Analysis

max time kernel: 156s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-03-2023 16:25

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20230220-en
General

Target: file.exe
Size: 5.0MB
MD5: 4f253477a36850490e31add375d9cdad
SHA1: 0bbd876a81e43746595da1b71285ef6978ceb162
SHA256: 9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf
SHA512: c3fd8354070103f423b937f0dbe8d4a1285494ea14e4a5748b4b9936d019a4b38dd65d447a3471a8ba41f21275c33800e756666c9ba450276c7cd0f7b420b8b8
SSDEEP: 98304:UJbMKqBTZlgY5FlcBfclcPi7LO049CDZe:MMKslMBfcc67LrHD8
Malware Config

Extracted: aurora
  138.201.198.8:8081
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Description        IoC                                                                                                      Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation  file.exe

Executes dropped EXE (1 IoCs)
Processes:
  PID   Process
  3656  build.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes:
  PID  Target PID  Process       Target process
  228  552         WerFault.exe  file.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
  PID  Process
  552  file.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  Description                          PID   Process
  Token: SeDebugPrivilege              552   file.exe
  Token: SeIncreaseQuotaPrivilege      3948  wmic.exe
  Token: SeSecurityPrivilege           3948  wmic.exe
  Token: SeTakeOwnershipPrivilege      3948  wmic.exe
  Token: SeLoadDriverPrivilege         3948  wmic.exe
  Token: SeSystemProfilePrivilege      3948  wmic.exe
  Token: SeSystemtimePrivilege         3948  wmic.exe
  Token: SeProfSingleProcessPrivilege  3948  wmic.exe
  Token: SeIncBasePriorityPrivilege    3948  wmic.exe
  Token: SeCreatePagefilePrivilege     3948  wmic.exe
  Token: SeBackupPrivilege             3948  wmic.exe
  Token: SeRestorePrivilege            3948  wmic.exe
  Token: SeShutdownPrivilege           3948  wmic.exe
  Token: SeDebugPrivilege              3948  wmic.exe
  Token: SeSystemEnvironmentPrivilege  3948  wmic.exe
  Token: SeRemoteShutdownPrivilege     3948  wmic.exe
  Token: SeUndockPrivilege             3948  wmic.exe
  Token: SeManageVolumePrivilege       3948  wmic.exe
  Token: 33                            3948  wmic.exe
  Token: 34                            3948  wmic.exe
  Token: 35                            3948  wmic.exe
  Token: 36                            3948  wmic.exe
  Token: SeIncreaseQuotaPrivilege      3948  wmic.exe
  Token: SeSecurityPrivilege           3948  wmic.exe
  Token: SeTakeOwnershipPrivilege      3948  wmic.exe
  Token: SeLoadDriverPrivilege         3948  wmic.exe
  Token: SeSystemProfilePrivilege      3948  wmic.exe
  Token: SeSystemtimePrivilege         3948  wmic.exe
  Token: SeProfSingleProcessPrivilege  3948  wmic.exe
  Token: SeIncBasePriorityPrivilege    3948  wmic.exe
  Token: SeCreatePagefilePrivilege     3948  wmic.exe
  Token: SeBackupPrivilege             3948  wmic.exe
  Token: SeRestorePrivilege            3948  wmic.exe
  Token: SeShutdownPrivilege           3948  wmic.exe
  Token: SeDebugPrivilege              3948  wmic.exe
  Token: SeSystemEnvironmentPrivilege  3948  wmic.exe
  Token: SeRemoteShutdownPrivilege     3948  wmic.exe
  Token: SeUndockPrivilege             3948  wmic.exe
  Token: SeManageVolumePrivilege       3948  wmic.exe
  Token: 33                            3948  wmic.exe
  Token: 34                            3948  wmic.exe
  Token: 35                            3948  wmic.exe
  Token: 36                            3948  wmic.exe
  Token: SeIncreaseQuotaPrivilege      2948  WMIC.exe
  Token: SeSecurityPrivilege           2948  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2948  WMIC.exe
  Token: SeLoadDriverPrivilege         2948  WMIC.exe
  Token: SeSystemProfilePrivilege      2948  WMIC.exe
  Token: SeSystemtimePrivilege         2948  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2948  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2948  WMIC.exe
  Token: SeCreatePagefilePrivilege     2948  WMIC.exe
  Token: SeBackupPrivilege             2948  WMIC.exe
  Token: SeRestorePrivilege            2948  WMIC.exe
  Token: SeShutdownPrivilege           2948  WMIC.exe
  Token: SeDebugPrivilege              2948  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2948  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2948  WMIC.exe
  Token: SeUndockPrivilege             2948  WMIC.exe
  Token: SeManageVolumePrivilege       2948  WMIC.exe
  Token: 33                            2948  WMIC.exe
  Token: 34                            2948  WMIC.exe
  Token: 35                            2948  WMIC.exe
  Token: 36                            2948  WMIC.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  Description                       PID   Process    Target process
  PID 552 wrote to memory of 3656   552   file.exe   build.exe
  PID 552 wrote to memory of 3656   552   file.exe   build.exe
  PID 3656 wrote to memory of 3948  3656  build.exe  wmic.exe
  PID 3656 wrote to memory of 3948  3656  build.exe  wmic.exe
  PID 3656 wrote to memory of 4032  3656  build.exe  cmd.exe
  PID 3656 wrote to memory of 4032  3656  build.exe  cmd.exe
  PID 4032 wrote to memory of 2948  4032  cmd.exe    WMIC.exe
  PID 4032 wrote to memory of 2948  4032  cmd.exe    WMIC.exe
  PID 3656 wrote to memory of 3724  3656  build.exe  cmd.exe
  PID 3656 wrote to memory of 3724  3656  build.exe  cmd.exe
  PID 3724 wrote to memory of 4900  3724  cmd.exe    WMIC.exe
  PID 3724 wrote to memory of 4900  3724  cmd.exe    WMIC.exe
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\wmic.exe
      Command line: wmic os get Caption
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      Command line: cmd /C "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic path win32_VideoController get name
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      Command line: cmd /C "wmic cpu get name"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic cpu get name

