Analysis

  • max time kernel
    30s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/01/2023, 20:10

General

  • Target

    Tradingview_Plus_cln.exe

  • Size

    11.9MB

  • MD5

    12c55a2c344ec1c33daf7ae427b7c5e5

  • SHA1

    f1e6680e7591180cbb2d56b17b60a328d155042e

  • SHA256

    cff56386e4dcfec706cfd98b2590109589904ec8404160fa4b890d3106f2e339

  • SHA512

    904e3ec7110d5da938be5748abc2d7694e5d1f46eda45a9b64434d7b5c5bd1bc632448e066b8e8d37c75154d89203b1c3fe5d1d363dd204197f97a153c859b0a

  • SSDEEP

    98304:zB2WCqo07EZxOCKQJNR05epDuhY7Nv7j3RxOzPcDY8dmme54bcL9iA:zIWpT7EiQJP05epDvv7j3S0jdKL9d

Score
10/10

Malware Config

Signatures

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe
    "C:\Users\Admin\AppData\Local\Temp\Tradingview_Plus_cln.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe
      "C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1852
      • C:\Windows\System32\Wbem\wmic.exe
        wmic os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Windows\system32\cmd.exe
        cmd /C "wmic path win32_VideoController get name"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic path win32_VideoController get name
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1692
      • C:\Windows\system32\cmd.exe
        cmd /C "wmic cpu get name"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic cpu get name
          4⤵
          PID:904

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\sakjdhasdkj.exe

    Filesize

    4.4MB

    MD5

    9b6a95488caf9f998ee001cf188d50ca

    SHA1

    bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f

    SHA256

    fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190

    SHA512

    d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598

  • \Users\Admin\AppData\Roaming\sakjdhasdkj.exe

    Filesize

    4.4MB

    MD5

    9b6a95488caf9f998ee001cf188d50ca

    SHA1

    bcb8ff47e4d23a90519f5c7feee5a9ad4df8429f

    SHA256

    fc3729982b726e43ede73556c12d9211ecc249608a0ac938eda6fac43b0e5190

    SHA512

    d3d769b8bae56122e39e571699ff16071c3d469c65022c48575c93ed4deb48712b9ff79a6fde38dd050b125af5196b984161b63e12d6cf11079be4bdb9c84598

  • memory/1488-54-0x0000000001020000-0x0000000001C12000-memory.dmp

    Filesize

    11.9MB

  • memory/1488-55-0x000007FEFC101000-0x000007FEFC103000-memory.dmp

    Filesize

    8KB