aurora | 24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

Analysis

max time kernel
22s
max time network
153s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bz7KfahvU.exe
Size

5.4MB
MD5

e0d2634fe2b085685f0b71e66ac91ec9
SHA1

c03d6b2218ffff1957a91f64d15ee1cbb57726fd
SHA256

24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4
SHA512

48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8
SSDEEP

49152:pyWMOEmrU4VWLP6zev05oej0EL9gCegK/efy5d8A45EG273LCV0UOQJUh9q101GF:Eq6PQn4/9GEp32VLV+h9sF

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

167.235.58.189:456

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Executes dropped EXE 3 IoCs

Processes:

runtime.exeruntime.exeruntime.exe

pid process

1172 runtime.exe
1180 runtime.exe
916 runtime.exe
Loads dropped DLL 6 IoCs

Processes:

taskeng.exe

pid process

692 taskeng.exe
692 taskeng.exe
692 taskeng.exe
692 taskeng.exe
692 taskeng.exe
692 taskeng.exe

pid	process
1172	runtime.exe
1180	runtime.exe
916	runtime.exe

pid	process
692	taskeng.exe
692	taskeng.exe
692	taskeng.exe
692	taskeng.exe
692	taskeng.exe
692	taskeng.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1bz7KfahvU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

572 schtasks.exe
1056 schtasks.exe
1592 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2000 powershell.exe
836 powershell.exe
1000 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2000 powershell.exe
Token: SeDebugPrivilege 836 powershell.exe
Token: SeDebugPrivilege 1000 powershell.exe

pid	process
572	schtasks.exe
1056	schtasks.exe
1592	schtasks.exe

pid	process
2000	powershell.exe
836	powershell.exe
1000	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

1bz7KfahvU.exepowershell.exepowershell.exepowershell.exetaskeng.exe

description	pid	process	target process
PID 2036 wrote to memory of 2000	2036	1bz7KfahvU.exe	powershell.exe
PID 2036 wrote to memory of 2000	2036	1bz7KfahvU.exe	powershell.exe
PID 2036 wrote to memory of 2000	2036	1bz7KfahvU.exe	powershell.exe
PID 2000 wrote to memory of 572	2000	powershell.exe	schtasks.exe
PID 2000 wrote to memory of 572	2000	powershell.exe	schtasks.exe
PID 2000 wrote to memory of 572	2000	powershell.exe	schtasks.exe
PID 2036 wrote to memory of 836	2036	1bz7KfahvU.exe	powershell.exe
PID 2036 wrote to memory of 836	2036	1bz7KfahvU.exe	powershell.exe
PID 2036 wrote to memory of 836	2036	1bz7KfahvU.exe	powershell.exe
PID 836 wrote to memory of 1056	836	powershell.exe	schtasks.exe
PID 836 wrote to memory of 1056	836	powershell.exe	schtasks.exe
PID 836 wrote to memory of 1056	836	powershell.exe	schtasks.exe
PID 2036 wrote to memory of 1000	2036	1bz7KfahvU.exe	powershell.exe
PID 2036 wrote to memory of 1000	2036	1bz7KfahvU.exe	powershell.exe
PID 2036 wrote to memory of 1000	2036	1bz7KfahvU.exe	powershell.exe
PID 1000 wrote to memory of 1592	1000	powershell.exe	schtasks.exe
PID 1000 wrote to memory of 1592	1000	powershell.exe	schtasks.exe
PID 1000 wrote to memory of 1592	1000	powershell.exe	schtasks.exe
PID 692 wrote to memory of 1172	692	taskeng.exe	runtime.exe
PID 692 wrote to memory of 1172	692	taskeng.exe	runtime.exe
PID 692 wrote to memory of 1172	692	taskeng.exe	runtime.exe
PID 692 wrote to memory of 1180	692	taskeng.exe	runtime.exe
PID 692 wrote to memory of 1180	692	taskeng.exe	runtime.exe
PID 692 wrote to memory of 1180	692	taskeng.exe	runtime.exe
PID 692 wrote to memory of 916	692	taskeng.exe	runtime.exe
PID 692 wrote to memory of 916	692	taskeng.exe	runtime.exe
PID 692 wrote to memory of 916	692	taskeng.exe	runtime.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1bz7KfahvU.exe
"C:\Users\Admin\AppData\Local\Temp\1bz7KfahvU.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\taskeng.exe
taskeng.exe {D7E8741E-54AD-40FF-962D-F4BA7510220D} S-1-5-21-1306246566-3334493410-3785284834-1000:FQMLBKKW\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:692

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
2⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
2⤵
- Executes dropped EXE
PID:1180

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
2⤵
- Executes dropped EXE
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
111.2MB

MD5
53b38f04e69f67a1654bb70dde356db4

SHA1
42d600c123be5308fd64382f5aa76b37b0dae911

SHA256
c59a69389b2df640d70c463f963d1692e4c710e3a71a516c7b96d63c553d1822

SHA512
aa430ff89cb1a98184fb3db23fc89be0bcf168b2639754c5902b911c574f913bd17e1b126871dd5711300200c564c554d9be33e16c19c7ea5c6e0c209f2122c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
156.1MB

MD5
2b73d427c8ac7338b5a1715be099fbef

SHA1
51c634735c32afd3dfc487357f507eefb82ee314

SHA256
d1e392d3106d68c5a8b93462fbda23740cf163970504ee5ed465af565696bad9

SHA512
bbff2a4bd2e162c877a978e2cb5d1a2345aaf7550ad1fc7d6354aa717c560f6302f3894a42eef6a9cd09ec019f7ad7fda2347f8306314225a7d6ef9128b2dd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
402.5MB

MD5
74b1df4af03f1d1935c531da07c0bfbb

SHA1
f6ccb8b4a5c34056aaa4df45fa0f16b382891fc9

SHA256
fe949194368d8fd57b102384ea6bb02850b091fef7f9d38998d5cec19f461329

SHA512
7745b9573dd6d5c25e5797928c83cfbd3f1fced4e3d87899a098bd21133bbc2a577b5bc4785028b7c0fdeddeb15607f98991c4d25e347b4f26d6c03366ff7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
158.9MB

MD5
865221b9bdd367143b8f3cb416fbb595

SHA1
5bcd3fbf015ea9ddc28b3c3448dedc402731fb47

SHA256
f9202681e14813dbc18b15e2f5fcc07b9a0d6a6f68fcac6a2b606edae61136f0

SHA512
ee3738b499d96aeaf68124b78a0b1e61919c1be2c680788cc78f9008590955aae03a32720678498500533baf252ab1c8547322432ff29f2d9a76256c6ee16499

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
158.4MB

MD5
f0125d190de946e74414364b2dcc4b05

SHA1
eab6bfcec33e80e14cc16e8d808f4567490498a5

SHA256
66a3b3e7d2724034e295732b052b7fa28cfb2e0effe62c83b6ec2237d8040d47

SHA512
0d7c3ed9a09353fe0df926a166806cedf13ce870d7868b798346c79d329de1ece405b46c7f5a249932fb4545873dc6508573c29d683df8c4a5388b656fbaa399

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a2aeec9e471320c628b368203fd81a4a

SHA1
1ca77f34d6c1b8eb0d25bfdce925cf6834ecadb8

SHA256
8e57fba9bc638bd4dd0e138b5cde3d6cd36377342c28f181bebe12c5c601f040

SHA512
2ac58ed90ee5ea0a0c748a4753b068669fffa4dd8c0592680f397ad170348bb2f46d93fa612b450086230119d2154e16fe5fe0c9a52baa3e10ae3aa1437375aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a2aeec9e471320c628b368203fd81a4a

SHA1
1ca77f34d6c1b8eb0d25bfdce925cf6834ecadb8

SHA256
8e57fba9bc638bd4dd0e138b5cde3d6cd36377342c28f181bebe12c5c601f040

SHA512
2ac58ed90ee5ea0a0c748a4753b068669fffa4dd8c0592680f397ad170348bb2f46d93fa612b450086230119d2154e16fe5fe0c9a52baa3e10ae3aa1437375aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SBJ5GVALQKP0Q9P8KX8P.temp
Filesize
7KB

MD5
a2aeec9e471320c628b368203fd81a4a

SHA1
1ca77f34d6c1b8eb0d25bfdce925cf6834ecadb8

SHA256
8e57fba9bc638bd4dd0e138b5cde3d6cd36377342c28f181bebe12c5c601f040

SHA512
2ac58ed90ee5ea0a0c748a4753b068669fffa4dd8c0592680f397ad170348bb2f46d93fa612b450086230119d2154e16fe5fe0c9a52baa3e10ae3aa1437375aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
148.2MB

