aurora | 24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

Analysis

max time kernel
6s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bz7KfahvU.exe
Size

5.4MB
MD5

e0d2634fe2b085685f0b71e66ac91ec9
SHA1

c03d6b2218ffff1957a91f64d15ee1cbb57726fd
SHA256

24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4
SHA512

48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8
SSDEEP

49152:pyWMOEmrU4VWLP6zev05oej0EL9gCegK/efy5d8A45EG273LCV0UOQJUh9q101GF:Eq6PQn4/9GEp32VLV+h9sF

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

167.235.58.189:456

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1bz7KfahvU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1484 schtasks.exe
4660 schtasks.exe
3780 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4256 powershell.exe
4256 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4256 powershell.exe

pid	process
1484	schtasks.exe
4660	schtasks.exe
3780	schtasks.exe

pid	process
4256	powershell.exe
4256	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4256	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

1bz7KfahvU.exe

description	pid	process	target process
PID 3660 wrote to memory of 4256	3660	1bz7KfahvU.exe	powershell.exe
PID 3660 wrote to memory of 4256	3660	1bz7KfahvU.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\1bz7KfahvU.exe
"C:\Users\Admin\AppData\Local\Temp\1bz7KfahvU.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
2⤵
PID:3364

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
2⤵
PID:1180

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:464

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:2232

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:5112

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:4508

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1952

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:2020

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:3124

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:1672

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:4552

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3148

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:2644

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:5020

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1052

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:3888

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:2248

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:3700

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:400

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1796

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:3652

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:4024

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:4852

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:2536

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:3756

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3660

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:2380

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:4956

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
29.6MB

MD5
c2f91d2d368978c0d879ed1448b3c9e3

SHA1
9831e4455375574746cedcb438f0e4aa3a2177ad

SHA256
fbcb0767b76dce0ad19c4cd1094bcd3e3b8c28d55b885ba1912d6b999841ba70

SHA512
8b96b71ec19ad5e91b0422bdab05e7760903a5e67929641e49b642f4f944d48b492e7afe8e19465155acf381cc429829504b2cbf44e67378a129758410da391e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
31.4MB

MD5
a2e04d11a2a3842e26b47423b34495e5

SHA1
e8831407872577fc8a224611750a2a59cfab8950

SHA256
76373d2b46ba77d2fa76d1e5ba92c7dde2008e06a52ad25c7efb388def743abb

SHA512
a188b45879a31e57d4b0285fa847489b879ed08248d0501bb906dc49464aeaf1a5eae48a3ca34330ec37bef0b45d44e5d33b9470dd15d09d7c2b19cb9d29d70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
25.9MB

MD5
cf9474e9ee1af0a8f064047e4f8c9099

SHA1
9d9f9e5eb4238f8b7cde8871c5173434731b7c32

SHA256
7c03508a02f4e29afa5aaa4a2170bfb54b344a458e9424da2f438816234d5a51

SHA512
10dbfe30992e958d1abbf14feae283d68338d47debb31c1050c6a17040e91912fcc21e0941adb4ed55d234f67c15974a45ce8cdbffd55fc744aed20e141cbc05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
9.1MB

MD5
0dfe71a523edd62b20d18bb160abc4be

SHA1
6e4e77c42abb01c378266c118d6ab3dbf0b82a00

SHA256
8663ad7b4dc0f01116ac3ab1ed75141be3e077823d7f51e12b82faa0475c81e6

SHA512
d99b573c671a1819410dbcf92926a55593f80e46e8146e6750d6f647b393304d5079ff7b124672daa2fc8a5888afc84629965ee3dff24247c8fee273566f5f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
43.3MB

MD5
303ca97721332e8e9b31340131c462f5

SHA1
aca10c987c9d49cac8edb7c3c23bd335ef37f349

SHA256
a7c0f171abf459d109af8179b1c21c7ba397c3490760edac062a660b244d6ebb

SHA512
d310e85a085f7cd85aedb65d7cfaec1cf71674cee6cdfb1e64c44ca0e1dc10c12fe4f7397edea4b57c73314dc49d233e415ca6fc920930c92840b5be20ed9345

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
30.4MB

MD5
b5a7793028fedadd629825e26c87f778

SHA1
5859c7a4c1799ccfa391d6dafc133988d6b03481

SHA256
1be1cdd6fb71a470cd4ce580f2deb44ef2098ead61fb5cba4dfe2206bcee80c9

SHA512
974ab63b54b965e6546ffd372c46efec6bd80934b4ed7850ed520fe2ebfd1706a65a0f2ee78894c675d9e11ea6e4e56cb37ce569cbc6a2d391ee34b07d42b028

