aurora | 24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

Analysis

max time kernel
72s
max time network
154s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01-07-2023 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bz7KfahvUexe.exe
Size

5.4MB
MD5

e0d2634fe2b085685f0b71e66ac91ec9
SHA1

c03d6b2218ffff1957a91f64d15ee1cbb57726fd
SHA256

24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4
SHA512

48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8
SSDEEP

49152:pyWMOEmrU4VWLP6zev05oej0EL9gCegK/efy5d8A45EG273LCV0UOQJUh9q101GF:Eq6PQn4/9GEp32VLV+h9sF

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

167.235.58.189:456

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Executes dropped EXE 3 IoCs

Processes:

runtime.exeruntime.exeruntime.exe

pid process

1532 runtime.exe
1976 runtime.exe
928 runtime.exe
Loads dropped DLL 6 IoCs

Processes:

taskeng.exe

pid process

1948 taskeng.exe
1948 taskeng.exe
1948 taskeng.exe
1948 taskeng.exe
1948 taskeng.exe
1948 taskeng.exe

pid	process
1532	runtime.exe
1976	runtime.exe
928	runtime.exe

pid	process
1948	taskeng.exe
1948	taskeng.exe
1948	taskeng.exe
1948	taskeng.exe
1948	taskeng.exe
1948	taskeng.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1bz7KfahvUexe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	1bz7KfahvUexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	1bz7KfahvUexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe"	1bz7KfahvUexe.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

360 schtasks.exe
1760 schtasks.exe
1344 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1836 powershell.exe
1104 powershell.exe
1620 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1836 powershell.exe
Token: SeDebugPrivilege 1104 powershell.exe
Token: SeDebugPrivilege 1620 powershell.exe

pid	process
360	schtasks.exe
1760	schtasks.exe
1344	schtasks.exe

pid	process
1836	powershell.exe
1104	powershell.exe
1620	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

1bz7KfahvUexe.exepowershell.exepowershell.exepowershell.exetaskeng.exe

description	pid	process	target process
PID 840 wrote to memory of 1836	840	1bz7KfahvUexe.exe	powershell.exe
PID 840 wrote to memory of 1836	840	1bz7KfahvUexe.exe	powershell.exe
PID 840 wrote to memory of 1836	840	1bz7KfahvUexe.exe	powershell.exe
PID 1836 wrote to memory of 360	1836	powershell.exe	schtasks.exe
PID 1836 wrote to memory of 360	1836	powershell.exe	schtasks.exe
PID 1836 wrote to memory of 360	1836	powershell.exe	schtasks.exe
PID 840 wrote to memory of 1104	840	1bz7KfahvUexe.exe	powershell.exe
PID 840 wrote to memory of 1104	840	1bz7KfahvUexe.exe	powershell.exe
PID 840 wrote to memory of 1104	840	1bz7KfahvUexe.exe	powershell.exe
PID 1104 wrote to memory of 1760	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 1760	1104	powershell.exe	schtasks.exe
PID 1104 wrote to memory of 1760	1104	powershell.exe	schtasks.exe
PID 840 wrote to memory of 1620	840	1bz7KfahvUexe.exe	powershell.exe
PID 840 wrote to memory of 1620	840	1bz7KfahvUexe.exe	powershell.exe
PID 840 wrote to memory of 1620	840	1bz7KfahvUexe.exe	powershell.exe
PID 1620 wrote to memory of 1344	1620	powershell.exe	schtasks.exe
PID 1620 wrote to memory of 1344	1620	powershell.exe	schtasks.exe
PID 1620 wrote to memory of 1344	1620	powershell.exe	schtasks.exe
PID 1948 wrote to memory of 1532	1948	taskeng.exe	runtime.exe
PID 1948 wrote to memory of 1532	1948	taskeng.exe	runtime.exe
PID 1948 wrote to memory of 1532	1948	taskeng.exe	runtime.exe
PID 1948 wrote to memory of 1976	1948	taskeng.exe	runtime.exe
PID 1948 wrote to memory of 1976	1948	taskeng.exe	runtime.exe
PID 1948 wrote to memory of 1976	1948	taskeng.exe	runtime.exe
PID 1948 wrote to memory of 928	1948	taskeng.exe	runtime.exe
PID 1948 wrote to memory of 928	1948	taskeng.exe	runtime.exe
PID 1948 wrote to memory of 928	1948	taskeng.exe	runtime.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1bz7KfahvUexe.exe
"C:\Users\Admin\AppData\Local\Temp\1bz7KfahvUexe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\taskeng.exe
taskeng.exe {44864F99-AAB3-4D8F-BEAD-690D421E1828} S-1-5-21-3950455397-3229124517-1686476975-1000:NNDGNFRP\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
2⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
2⤵
- Executes dropped EXE
PID:928

