aurora | 24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bz7KfahvU.exe
Size

5.4MB
MD5

e0d2634fe2b085685f0b71e66ac91ec9
SHA1

c03d6b2218ffff1957a91f64d15ee1cbb57726fd
SHA256

24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4
SHA512

48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8
SSDEEP

49152:pyWMOEmrU4VWLP6zev05oej0EL9gCegK/efy5d8A45EG273LCV0UOQJUh9q101GF:Eq6PQn4/9GEp32VLV+h9sF

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

167.235.58.189:456

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Executes dropped EXE 3 IoCs

Processes:

runtime.exeruntime.exeruntime.exe

pid process

1272 runtime.exe
4136 runtime.exe
4872 runtime.exe

pid	process
1272	runtime.exe
4136	runtime.exe
4872	runtime.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1bz7KfahvU.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe"	1bz7KfahvU.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4376 schtasks.exe
2276 schtasks.exe
2384 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2228 powershell.exe
2228 powershell.exe
4916 powershell.exe
4916 powershell.exe
4296 powershell.exe
4296 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2228 powershell.exe
Token: SeDebugPrivilege 4916 powershell.exe
Token: SeDebugPrivilege 4296 powershell.exe

pid	process
4376	schtasks.exe
2276	schtasks.exe
2384	schtasks.exe

pid	process
2228	powershell.exe
2228	powershell.exe
4916	powershell.exe
4916	powershell.exe
4296	powershell.exe
4296	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1bz7KfahvU.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3532 wrote to memory of 2228	3532	1bz7KfahvU.exe	powershell.exe
PID 3532 wrote to memory of 2228	3532	1bz7KfahvU.exe	powershell.exe
PID 2228 wrote to memory of 4376	2228	powershell.exe	schtasks.exe
PID 2228 wrote to memory of 4376	2228	powershell.exe	schtasks.exe
PID 3532 wrote to memory of 4916	3532	1bz7KfahvU.exe	powershell.exe
PID 3532 wrote to memory of 4916	3532	1bz7KfahvU.exe	powershell.exe
PID 4916 wrote to memory of 2276	4916	powershell.exe	schtasks.exe
PID 4916 wrote to memory of 2276	4916	powershell.exe	schtasks.exe
PID 3532 wrote to memory of 4296	3532	1bz7KfahvU.exe	powershell.exe
PID 3532 wrote to memory of 4296	3532	1bz7KfahvU.exe	powershell.exe
PID 4296 wrote to memory of 2384	4296	powershell.exe	schtasks.exe
PID 4296 wrote to memory of 2384	4296	powershell.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1bz7KfahvU.exe
"C:\Users\Admin\AppData\Local\Temp\1bz7KfahvU.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:4376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:2384

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
- Executes dropped EXE
PID:4136

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
- Executes dropped EXE
PID:4872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
227.2MB

MD5
7d7fc05dffdd1920250b8f2aa4af3959

SHA1
0ae64733075203122be0baedd4eefca22fc1402a

SHA256
3ff2423d73a03b7113872e7154373fb346a826a7bd1f4cd7577e15764ce47ff8

SHA512
73daec7a287fa7119fe44cf71b3780c4c51159f5562a80e6e6da73206954cf76af513c85cd7684eb003141bacb7c1449366d7023fa6d4f37631dc53b6eaae68c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
240.1MB

MD5
6be5a50b3f59c33f1090655dd5413087

SHA1
f91e8dee7e0fcf811ea791afdb59b7429bb4af75

SHA256
8f3f7ee6322657fd985c7d2f9fbdfa7d9a18ea45a807118360e3c37b88d40408

SHA512
34926c4bd88c0ca15c02ce7c24df0da2a76c9a21238ffc99a87c2ed916aaa6ca17f85c332b7490a9e4e90a0386582cd472790f00c195ce7865bf0dc2fa1bcf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
724.1MB

MD5
19607d9788d5ccab0bf2da92e9dc939e

SHA1
a5eabf95f32bbaf70e0f6ef4585658456a4ac90f

SHA256
c9aa04f5a65400002194f972a66fb29f3b81cf3c24d2858cea51aa4a36e28054

SHA512
fdb6bdbf15ddb3f00bcf8372e5a06a89b115e885f30bda3c741e2ee6d0d8c900407657379f74a682c2f7a14574287dd6914d80704386e55f8129f70cf4f89da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
308.4MB

MD5
58dd3684c6faa59b466271d47c3342b8

SHA1
1f26bd735dd55864a09adf6615593fd651abb0df

SHA256
6f7c7d0ba0978c2f1346ff8bdf94eb2b73ef5ebc7cbaa01381b2bd13bae2d7d6

SHA512
a4af80f27d8279a73907dfa8f231ea7ea16d00ee4101dd50d2ecc1a67b8c7f7eb2ad0a86f4f30ed12b4755dbf0745c53ffd097824816ea0aa5b8ab31e0de4187

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
314.4MB

MD5
67fdd395f9b30fd72e51882a1157bfd6

SHA1
33692b6d242becb78bf12640b35367b033504597

SHA256
e4d3685ab9d9ca9ba6385e741b4abe702b6dd748a6cf5a140eed196073f19c1d

SHA512
ac37f9840033c9e435a14371581f571d01d5b4bcc888d56297337ec33df745978a0e218db811491eb346e922da64821a925849d0fc0aa00b484c67f793e3d792

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iq5a4bb1.3dw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
307.2MB

MD5
683363ec7b13422690f20730c2eb6cc4

SHA1
fe7aa45b44992f0909395452c398fe335a2e359f

SHA256
2d690d531589bcca1643a03d770229ffdb48034454f0791788160d9fb9222ed0

SHA512
c8ed0891ed2abf81af958d7cfa5f871b89a7891b45084a5e5247551e1d4e4300aca71849636e95563bac6e12c01cf517a42910ebf8abeed5568b3580a168cceb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
321.2MB

MD5
a9981b4e685d1035019b5bf811870602

SHA1
221d56a4da81cdba671c9e07b34e34cbeb609f46

SHA256
4646afae456c184f27fe5b61daed6db9ee9c5495cc37c400b8f71ebd966331c8

SHA512
f1c3ebefe6ef251dcbdaeafdef1534de3d6b588168d4d39b8f9b351d8ef649d3dbc269b7e2c1c5ec9adba897a69922a6e54f592c66c6d2178a17d397f05161d7

Download Submit
memory/2228-178-0x000001FD26270000-0x000001FD26280000-memory.dmp

Filesize
64KB

Download
memory/2228-147-0x000001FD26270000-0x000001FD26280000-memory.dmp

Filesize
64KB

Download
memory/2228-140-0x000001FD3F1C0000-0x000001FD3F1E2000-memory.dmp

Filesize
136KB

Download
memory/4296-174-0x000001B57E630000-0x000001B57E640000-memory.dmp

Filesize
64KB

Download
memory/4296-175-0x000001B57E630000-0x000001B57E640000-memory.dmp

Filesize
64KB

Download
memory/4296-176-0x000001B57E630000-0x000001B57E640000-memory.dmp

Filesize
64KB

Download