Analysis
- max time kernel: 73s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2023 08:08
Behavioral task behavioral1
- Sample: aurora.exe
- Resource: win7-20230220-en
Behavioral task behavioral2
- Sample: aurora.exe
- Resource: win10v2004-20230220-en
General
- Target: aurora.exe
- Size: 5.6MB
- MD5: 2072ab80f4f0b576590d6e2f66bc12a3
- SHA1: 92b9c99e858cd242983fad131e25028c9197a10f
- SHA256: 7e284862240837599b6916df7747947d45d8fa44979ff4bcf57703971e75c14b
- SHA512: 1f2fcf07f41af804aa94cdb3bd97cb7af35d12ba10f9e795052d1d68720f96933bb3a64c9397f1142c26ba392b6f988ac569ebfcddb5b5da85d82339a80bdeec
- SSDEEP: 49152:8ugM5SSiHPRpy67X9g31TGsev6imuMmS5cNDw7wBVAAp5ESxRlMmCaCfAm5K6Q0+:DMTlK1+gcEiMeCom5Kaw
Malware Config
Extracted
- Family: aurora
- Address: 94.142.138.71:456
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process): 984 runtime.exe; 1644 runtime.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid, process): 900 taskeng.exe (recorded four times)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe" (aurora.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe" (aurora.exe)
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process): 1472 schtasks.exe; 1100 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process): 240 powershell.exe; 1760 powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 240 powershell.exe
  - Token: SeDebugPrivilege, 1760 powershell.exe
  - 1976 WMIC.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this sequence is recorded twice)
  - 808 WMIC.exe, Token: the same sequence of privileges as for 1976 WMIC.exe, recorded once in full and then again up to SeSecurityPrivilege, where the table stops at the 64-IoC limit
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description, pid, process, target process); each entry is recorded three times:
  - PID 1688 aurora.exe wrote to memory of 240 powershell.exe
  - PID 240 powershell.exe wrote to memory of 1472 schtasks.exe
  - PID 1688 aurora.exe wrote to memory of 1760 powershell.exe
  - PID 900 taskeng.exe wrote to memory of 984 runtime.exe
  - PID 1760 powershell.exe wrote to memory of 1100 schtasks.exe
  - PID 1688 aurora.exe wrote to memory of 932 cmd.exe
  - PID 932 cmd.exe wrote to memory of 1976 WMIC.exe
  - PID 900 taskeng.exe wrote to memory of 1644 runtime.exe
  - PID 1688 aurora.exe wrote to memory of 1172 cmd.exe
  - PID 1172 cmd.exe wrote to memory of 808 WMIC.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\aurora.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aurora.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
      - Creates scheduled task(s)
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      Command line: "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
      - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c "wmic csproduct get uuid"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c "wmic csproduct get uuid"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic csproduct get uuid
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {A8E515F4-D452-4204-93A2-933FFB1F34C2} S-1-5-21-2961826002-3968192592-354541192-1000:HVMHZIYD\Admin:Interactive:[1]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
    Command line: C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
  Filesize: 14.1MB
  MD5: 481bac73aa2a379d04b8cdcb2644d5e0
  SHA1: 863a3b1579c6a9fb39fd5a64daa49c932ec278a0
  SHA256: 295ddfdbb0e47cb9f25c541b9691b589b4bd84f3826f057f7ca0c0ec3b7d57c6
  SHA512: 0573efedbe03899d040a34584d959b2cb3429735aba187a167952d520cacb39ca9511f98994ce5d0c8354811e670cfa367fd9d9fe37f417131a54a57b5ef49dd
- C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
  Filesize: 10.9MB
  MD5: 72d6eacf302edd9d2a66bbe935dbc2c3
  SHA1: 86a4db673fd4abcc07fe0389a4ab1cbe6750fe07
  SHA256: 697426f9b168a6aa6bf9c49fc44a743552f8f72ff4c4046d7303123a274386b6
