Malware Analysis Report

2024-11-13 17:10

Sample ID 230321-rv1fmsda7v
Target 9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.zip
SHA256 596d6ceb355c1fba06021419bca0bbf62f02ee9d5fe859459d3bcf2b5f0ceced
Tags
aurora spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

596d6ceb355c1fba06021419bca0bbf62f02ee9d5fe859459d3bcf2b5f0ceced

Threat Level: Known bad

The file 9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.zip was found to be: Known bad.

Malicious Activity Summary

aurora spyware stealer

Aurora

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 14:31

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-21 14:31

Reported

2023-03-21 14:34

Platform

win10v2004-20230220-en

Max time kernel

79s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3272 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe
PID 3272 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe
PID 2836 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe C:\Windows\System32\Wbem\wmic.exe
PID 2836 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe C:\Windows\System32\Wbem\wmic.exe
PID 2836 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe C:\Windows\system32\cmd.exe
PID 2836 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe C:\Windows\system32\cmd.exe
PID 4640 wrote to memory of 3648 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4640 wrote to memory of 3648 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2836 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe C:\Windows\system32\cmd.exe
PID 2836 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 4092 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2604 wrote to memory of 4092 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe

"C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3272 -ip 3272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 2388

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 8.8.8.8:53 96.108.152.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 i.ibb.co udp
US 172.96.160.210:443 i.ibb.co tcp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 210.160.96.172.in-addr.arpa udp
US 8.8.8.8:53 58.104.205.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
DE 138.201.198.8:8081 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.198.201.138.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 131.17.126.40.in-addr.arpa udp
IE 13.69.239.74:443 tcp
US 52.152.108.96:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
NL 8.238.179.126:80 tcp
NL 8.238.179.126:80 tcp
NL 173.223.113.164:443 tcp

Files

memory/3272-133-0x00000000003A0000-0x0000000000896000-memory.dmp

memory/3272-134-0x00000000056A0000-0x0000000005C44000-memory.dmp

memory/3272-135-0x0000000005010000-0x00000000050A2000-memory.dmp

memory/3272-136-0x00000000050F0000-0x000000000518C000-memory.dmp

memory/3272-137-0x0000000002910000-0x000000000291A000-memory.dmp

memory/3272-138-0x0000000005380000-0x0000000005390000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe

MD5 a22f4f4fd882dc77ae4adcf180d34f1a
SHA1 b630ffa68e2fe05f60dec473368354e8c07a53c5
SHA256 a7e18f8334187302d07b411518c03f7b472b7ba17751e6f5d239541105aedd36
SHA512 1f1e5cb83dc8b95630702faea3107ffd6929dcbad1b30b5b7d77d5b7284d883a60fac0d802e7b9b624b45ee0362af08d5d8426b5d010e0f71cc1bd01c46a329e

memory/3272-144-0x0000000005380000-0x0000000005390000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe

MD5 a22f4f4fd882dc77ae4adcf180d34f1a
SHA1 b630ffa68e2fe05f60dec473368354e8c07a53c5
SHA256 a7e18f8334187302d07b411518c03f7b472b7ba17751e6f5d239541105aedd36
SHA512 1f1e5cb83dc8b95630702faea3107ffd6929dcbad1b30b5b7d77d5b7284d883a60fac0d802e7b9b624b45ee0362af08d5d8426b5d010e0f71cc1bd01c46a329e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\build.exe

MD5 a22f4f4fd882dc77ae4adcf180d34f1a
SHA1 b630ffa68e2fe05f60dec473368354e8c07a53c5
SHA256 a7e18f8334187302d07b411518c03f7b472b7ba17751e6f5d239541105aedd36
SHA512 1f1e5cb83dc8b95630702faea3107ffd6929dcbad1b30b5b7d77d5b7284d883a60fac0d802e7b9b624b45ee0362af08d5d8426b5d010e0f71cc1bd01c46a329e

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 386c014d0948d4fc41afa98cfca9022e
SHA1 786cc52d9b962f55f92202c7d50c3707eb62607b
SHA256 448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2
SHA512 13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 77e31b1123e94ce5720ceb729a425798
SHA1 2b65c95f27d8dca23864a3ed4f78490039ae27bf
SHA256 68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85
SHA512 9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 14:31

Reported

2023-03-21 14:34

Platform

win7-20230220-en

Max time kernel

28s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe

"C:\Users\Admin\AppData\Local\Temp\9d46f656238d21c07a1d280b8a23171d05ae87dbb136d4c0efefa578132058cf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 i.ibb.co udp
US 172.96.160.222:443 i.ibb.co tcp

Files

memory/2044-54-0x0000000000BE0000-0x00000000010D6000-memory.dmp

memory/2044-55-0x0000000005150000-0x0000000005190000-memory.dmp