e4e84e4c05fcabc3248a398ff3b4d14794f0c7591e192b3bfdb4ab3c9c1cd9ab

Analysis

max time kernel
67s
max time network
81s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora/web/bot.html
Size

50KB
MD5

f2ac5f00e667230fde09c37f8c462e2f
SHA1

04822b4470beaff59ddd9820b19c3581f77e6b0c
SHA256

8b1abbb51594b6f1d4e4681204ed97371bd3d60f093e38b80b8035058116ef1d
SHA512

2a80e943662830b4a66e75d86cbdda61e47e1c2a1fd9a0a42f4c79cd0e5e7c2bdf54d3569afed512bb40b506ec29bb2595c49c87102e820c615f339790c2b4a8
SSDEEP

384:ilTId+dEX5/WyAbFE/2kAE1lpFD6l+XqhzpP7OSpEtrri4p+HarVbmQfiJQfiGQD:iTEX4WJI+ZFQWbCFhUIB

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290171551590451"	chrome.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exe

pid process

4344 chrome.exe
4344 chrome.exe
4344 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4344 chrome.exe
4344 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe
Token: SeShutdownPrivilege	4344	chrome.exe
Token: SeCreatePagefilePrivilege	4344	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe
4344	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4344 wrote to memory of 4756	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 4756	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 3104	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 4144	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 4144	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe
PID 4344 wrote to memory of 112	4344	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" C:\Users\Admin\AppData\Local\Temp\Aurora\web\bot.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc38b59758,0x7ffc38b59768,0x7ffc38b59778
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1784,i,17064960649906824564,8948345012808172735,131072 /prefetch:2
2⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1784,i,17064960649906824564,8948345012808172735,131072 /prefetch:8
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1784,i,17064960649906824564,8948345012808172735,131072 /prefetch:8
2⤵
PID:112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3148 --field-trial-handle=1784,i,17064960649906824564,8948345012808172735,131072 /prefetch:1
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1784,i,17064960649906824564,8948345012808172735,131072 /prefetch:1
2⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1784,i,17064960649906824564,8948345012808172735,131072 /prefetch:8
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1784,i,17064960649906824564,8948345012808172735,131072 /prefetch:8
2⤵
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1784,i,17064960649906824564,8948345012808172735,131072 /prefetch:8
2⤵
PID:3500

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
537B

MD5
a5f025d0fd2d2bbdf2be7b3d9ff924dc

SHA1
ed4c9a5a8c6cca6adf92036af25927ff0c27358c

SHA256
4ce8f492e13d023d35c22c7ccb209c311f1276c96b799ee9e84db79dfee0c8dc

SHA512
636243f19175d2e088b020ec1d3abb0765916c1706687dfab741a9f78186bff14a835b236bd3f99da0fd7fdfcd662393fb4599d1c6a450623b7f4bf18662c65e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e68ed609b86472ac4eb3359510919d00

SHA1
d8a561986d504519930622f0167e91766c3a58ec

SHA256
44a604c6e04a1a9220f0a9c63bdb9a73125b980b1b8cb2a79351e396177f4471

SHA512
53ee3267b0894312e1a7d639727ffd9f93d443768a8c175ceed56d8e30fc1f5c413bbb036496645731600e776d0ab0a1a0da0fd613d5ff14731215ba7c623da0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d47a56607bbb0ab322a8fef59659a7af

SHA1
77585df2671f946ad8dce8b39da8824b9347d0d8

SHA256
bb19077110792da500f4c88eaf8d6e20e3949651dcc29322b8662532569c2e32

SHA512
ace7cbdc4d690f9fee79c2b3af21c39f44039cbf3ad4c827e02a94772e84288cfbfb0c85e24f6f3c03222ab678224ae39dd1b5f7931d98e6eb39dd5d6b347d2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
2109e6fe98e7544113cb2ee90009b9bc

SHA1
bb7ffc0939300fc4eee0a3d589f770364ff84ce4

SHA256
f1e23d9e8ef466b91b9485907ae6dd6844262b4f0dad0c255275af2338263ee0

SHA512
cee0cdb15cb92b1f2ab223e2e74f13bd2248305fc1c67f07d7d4dba2faf39f4aac91d54ffa4a298022b83228ccce3acf463f58de50a1981fbc9b92daca4cc28c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
151KB

MD5
d267028a86c91e27c6cb70d444c46b91

SHA1
0ddeb8960c604abfc48810f8fde00ffcc3a8001e

SHA256
3333c13e8e7d24e7f6f2260d893e002f81fc6bc638c98f1796b73c126350face

SHA512
4d8d303c36e4aec4b9240ea7a00d6e31e733cb44529bc6f472fc95d3eb75da91b0775157fe0ec82d038b52ffb51a2750d0090c15e60a35b203b376c50d506a16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4344_QTXWBTCLDMCMRWKS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit