                       pid   Process                                                                   procid_target  entries
PID 2708 wrote to memory of 1592  2708  ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe  67             3
PID 1592 wrote to memory of 3588  1592  powershell.exe                                                            69             3
PID 1592 wrote to memory of 4424  1592  powershell.exe                                                            70             11
PID 4424 wrote to memory of 588   4424  aspnet_compiler.exe                                                       71             3
PID 4424 wrote to memory of 1352  4424  aspnet_compiler.exe                                                       74             3
PID 1352 wrote to memory of 2496  1352  cmd.exe                                                                   76             3
PID 4424 wrote to memory of 4860  4424  aspnet_compiler.exe                                                       77             3
PID 4860 wrote to memory of 3404  4860  cmd.exe                                                                   79             3
Processes
(depth in the process tree shown by indentation; the number after each image path is the depth level reported by the sandbox)

1  C:\Users\Admin\AppData\Local\Temp\ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe"
   PID: 2708
   - Suspicious use of WriteProcessMemory

   2  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
      PID: 1592
      - Blocklisted process makes network request
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
         Command line: C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
         PID: 3588

      3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
         Command line: C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
         PID: 4424
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\Wbem\wmic.exe
            Command line: wmic os get Caption
            PID: 588
            - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C "wmic path win32_VideoController get name"
            PID: 1352
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\SysWOW64\Wbem\WMIC.exe
               Command line: wmic path win32_VideoController get name
               PID: 2496
               - Suspicious use of AdjustPrivilegeToken

         4  C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C "wmic cpu get name"
            PID: 4860
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\SysWOW64\Wbem\WMIC.exe
               Command line: wmic cpu get name
               PID: 3404