Analysis

max time kernel: 99s
max time network: 175s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22/01/2023, 04:49

Static task: static1
Behavioral task: behavioral1
Sample: ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
Resource: win7-20221111-en
3 signatures
300 seconds
General

Target: ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
Size: 268KB
MD5: 50a3cdeb5ecd78be788dd9232db6fa79
SHA1: baef08dfe4b9ec5abc00aefa81d3656952e07b37
SHA256: ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc
SHA512: 255bb8133a62a9bc49fea8933217639fb3191648c5403cb4972865ecc53cccda4f1a3f90278a9e08d78e7cc3376047472cfae364184b8ef8b9d420f10a7aaf3d
SSDEEP: 3072:gpE5D8eEcnqm7h+UpV4Uqdd84sIDSQKyYyPuev/9LmAx7wAoBtgsWrYkgx1IPP:twcnqpU0dduIDAyPug/9LmAx7wRH1IPP
Malware Config

Extracted
Family: aurora
C2: 45.15.156.242:8081
Signatures

Blocklisted process makes network request (1 IoC)
flow  pid   Process
7     4272  powershell.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (20 IoCs)
pid   Process         occurrences
4272  powershell.exe  20

Suspicious use of SetThreadContext (1 IoC)
description                              pid   Process         procid_target
PID 4272 set thread context of 4248      4272  powershell.exe  70

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process         occurrences
4272  powershell.exe  64

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                              pid   Process         occurrences
Token: SeDebugPrivilege                  4272  powershell.exe  1
Token: SeIncreaseQuotaPrivilege          4808  wmic.exe        2
Token: SeSecurityPrivilege               4808  wmic.exe        2
Token: SeTakeOwnershipPrivilege          4808  wmic.exe        2
Token: SeLoadDriverPrivilege             4808  wmic.exe        2
Token: SeSystemProfilePrivilege          4808  wmic.exe        2
Token: SeSystemtimePrivilege             4808  wmic.exe        2
Token: SeProfSingleProcessPrivilege      4808  wmic.exe        2
Token: SeIncBasePriorityPrivilege        4808  wmic.exe        2
Token: SeCreatePagefilePrivilege         4808  wmic.exe        2
Token: SeBackupPrivilege                 4808  wmic.exe        2
Token: SeRestorePrivilege                4808  wmic.exe        2
Token: SeShutdownPrivilege               4808  wmic.exe        2
Token: SeDebugPrivilege                  4808  wmic.exe        2
Token: SeSystemEnvironmentPrivilege      4808  wmic.exe        2
Token: SeRemoteShutdownPrivilege         4808  wmic.exe        2
Token: SeUndockPrivilege                 4808  wmic.exe        2
Token: SeManageVolumePrivilege           4808  wmic.exe        2
Token: 33                                4808  wmic.exe        2
Token: 34                                4808  wmic.exe        2
Token: 35                                4808  wmic.exe        2
Token: 36                                4808  wmic.exe        2
Token: SeIncreaseQuotaPrivilege          1824  WMIC.exe        1
Token: SeSecurityPrivilege               1824  WMIC.exe        1
Token: SeTakeOwnershipPrivilege          1824  WMIC.exe        1
Token: SeLoadDriverPrivilege             1824  WMIC.exe        1
Token: SeSystemProfilePrivilege          1824  WMIC.exe        1
Token: SeSystemtimePrivilege             1824  WMIC.exe        1
Token: SeProfSingleProcessPrivilege      1824  WMIC.exe        1
Token: SeIncBasePriorityPrivilege        1824  WMIC.exe        1
Token: SeCreatePagefilePrivilege         1824  WMIC.exe        1
Token: SeBackupPrivilege                 1824  WMIC.exe        1
Token: SeRestorePrivilege                1824  WMIC.exe        1
Token: SeShutdownPrivilege               1824  WMIC.exe        1
Token: SeDebugPrivilege                  1824  WMIC.exe        1
Token: SeSystemEnvironmentPrivilege      1824  WMIC.exe        1
Token: SeRemoteShutdownPrivilege         1824  WMIC.exe        1
Token: SeUndockPrivilege                 1824  WMIC.exe        1
Token: SeManageVolumePrivilege           1824  WMIC.exe        1
Token: 33                                1824  WMIC.exe        1
Token: 34                                1824  WMIC.exe        1
Token: 35                                1824  WMIC.exe        1
Token: 36                                1824  WMIC.exe        1

Suspicious use of WriteProcessMemory (32 IoCs)
description                         pid   Process                                                                  procid_target  occurrences
PID 2124 wrote to memory of 4272    2124  ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe  67             3
PID 4272 wrote to memory of 4784    4272  powershell.exe                                                           69             3
PID 4272 wrote to memory of 4248    4272  powershell.exe                                                           70             11
PID 4248 wrote to memory of 4808    4248  aspnet_compiler.exe                                                      71             3
PID 4248 wrote to memory of 2920    4248  aspnet_compiler.exe                                                      74             3
PID 2920 wrote to memory of 1824    2920  cmd.exe                                                                  76             3
PID 4248 wrote to memory of 4900    4248  aspnet_compiler.exe                                                      77             3
PID 4900 wrote to memory of 3056    4900  cmd.exe                                                                  79             3
Processes

1. C:\Users\Admin\AppData\Local\Temp\ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ad64a6e6e563e0aa8afcf4ce2e001363a20d8fcd5b6f6b0003329ce1f543f5bc.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2124

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe"
      - Blocklisted process makes network request
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4272

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
         Command line: C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
         PID: 4784

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
         Command line: C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
         - Suspicious use of WriteProcessMemory
         PID: 4248

         4. C:\Windows\SysWOW64\Wbem\wmic.exe
            Command line: wmic os get Caption
            - Suspicious use of AdjustPrivilegeToken
            PID: 4808

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C "wmic path win32_VideoController get name"
            - Suspicious use of WriteProcessMemory
            PID: 2920

            5. C:\Windows\SysWOW64\Wbem\WMIC.exe
               Command line: wmic path win32_VideoController get name
               - Suspicious use of AdjustPrivilegeToken
               PID: 1824

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /C "wmic cpu get name"
            - Suspicious use of WriteProcessMemory
            PID: 4900

            5. C:\Windows\SysWOW64\Wbem\WMIC.exe
               Command line: wmic cpu get name
               PID: 3056