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
29.9MB

MD5
90095052e4192f2757906faf54c21cf3

SHA1
f4248318234648faadcd96452caacf5374b32bca

SHA256
f0d6f9dc1f35ed9da7bc3fe9314cf8ce5c2e7ae26804cd316b892797d3e8f8c7

SHA512
2c3b76941582fae2f209a2dae6028d10366c657b50b5fab3ac95127b730870414e7f27dff005498824092cb2dd06208d0a146d8b63f3b344b93b29edb843b2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
27.1MB

MD5
6883dbd9c58261191e44cd025159fbff

SHA1
f3ab7c4b3f1995e3ec02336ba8cb7807e5200247

SHA256
d37f7ebccadb722c99cc906420b496c847758e81e028d3000bb3822a5d803ef6

SHA512
440e52082feab4c1a1ca5dba0cecec29f87bbbead52bcec809104fbb72189e126c9430bb2dcf315ac7a82fafb46c738ae74bc62c274adab40fac304a2e1f3602

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
9.9MB

MD5
96907db72cb44ae6517b1d9770c1cb7a

SHA1
8b89e16ff7a8211c0d38ac325e7f0be0f97aeee5

SHA256
de96f98891cac437a60ffbd55fe7c5cee9586aa5f95c1475e8cf6a1130d819ec

SHA512
26711e68ccfd24e563d6507326a553585949755b4c08738788306234bd51befd6db308e82a49c187ba345fe5c686c2968ec6e39fab380d943e7cdb9cee70c6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uew41g3l.xdz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
31.9MB

MD5
995a8918349867253187f5d9f56c117e

SHA1
cc1ac2250784b350b1ca6d97d18892a576c8621c

SHA256
707aa20e9e3f44f9911f9db8d51b987930ad0ea70575150f2a3a818b571d2d3e

SHA512
bbd679bb7485ef11547ee5a9edcdf05e23e56d9224f39ac313373a64b2966b12360f7ba2e11b6040b7e170fabbe4a19fede2c00ad8fb54fabf96dfe0a6f79ba5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
29.4MB

MD5
2561d6b223aaf8a03b7e913957e9441f

SHA1
06150a36bff3575441dd8f5e05fe5d244f7b4608

SHA256
60d85fc0035d01c780fe6bc2d3309f88bd7cf8fad9b10af10e2691256b090939

SHA512
838b4f4760133fefed36362111d5fa961a39367d36062c6b3d5f0b07e898da6a33e3516d43040f4bc4a23b882cfbc7a7f1255e09198361e0324a65c106323eaf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
25.6MB

MD5
168216749f9e11097a24492c95fc5c8e

SHA1
e3ec306b4686c73ee985625133d1e3ec002c55cd

SHA256
1e8a346950f8d2881be20e8e095ff1352ea6326826864f5c4ddd51328d417655

SHA512
f75587fc72d5ba223b0e4417c18cd88ad0b1e760aadc96e2f43864b314b7720043cbdf53f77d7a76997fc95e021fdfa1bae85272414d1c4acfb622aeb4626768

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
9.1MB

MD5
09cd4b8307cd0f2b04f8872d989b1bc4

SHA1
1168e920d5d02962f49481c825bae7e372164ac9

SHA256
5a8836e3a4c0652b640cfe2c9d98e2b3cba7a351bff2172a2aa0cb8cfdab7d78

SHA512
6c408ba0e0e52773e05905f9bf74890ad1cf37432117d4d546ea559db256bebef9c2e8238b0170e4dbf729a3562866c7660740ccc3c6217ddbccae1aca93a980

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1180-178-0x0000023539E90000-0x0000023539EA0000-memory.dmp

Filesize
64KB

Download
memory/1180-180-0x0000023539E90000-0x0000023539EA0000-memory.dmp

Filesize
64KB

Download
memory/1180-179-0x0000023539E90000-0x0000023539EA0000-memory.dmp

Filesize
64KB

Download
memory/3364-163-0x00000223FD470000-0x00000223FD480000-memory.dmp

Filesize
64KB

Download
memory/3364-162-0x00000223FD470000-0x00000223FD480000-memory.dmp

Filesize
64KB

Download
memory/4256-135-0x000002A5F5D20000-0x000002A5F5D30000-memory.dmp

Filesize
64KB

Download
memory/4256-147-0x000002A5F5D20000-0x000002A5F5D30000-memory.dmp

Filesize
64KB

Download
memory/4256-136-0x000002A5F5D20000-0x000002A5F5D30000-memory.dmp

Filesize
64KB

Download
memory/4256-146-0x000002A5F5CF0000-0x000002A5F5D12000-memory.dmp

Filesize
136KB

Download