MD5
c5d55111108f730ff9b3514faaa3f459

SHA1
0dab1db0524695e3519f5e775342773b8ae2e01c

SHA256
cbb9fe99c8d22e0ca138a5dd2edfa52b9b296cb499be534dd6dccd742af6daa8

SHA512
9e51397b5f8aa2ba827679932de593eb80afa7eb2aafc96a3fc2990907c80785f181b6ac3457d022d22bf0bac3cb60178c356144796d2e3c3ebf8cc7261eee7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
156.2MB

MD5
fe35d8d623ec6e218ea44d5ad4d04890

SHA1
5cf368756c45ee31772f66b2073d226c4d73473c

SHA256
f67cbe1dcdbd784ef6f5de6d9b824f3fe548b3e16fb84bd2c30a7246a90f0d49

SHA512
b973cd8ac57995f56d06acb446be2fd9bc803c1e4489f3c6e1280cf66914b2066058175b745902c22bec257c8b2c7c089e319700cc69ba22a62968c768423417

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
160.8MB

MD5
33f55f0d9e77853dd037e23fc78c0791

SHA1
072965f04fecec8acc1eb08f884e38e8977cdd2a

SHA256
f821d2f385e6f00ee14cbe8c8b435ed22029cb74578c9559a69628dd81411d62

SHA512
5bd8a1af811333f3e222e8e2d61490446c5f0b82a56e3053301f3212a37140b8751600c9a5a9f4bd07410f5eb2d340d8f252379fd654ac2ca9205046aa06fe5a

Download Submit
\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
156.6MB

MD5
2bb4b96595ce629e12dbeda547236b63

SHA1
1ec3a519149047de6af22dc1a24c6b3a25aa05bc

SHA256
f31e5de2f85cd86773244c29f082927385c0dc1945bae162dfc5cf700fee2017

SHA512
bd55e633d8705da168b4ec4b4754940ef4f0b7efd31f5601734299cf520a2a34b18b921c3433d13e68b1ccb285e85c08e47a700845e8fddc24f48c867d0d9471

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
159.2MB

MD5
68571ccd3631ce72d47f5454243c1e13

SHA1
bd1cd9a9426e2d0d707a7aacb390a1fbea8b3b22

SHA256
143fb7ae2be811dd29e2d81295d81b4c0fcd594f5880609e421955dc65613f20

SHA512
d251237e16a946796c7cc5fb2f919ce8bd0c215f8d2d7158a1d9ec75fd24e5751de7e04b0f2722b427bc64b8512e9bc9c99105739a51ec8c5919a54efbd64a1f

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
159.1MB

MD5
de1e67c1a9010b22fd5f4f12f7fe7735

SHA1
964eeb96ec89cdeab5b9d97065124dffa8a19c91

SHA256
1f16d608593b3d9aca4e9affb7ca95c3a1c0e8ba944891ef2088212df2a02def

SHA512
dc1c9bd3bc94fa853283ffc483c6ea72b4b6d8d7c1d03de81be1f81e84644317f81bff86a01980f1b8d51b269159380be572e89e2f95843009b4b3abe98d4089

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
158.6MB

MD5
384c2caffa5c34ab6097289b88052ec2

SHA1
08281664a117f2b9772d08f39262fd0aa8a0326c

SHA256
2db97bf4c30ecbb545833e76dd2d8a143aec96ec46e0f21e0335762963016b00

SHA512
38e738dbcb59f7cd3426991d6747128645084420a8f0c7ae10ef3e866f060b60ec11b017a9506e540abc6c3b9b8ba00c32631cc06638f0f3b7de9d7724f01141

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
156.3MB

MD5
bca39d2f1d4d24593267cac8bbaeeb72

SHA1
5a6ee37b30d18cbd1c7048ddcd0d4fce08a94bdf

SHA256
9582f3b5bd7088817f478f7c5a2bf2b6c36a3b727d6a9926fd53a4a60d48f2c8

SHA512
b2962d1f28805e9700b6c6c4d122cbf90ceb6b0e0292126154bae9a30760a66a82382a09dced9c2c37535e0fac5173d55a5d20ebd48481682df1c3ef67b0bcf1

Download Submit
memory/836-73-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/836-74-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/836-75-0x0000000002874000-0x0000000002877000-memory.dmp

Filesize
12KB

Download
memory/836-76-0x000000000287B000-0x00000000028B2000-memory.dmp

Filesize
220KB

Download
memory/1000-86-0x000000000293B000-0x0000000002972000-memory.dmp

Filesize
220KB

Download
memory/1000-85-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2000-60-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2000-62-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2000-63-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2000-64-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2000-65-0x00000000027F0000-0x0000000002870000-memory.dmp

Filesize
512KB

Download
memory/2000-61-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download