Analysis
-
max time kernel
73s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
09-05-2023 08:08
General
-
Target
aurora.exe
-
Size
5.6MB
-
MD5
2072ab80f4f0b576590d6e2f66bc12a3
-
SHA1
92b9c99e858cd242983fad131e25028c9197a10f
-
SHA256
7e284862240837599b6916df7747947d45d8fa44979ff4bcf57703971e75c14b
-
SHA512
1f2fcf07f41af804aa94cdb3bd97cb7af35d12ba10f9e795052d1d68720f96933bb3a64c9397f1142c26ba392b6f988ac569ebfcddb5b5da85d82339a80bdeec
-
SSDEEP
49152:8ugM5SSiHPRpy67X9g31TGsev6imuMmS5cNDw7wBVAAp5ESxRlMmCaCfAm5K6Q0+:DMTlK1+gcEiMeCom5Kaw
Malware Config
Extracted
aurora
94.142.138.71:456
Signatures
-
Aurora
Aurora is a crypto wallet stealer written in Golang.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\aurora.exe"C:\Users\Admin\AppData\Local\Temp\aurora.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe /c "wmic csproduct get uuid"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {A8E515F4-D452-4204-93A2-933FFB1F34C2} S-1-5-21-2961826002-3968192592-354541192-1000:HVMHZIYD\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exeC:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exeC:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exeFilesize
14.1MB
MD5481bac73aa2a379d04b8cdcb2644d5e0
SHA1863a3b1579c6a9fb39fd5a64daa49c932ec278a0
SHA256295ddfdbb0e47cb9f25c541b9691b589b4bd84f3826f057f7ca0c0ec3b7d57c6
SHA5120573efedbe03899d040a34584d959b2cb3429735aba187a167952d520cacb39ca9511f98994ce5d0c8354811e670cfa367fd9d9fe37f417131a54a57b5ef49dd
-
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exeFilesize
10.9MB
MD572d6eacf302edd9d2a66bbe935dbc2c3
SHA186a4db673fd4abcc07fe0389a4ab1cbe6750fe07
SHA256697426f9b168a6aa6bf9c49fc44a743552f8f72ff4c4046d7303123a274386b6
SHA512fe600c61d3c870a1f0efa614544809e8fc478988dd9eefcf6f5462229a22faac1684af97ed5542b6201d177d70b78d2b57d0256eebbc66553f1f854489b49c2f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD53f4021e5403751fc1fd9a65325f58237
SHA1fa9c52600fa11bc9f0162f92157808a53933f4de
SHA256e7e19d6750fe33f43c408fb7ac45fdac5eda73ae38d9e8bb7051722ee9b65d98
SHA512bc59252ef900795d2757d551437a311fe3f5d08976844eac9f7b92ef3035e29ccb2ed5e266966836c4a7bf4a75147b7eb51c4a4d7e899426f46bb9a50d16f730
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ENIG9ODVR2FDZUADGSUB.tempFilesize
7KB
MD53f4021e5403751fc1fd9a65325f58237
SHA1fa9c52600fa11bc9f0162f92157808a53933f4de
SHA256e7e19d6750fe33f43c408fb7ac45fdac5eda73ae38d9e8bb7051722ee9b65d98
SHA512bc59252ef900795d2757d551437a311fe3f5d08976844eac9f7b92ef3035e29ccb2ed5e266966836c4a7bf4a75147b7eb51c4a4d7e899426f46bb9a50d16f730
-
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exeFilesize
510.2MB
MD5f0f3ebbfda11cdcec136db6578d950c7
SHA142929a6437d61f4036af8efd92310e3b0c55a32e
SHA25691c8665354e4cb83a8695740824341b87a9072eec8a541b689a6ecc6133505b4