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
2⤵
- Executes dropped EXE
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
137.4MB

MD5
43315e90d1e673ac5d8db519a306078d

SHA1
cdbdaf9d97cb9ab70cd0b1238100692ae7c57414

SHA256
017b3d34a58ee7d86964bf825a05d90664233266175b3eee2215e3344e839b63

SHA512
91343f3fe482a2e1bbc425dfcdebbc5287e7042310e0ebffcac97a0859fab8746b9a123e4297d5d8c3e0679b7768c78b0c091e67c0d770557dc1c23d3f1435e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
174.8MB

MD5
f81be9c48900504e8402103b40f504a2

SHA1
004c87499359c3e671872271b88eb9b7670e2e26

SHA256
f97af7a92074374d6919cc887bf376541d3e5398483dac9d721fbc878466c4a7

SHA512
b96702acc92dc81239e6f45dfb2caf17c24952df3620ccab213c42a25c2161024b8717feb6d09bbd7008e4f9b5425c56ebebd8f49feb8ef297b308a1061cdc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
308.1MB

MD5
9b659128ed33a8438e98fc52a2badabb

SHA1
a2e1c92ebaf7dac8474b585e8367c62fce9031cc

SHA256
1cdbf0d1ad7b14d07097a1ef1d02dc9e6d8840f14a12e2aaf96cf5b762cf5cde

SHA512
29f978982a693847caecb818874ae40b1eacf1ce56265917338a95bb3840d86af49ce182001f8fbf1878534dad77b08662344568a6f549be6d677284d6b8d085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
177.4MB

MD5
e7c9f65d029f24eae1dee6815c5748aa

SHA1
46f6ce2301e4ab29857297984c776fa7329cb4ff

SHA256
5a3b41327df54901f1352aa1062c0516845544b53866253ff9dc25f57ce83665

SHA512
6cf923eceed3d1fa95733388b85d18a63957e49f091230cac2fc47672f1aaa01a9e24a42cc2429b7041a610083d9422f62fe17b8b051437b3548059b878bc61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
177.0MB

MD5
0987cf27024004a77edf91644a7d8097

SHA1
51259aa5c8f1d950f4ed962664e2427fb65bcd9a

SHA256
b178bb6dd24b2042965daa415b89cca24b7ce2c7bb7496d396d11e7142e1f018

SHA512
af94b1c634c151255280871f16a2b3b3ff27f5c661c2c996d5b3eb721d84a03c19a0795347f4bf27a73ef9357e02b638c70c740a1faf291fd9aef330129cc509

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
33d19fb71aab6d5f69e594480e7c44b3

SHA1
29575817e65acf7525b8fe8b58bb2ed4f1e0e240

SHA256
f1e94cbe54772c7ea2d6c7f75dcfe065cebf073e893508f78595e233d89e3126

SHA512
824d2b494581739741ad3e7b96b205e27bf26e9eb37657dc39e95d5b98bbcadb42908bd14307688ce90ea13528b8be58cdb2b8916be6a499c549be249010c58d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
33d19fb71aab6d5f69e594480e7c44b3

SHA1
29575817e65acf7525b8fe8b58bb2ed4f1e0e240

SHA256
f1e94cbe54772c7ea2d6c7f75dcfe065cebf073e893508f78595e233d89e3126

SHA512
824d2b494581739741ad3e7b96b205e27bf26e9eb37657dc39e95d5b98bbcadb42908bd14307688ce90ea13528b8be58cdb2b8916be6a499c549be249010c58d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S3V990FZ0FC7XMVYLIJ6.temp
Filesize
7KB

MD5
33d19fb71aab6d5f69e594480e7c44b3

SHA1
29575817e65acf7525b8fe8b58bb2ed4f1e0e240

SHA256
f1e94cbe54772c7ea2d6c7f75dcfe065cebf073e893508f78595e233d89e3126

SHA512
824d2b494581739741ad3e7b96b205e27bf26e9eb37657dc39e95d5b98bbcadb42908bd14307688ce90ea13528b8be58cdb2b8916be6a499c549be249010c58d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
177.6MB