  SHA512: fe600c61d3c870a1f0efa614544809e8fc478988dd9eefcf6f5462229a22faac1684af97ed5542b6201d177d70b78d2b57d0256eebbc66553f1f854489b49c2f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 3f4021e5403751fc1fd9a65325f58237
  SHA1: fa9c52600fa11bc9f0162f92157808a53933f4de
  SHA256: e7e19d6750fe33f43c408fb7ac45fdac5eda73ae38d9e8bb7051722ee9b65d98
  SHA512: bc59252ef900795d2757d551437a311fe3f5d08976844eac9f7b92ef3035e29ccb2ed5e266966836c4a7bf4a75147b7eb51c4a4d7e899426f46bb9a50d16f730
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ENIG9ODVR2FDZUADGSUB.temp
  Filesize: 7KB
  MD5: 3f4021e5403751fc1fd9a65325f58237
  SHA1: fa9c52600fa11bc9f0162f92157808a53933f4de
  SHA256: e7e19d6750fe33f43c408fb7ac45fdac5eda73ae38d9e8bb7051722ee9b65d98
  SHA512: bc59252ef900795d2757d551437a311fe3f5d08976844eac9f7b92ef3035e29ccb2ed5e266966836c4a7bf4a75147b7eb51c4a4d7e899426f46bb9a50d16f730
- C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
  Filesize: 510.2MB
  MD5: f0f3ebbfda11cdcec136db6578d950c7
  SHA1: 42929a6437d61f4036af8efd92310e3b0c55a32e
  SHA256: 91c8665354e4cb83a8695740824341b87a9072eec8a541b689a6ecc6133505b4
  SHA512: 4685e94e8fa307c0a4820bc4bc4d33b9cf7f4742df149de79403687dd4059cda780ffc93a92ba199cbb944b598043d02db910c746b6e566aab84ac50bc51d029
- C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
  Filesize: 481.8MB
  MD5: 41b39f808b30380e13e3d428c9be9a37
  SHA1: da2b84acf93ca69d910910a6110959221ecd87e4
  SHA256: 6e6e64e5f434df57d570e8034c20c246278a367e467c8d152d890ac2ee2c065b
  SHA512: 3c867db85ef1b166fe6854535ae13ba86a0581111a17e6776819a50d54e1fa6d7a693697e7a16dcc6753dd7a617aae3a891c7327dfa9f5e40eb0a5006f316951
- \Users\Admin\AppData\Local\Microsoft\config\runtime.exe
  Filesize: 15.1MB
  MD5: ae5d05ac0b0220574bc8319a930bc3ff
  SHA1: 502b51e5cdcf1f0402c6932c47ac4a06141b72cd
  SHA256: 0e149b9d526b500c16c62b77278869ca3d956e195b09dc84027f109a19ed9158
  SHA512: 3626b40d3b5259152fe08a159896dcb9d66a41cbbd39896a7239903a22d443279eb3192dd60153ba0719f747bdb357f99c64f598712998d30fc9c16f765143f5
- \Users\Admin\AppData\Local\Microsoft\config\runtime.exe
  Filesize: 14.3MB
  MD5: 1e2f9189a73d3d126b3ca9a110f70fc9
  SHA1: 1ef9607250b12385f15b6bcbc5c28b1a0cfd207d
  SHA256: c336258dfe9cde61a9f27ce2b24878ce1e8b8e2bfaf8de84df76fa1e58dfd95e
  SHA512: 7eb9da9ed349ffa0295a5b7a12052d8a1a4c15e6efb9dec66a52f61fe43cca0b044c2936dce3c8f3890439b82dc41c542c2c1a89774ca2dade962f7de7e440f3
- \Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
  Filesize: 520.4MB
  MD5: 30ae2ed4953f537de44ab93890b060fb
  SHA1: 94ee9c3093698d24675a2e739b9418f01bc07037
  SHA256: a86ec665ae77f6c9b5e2158be418fe1de70e0f1801a9d8576310f2740511398d
  SHA512: 6f45177e417c69e92c0304093a07bc2ca3f7829b0bd85f0c59a37ba0e724f458842c96494b0b2de7fd972d12d8dc9b6046aa0f38714af7bbd41420e027c65515
- \Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
  Filesize: 427.9MB
  MD5: 15b03f695bdba22893a44cf6ef705fdc
  SHA1: 0faa2aa0c6286065d7e904d709e10c50c790370b
  SHA256: 6f4982c583a332704cb0203438aaf14ae67f2a39602c6792508e53398720813b
  SHA512: e37c4abbafc31b7d32ab3bba819ef7237cc30d385d57d85a6480229b22a9ba1770fc10bd1adbde7ff1ddf2e1faaf1696b5f6a0e151f39947efe98a4a6c116b2d
Memory dumps (dump, region, filesize):
- memory/240-60: 0x000000001B390000-0x000000001B672000, 2.9MB
- memory/240-64: 0x00000000028D0000-0x0000000002950000, 512KB
- memory/240-63: 0x00000000028D0000-0x0000000002950000, 512KB
- memory/240-62: 0x00000000028D0000-0x0000000002950000, 512KB
- memory/240-61: 0x0000000001DE0000-0x0000000001DE8000, 32KB
- memory/1760-73: 0x0000000001ED0000-0x0000000001ED8000, 32KB
- memory/1760-72: 0x000000001B350000-0x000000001B632000, 2.9MB
- memory/1760-78: 0x0000000002750000-0x00000000027D0000, 512KB
- memory/1760-79: 0x0000000002750000-0x00000000027D0000, 512KB
- memory/1760-80: 0x0000000002750000-0x00000000027D0000, 512KB