SHA5124685e94e8fa307c0a4820bc4bc4d33b9cf7f4742df149de79403687dd4059cda780ffc93a92ba199cbb944b598043d02db910c746b6e566aab84ac50bc51d029
-
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exeFilesize
481.8MB
MD541b39f808b30380e13e3d428c9be9a37
SHA1da2b84acf93ca69d910910a6110959221ecd87e4
SHA2566e6e64e5f434df57d570e8034c20c246278a367e467c8d152d890ac2ee2c065b
SHA5123c867db85ef1b166fe6854535ae13ba86a0581111a17e6776819a50d54e1fa6d7a693697e7a16dcc6753dd7a617aae3a891c7327dfa9f5e40eb0a5006f316951
-
\Users\Admin\AppData\Local\Microsoft\config\runtime.exeFilesize
15.1MB
MD5ae5d05ac0b0220574bc8319a930bc3ff
SHA1502b51e5cdcf1f0402c6932c47ac4a06141b72cd
SHA2560e149b9d526b500c16c62b77278869ca3d956e195b09dc84027f109a19ed9158
SHA5123626b40d3b5259152fe08a159896dcb9d66a41cbbd39896a7239903a22d443279eb3192dd60153ba0719f747bdb357f99c64f598712998d30fc9c16f765143f5
-
\Users\Admin\AppData\Local\Microsoft\config\runtime.exeFilesize
14.3MB
MD51e2f9189a73d3d126b3ca9a110f70fc9
SHA11ef9607250b12385f15b6bcbc5c28b1a0cfd207d
SHA256c336258dfe9cde61a9f27ce2b24878ce1e8b8e2bfaf8de84df76fa1e58dfd95e
SHA5127eb9da9ed349ffa0295a5b7a12052d8a1a4c15e6efb9dec66a52f61fe43cca0b044c2936dce3c8f3890439b82dc41c542c2c1a89774ca2dade962f7de7e440f3
-
\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exeFilesize
520.4MB
MD530ae2ed4953f537de44ab93890b060fb
SHA194ee9c3093698d24675a2e739b9418f01bc07037
SHA256a86ec665ae77f6c9b5e2158be418fe1de70e0f1801a9d8576310f2740511398d
SHA5126f45177e417c69e92c0304093a07bc2ca3f7829b0bd85f0c59a37ba0e724f458842c96494b0b2de7fd972d12d8dc9b6046aa0f38714af7bbd41420e027c65515
-
\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exeFilesize
427.9MB
MD515b03f695bdba22893a44cf6ef705fdc
SHA10faa2aa0c6286065d7e904d709e10c50c790370b
SHA2566f4982c583a332704cb0203438aaf14ae67f2a39602c6792508e53398720813b
SHA512e37c4abbafc31b7d32ab3bba819ef7237cc30d385d57d85a6480229b22a9ba1770fc10bd1adbde7ff1ddf2e1faaf1696b5f6a0e151f39947efe98a4a6c116b2d
-
memory/240-60-0x000000001B390000-0x000000001B672000-memory.dmpFilesize
2.9MB
-
memory/240-64-0x00000000028D0000-0x0000000002950000-memory.dmpFilesize
512KB
-
memory/240-63-0x00000000028D0000-0x0000000002950000-memory.dmpFilesize
512KB
-
memory/240-62-0x00000000028D0000-0x0000000002950000-memory.dmpFilesize
512KB
-
memory/240-61-0x0000000001DE0000-0x0000000001DE8000-memory.dmpFilesize
32KB
-
memory/1760-73-0x0000000001ED0000-0x0000000001ED8000-memory.dmpFilesize
32KB
-
memory/1760-72-0x000000001B350000-0x000000001B632000-memory.dmpFilesize
2.9MB
-
memory/1760-78-0x0000000002750000-0x00000000027D0000-memory.dmpFilesize
512KB
-
memory/1760-79-0x0000000002750000-0x00000000027D0000-memory.dmpFilesize
512KB
-
memory/1760-80-0x0000000002750000-0x00000000027D0000-memory.dmpFilesize
512KB