Overview

overview

10

Static

static

10

1bz7KfahvUexe.exe

windows7-x64

10

1bz7KfahvUexe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2023 06:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1bz7KfahvUexe.exe

  • Size

    5.4MB

  • MD5

    e0d2634fe2b085685f0b71e66ac91ec9

  • SHA1

    c03d6b2218ffff1957a91f64d15ee1cbb57726fd

  • SHA256

    24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

  • SHA512

    48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8

  • SSDEEP

    49152:pyWMOEmrU4VWLP6zev05oej0EL9gCegK/efy5d8A45EG273LCV0UOQJUh9q101GF:Eq6PQn4/9GEp32VLV+h9sF

Score
10/10
aurorapersistencestealer

Malware Config

Extracted

Family

aurora

C2

167.235.58.189:456

Signatures

  • Aurora

    Aurora is a crypto wallet stealer written in Golang.

    stealeraurora
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bz7KfahvUexe.exe
    "C:\Users\Admin\AppData\Local\Temp\1bz7KfahvUexe.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
        3⤵
        • Creates scheduled task(s)
        PID:2280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
        3⤵
        • Creates scheduled task(s)
        PID:3932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Windows\system32\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
        3⤵
        • Creates scheduled task(s)
        PID:4948
  • C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
    C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
    1⤵
    • Executes dropped EXE
    PID:3204
  • C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
    C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
    1⤵
    • Executes dropped EXE
    PID:3980
  • C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
    1⤵
    • Executes dropped EXE
    PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    5caad758326454b5788ec35315c4c304

    SHA1

    3aef8dba8042662a7fcf97e51047dc636b4d4724

    SHA256

    83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

    SHA512

    4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    446dd1cf97eaba21cf14d03aebc79f27

    SHA1

    36e4cc7367e0c7b40f4a8ace272941ea46373799

    SHA256

    a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

    SHA512

    a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
    Filesize

    283.2MB

    MD5

    1acfe2c4a7dec0662773401224716026

    SHA1

    92130322edefd66535e890337598bba41ded3e18

    SHA256

    2df8eecea3caf3f3f0723718b006cdd31d518e5d64b932126920872308b6a186

    SHA512

    5b3cae772190d46bd10c4fc4c77b68b135c359e7dd8343bb344a06a9e8a3b82a8e568e404535ff1d6766bbde2c3db98816a65d667faa99d93d03dd3fc35b068b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
    Filesize

    269.6MB

    MD5

    31414c5df205d3f2a5e567199c8e3a6d

    SHA1

    a8a0e3d656c4f4c36f41ee95c77e334467af9991

    SHA256

    42bc459c0a8132f3acd0f1521422e14c2d17a84e20010c49098d93f94d967e2d

    SHA512

    9b74a695f4cd8da577d815feb004a862d3ae4165692e1f7cfb78d03f78a160a43e262855979bad2392f9d35e4b1abbe23bceef5103f0fcaa5aff3cc8ef6b55e2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
    Filesize

    414.8MB

    MD5

    c30141cf1f2f077d5222d576d22e870e

    SHA1

    3e309b7bda28e3a2c14c7321a49e3684db0b8167

    SHA256

    5e8c036de5858cb878335eac41f1c1fe06d1b9828c1dcd319763cad22b054d3c

    SHA512

    311ae8b573d0923aa1fc81099c841ab0789ecefb307274594ff1268f370184aee13511564a27f01906f089298d1e0b6690e5b73fd508419d7e6f625c75450573

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
    Filesize

    185.4MB

    MD5

    97561b51461a8b7c9ed6575f90ebea2c

    SHA1

    f089b12b9c253094ac72d1c05d473394738c857e

    SHA256

    105c14c356785566a764bb5b4bb7fe0fa71bf7dd1eaafb44a3ad4d06a9fe19a3

    SHA512

    f4d601169e329d8c025fbc466128ca127d729d499eda1bd79ba94588f478fb5a962a63d92fff45c12c7c26f34f894e8f614c08b3cef124c62d8291095ff3d1dc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
    Filesize

    192.4MB

    MD5

    49fd26cc8e09d8da4e486ff9ce732671

    SHA1

    cc5c420e6e23cc50d9b3e2f672f49f850d83c203

    SHA256

    334c06b5a0cc0859d7d3dee55b3a7d5751dadb3f01a1b37d6f3341304a019899

    SHA512

    215d4e0c7a3f1c1cd3d72869dafd1c194b59e47def1d581cdce64c9c2333f700bf765432f4c1d5ff1a19e336f3f8c45eb035f71f07467610958529062f02a2aa

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnpavkxj.01u.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
    Filesize

    281.6MB

    MD5

    bd6bacd2888a2c45330dac3f5bed60ce

    SHA1

    90a68879e16b4967b7b95690d929594918a58a61

    SHA256

    bdf34d8f69788f60329c78e21411fde680ec055f9ebdf84b82350243bb58dd06

    SHA512

    732b4a1fb9846e8f5abdbad1facb20b365592b7604588fc4d9eb66291aa4aefd91ece43c625a9d472fd2d4e97ff832c0a4866dad4c2bc28bef97437624695f05

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
    Filesize

    268.0MB

    MD5

    3a14b2a0f45c1a6e2a3edd2aa580f4bf

    SHA1

    b150bb69d34eee283486805b5c4569c756a98d5e

    SHA256

    9f3cb70e6457e0dde4427cc8bd0904509812a86750758c71040add5ea215b026

    SHA512

    e587220720a0b62f1e218b5e09a29afdc5aac077ad843135edb216384dcb1f4e0983f91ce0c80840eb8cbc7c0097fcfcc91e541296c14bc0258a316651fe6df2

    Download Submit
  • memory/1456-135-0x00000246A8860000-0x00000246A8882000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1456-146-0x00000246A6670000-0x00000246A6680000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1456-141-0x00000246A6670000-0x00000246A6680000-memory.dmp
    Filesize

    64KB

    Download