Analysis

max time kernel: 91s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2023, 20:56

Static task: static1
Behavioral task: behavioral1
  Sample: Screenshot Map.exe
  Resource: win7-20221111-en
  3 signatures
  150 seconds
General

Target: Screenshot Map.exe
Size: 293KB
MD5: 0b916c1bb37ac75ef96d827e662a164c
SHA1: 05c06be84c9f61c123e1c35e2004e15c05b5f28a
SHA256: ee8ae89f2f8a6e6804c3772181a889ec77fce227a31b12d9a409259f86b48702
SHA512: 54f32e9a9435340cd0a3fc6e28c1637e15a6c261d87d19317cf7b4fe01efbabdad2c848b68f9b35cf2000a0a2a9e0037e160604b29be49538499160c9ef8c754
SSDEEP: 6144:8G/M39DFekGOj/+HgS0P4mKHMN5/B4FL:zMdwkvS0PLKHM7qZ
Malware Config

Extracted
Family: aurora
C2: 95.217.235.8:8081
Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  13    2352  powershell.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (20 IoCs)
  pid   Process
  2352  powershell.exe   (the same entry is recorded 20 times)

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process         procid_target
  PID 2352 set thread context of 5068   2352  powershell.exe  93

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2352  powershell.exe   (the same entry is recorded 64 times)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                            pid   Process
  Token: SeDebugPrivilege                2352  powershell.exe
  Token: SeIncreaseQuotaPrivilege        3896  wmic.exe
  Token: SeSecurityPrivilege             3896  wmic.exe
  Token: SeTakeOwnershipPrivilege        3896  wmic.exe
  Token: SeLoadDriverPrivilege           3896  wmic.exe
  Token: SeSystemProfilePrivilege        3896  wmic.exe
  Token: SeSystemtimePrivilege           3896  wmic.exe
  Token: SeProfSingleProcessPrivilege    3896  wmic.exe
  Token: SeIncBasePriorityPrivilege      3896  wmic.exe
  Token: SeCreatePagefilePrivilege       3896  wmic.exe
  Token: SeBackupPrivilege               3896  wmic.exe
  Token: SeRestorePrivilege              3896  wmic.exe
  Token: SeShutdownPrivilege             3896  wmic.exe
  Token: SeDebugPrivilege                3896  wmic.exe
  Token: SeSystemEnvironmentPrivilege    3896  wmic.exe
  Token: SeRemoteShutdownPrivilege       3896  wmic.exe
  Token: SeUndockPrivilege               3896  wmic.exe
  Token: SeManageVolumePrivilege         3896  wmic.exe
  Token: 33                              3896  wmic.exe
  Token: 34                              3896  wmic.exe
  Token: 35                              3896  wmic.exe
  Token: 36                              3896  wmic.exe
  (the 21 entries above for pid 3896 are recorded twice)
  Token: SeIncreaseQuotaPrivilege        4752  WMIC.exe
  Token: SeSecurityPrivilege             4752  WMIC.exe
  Token: SeTakeOwnershipPrivilege        4752  WMIC.exe
  Token: SeLoadDriverPrivilege           4752  WMIC.exe
  Token: SeSystemProfilePrivilege        4752  WMIC.exe
  Token: SeSystemtimePrivilege           4752  WMIC.exe
  Token: SeProfSingleProcessPrivilege    4752  WMIC.exe
  Token: SeIncBasePriorityPrivilege      4752  WMIC.exe
  Token: SeCreatePagefilePrivilege       4752  WMIC.exe
  Token: SeBackupPrivilege               4752  WMIC.exe
  Token: SeRestorePrivilege              4752  WMIC.exe
  Token: SeShutdownPrivilege             4752  WMIC.exe
  Token: SeDebugPrivilege                4752  WMIC.exe
  Token: SeSystemEnvironmentPrivilege    4752  WMIC.exe
  Token: SeRemoteShutdownPrivilege       4752  WMIC.exe
  Token: SeUndockPrivilege               4752  WMIC.exe
  Token: SeManageVolumePrivilege         4752  WMIC.exe
  Token: 33                              4752  WMIC.exe
  Token: 34                              4752  WMIC.exe
  Token: 35                              4752  WMIC.exe
  Token: 36                              4752  WMIC.exe

Suspicious use of WriteProcessMemory (29 IoCs)
  description                          pid   Process               procid_target
  PID 4092 wrote to memory of 2352     4092  Screenshot Map.exe    84    (recorded 3 times)
  PID 2352 wrote to memory of 5068     2352  powershell.exe        93    (recorded 11 times)
  PID 5068 wrote to memory of 3896     5068  aspnet_compiler.exe   94    (recorded 3 times)
  PID 5068 wrote to memory of 4384     5068  aspnet_compiler.exe   96    (recorded 3 times)
  PID 4384 wrote to memory of 4752     4384  cmd.exe               98    (recorded 3 times)
  PID 5068 wrote to memory of 3128     5068  aspnet_compiler.exe   99    (recorded 3 times)
  PID 3128 wrote to memory of 2628     3128  cmd.exe               101   (recorded 3 times)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Screenshot Map.exe
    command: "C:\Users\Admin\AppData\Local\Temp\Screenshot Map.exe"
    PID: 4092
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command: "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
      PID: 2352
      - Blocklisted process makes network request
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        command: C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
        PID: 5068
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\Wbem\wmic.exe
          command: wmic os get Caption
          PID: 3896
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\cmd.exe
          command: cmd /C "wmic path win32_VideoController get name"
          PID: 4384
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
            command: wmic path win32_VideoController get name
            PID: 4752
            - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\cmd.exe
          command: cmd /C "wmic cpu get name"
          PID: 3128
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
            command: wmic cpu get name
            PID: 2628