MD5
fa7f4a2d968ac0673574fbab9c368c37

SHA1
a5dea4518204b47c906c9904eae1b45b71c083e0

SHA256
a0b260ba2e4740a9984caeed98675c8983b476edee543edf467354592e7aadc6

SHA512
578849e90db1179a3cf09399b22f9a8ca117e481c6a5d8d2f6f1ed33abaf803f80a811112c27854fabf9eb02293246208ea50010ba239bf618ab8157b1506acf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
174.0MB

MD5
ae40a447606914bacd536b060e4d2383

SHA1
1a8fca81d24786f0f0462423680c2ec36f001621

SHA256
80f764b404cd4600f49f38e8405b5aa281fd5e9ee18848ed54273b5f18a54227

SHA512
25bb4bbd8279b1ca819a2a29788088f9939bdd5de1d90a43036e2edaf1d222213d8d89b1f619d223e84838980a8884e598876f453b7b1fe8cae44f37339eacf5

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
177.7MB

MD5
aa9043df8892e3c117f8bbbdefff3b18

SHA1
4249a0e232dcc06950563f707667dad56e8a0668

SHA256
b38a1cb6e292b6ebec7c581b2dba252ff6f6e06ec5664bdcee54b25fd2c7bdb1

SHA512
3511c0e2e05354666d3fffc3ac9d9c66eb834f09b00c3576f39c8a48e2ea9500be73445af96c8958ff6525acabbcdc26576e73f5eddde2cb45c0204ac10f6bee

Download Submit
\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
178.8MB

MD5
29393e5930cf03e7decd9d69f44ffe43

SHA1
a97c14b126025f94f59a6a3ad209149572b4744d

SHA256
41ae394769aa99740be1ab0158a4a60f5da9881186864d21703074d22fe84e59

SHA512
434f6dfce08cb288423c91e36a888ae6a0ec3811175ea5bbaf86917707867747015c5357425e8757314713117269879d89a611247cab3e8f311e821cd2a4efd6

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
176.9MB

MD5
0d01c0d6482eab766d7a3583a86657a1

SHA1
54cb3d137dea489eaa20b443b775bed46207bf62

SHA256
c15ff27464eea3ad88313e82df70c94971fbce9ab8b805b9eadfebd244ff4f71

SHA512
434405bfd394f75045568b5d7c882fd6acdc26e6bfa2944e4b622047fef78bbf6a460f56510efcb0d744757e6af327e598aeab3bfa6ee22a758f7b7f62a05c7e

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
175.8MB

MD5
21a37c232867335f6713f6f52bfc0995

SHA1
76848ae7bbee9d0e26d5c19f40f6991a42c7404f

SHA256
9afeb7573c14772e4952cd7dffe8c5a7723d395441632798cf203ab41e350de4

SHA512
47d4c546f7f9afa84f350c80ac7af2038a570fc875a57f83a9766d7e9beba4e01a3fd598e32f9918d1c9f9af6e776a4b56c8f35892347c2c7f8613b43326dedb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
177.1MB

MD5
054312ccd7cc95deab948c933190ef0c

SHA1
d83a241d876c417623147f98e4eb3f3323c93532

SHA256
c8293d2f218e44f47b22f527053b3f06c4839b1d8347cc061c68b2c515ad20c4

SHA512
0fbac865ab419a585e61d1791522655670ed97d2ceb380ae066c8d5f2485a089a7848b2535e298902392e3e12a2032ffb15cccdb016157d11586270d2a1119d1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
177.7MB

MD5
aa9043df8892e3c117f8bbbdefff3b18

SHA1
4249a0e232dcc06950563f707667dad56e8a0668

SHA256
b38a1cb6e292b6ebec7c581b2dba252ff6f6e06ec5664bdcee54b25fd2c7bdb1

SHA512
3511c0e2e05354666d3fffc3ac9d9c66eb834f09b00c3576f39c8a48e2ea9500be73445af96c8958ff6525acabbcdc26576e73f5eddde2cb45c0204ac10f6bee

Download Submit
memory/1104-72-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1104-74-0x000000000292B000-0x0000000002962000-memory.dmp

Filesize
220KB

Download
memory/1104-73-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1104-71-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download
memory/1620-86-0x00000000024AB000-0x00000000024E2000-memory.dmp

Filesize
220KB

Download
memory/1620-85-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1620-84-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1620-83-0x00000000024A0000-0x0000000002520000-memory.dmp

Filesize
512KB

Download
memory/1836-60-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1836-63-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/1836-62-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1836-61-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download