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 2384
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 552 -ip 552
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
  Filesize: 2KB
  MD5: 18da5c19d469f921ff9d44f1f17de97b
  SHA1: bef606053494e1f516431d40f2aca29cf1deeb20
  SHA256: 662f6389650db2471a13412664d05cfed46fef73dd1d30cf16d2c8ceeee33eb0
  SHA512: 9eee1b05c10544813c2eb89c48369d78e5b9260fddd8e90a34f06ac8ea2955860083c6c8ac31089276e97e269b87b4ac0c43e9dcdb7bd6091759dccb4ac0e71d

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
  Filesize: 71KB
  MD5: 46988a922937a39036d6b71e62d0f966
  SHA1: 4a997f2a0360274ec7990aac156870a5a7030665
  SHA256: 5954db23a8424f6cb1e933387d0866910c45615f54342aa0f6dd597174393de6
  SHA512: dd7774668cd24c303e670e7d096794aca67593b8d8a9b3b38aa08c148f67e74c07041f25941465b3ae030bafd76384b4b79d41c1eeebe5bd11d94ab25ef00e9d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe
  Filesize: 3.0MB
  MD5: a22f4f4fd882dc77ae4adcf180d34f1a
  SHA1: b630ffa68e2fe05f60dec473368354e8c07a53c5
  SHA256: a7e18f8334187302d07b411518c03f7b472b7ba17751e6f5d239541105aedd36
  SHA512: 1f1e5cb83dc8b95630702faea3107ffd6929dcbad1b30b5b7d77d5b7284d883a60fac0d802e7b9b624b45ee0362af08d5d8426b5d010e0f71cc1bd01c46a329e
memory/552-133-0x0000000000480000-0x0000000000976000-memory.dmp
  Filesize: 5.0MB

memory/552-134-0x00000000056E0000-0x0000000005C84000-memory.dmp
  Filesize: 5.6MB

memory/552-135-0x00000000051D0000-0x0000000005262000-memory.dmp
  Filesize: 584KB

memory/552-136-0x0000000005270000-0x000000000530C000-memory.dmp
  Filesize: 624KB

memory/552-137-0x00000000053D0000-0x00000000053E0000-memory.dmp
  Filesize: 64KB

memory/552-138-0x0000000005160000-0x000000000516A000-memory.dmp
  Filesize: 40KB