Overview

overview

9

Static

static

9

Aurora/Aurora.exe

windows7-x64

7

Aurora/Aurora.exe

windows10-2004-x64

7

Aurora/scr...ts.dll

windows7-x64

1

Aurora/scr...ts.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    21-02-2024 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Aurora/Aurora.exe

  • Size

    1.9MB

  • MD5

    9c927e0518912c1fd2239b91f934f981

  • SHA1

    67cc0c7ca7ebef409dcd7c069c91f1b7a631213e

  • SHA256

    bf71a9c4389f5cae7a52782889b61b22efb70c5150d2e4288c3bd9cce720fd13

  • SHA512

    c4a6ea2a2308c649901f4a895c747efd60f8d5325e3ffe6b6387d06041013eb542b780c5281ae6beee38d1d25c3b079d49b9abc835641684b256ad40d3c89001

  • SSDEEP

    24576:mTHjsbvemd2l+QU1e2B5KZxDvAR+MWwY:mTHwC+Qh2BoIQM

Score
7/10
spyware

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe
    "C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
        3⤵
        • Executes dropped EXE
        PID:2544
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1740

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Cab1D43.tmp
      Filesize

      65KB

      MD5

      ac05d27423a85adc1622c714f2cb6184

      SHA1

      b0fe2b1abddb97837ea0195be70ab2ff14d43198

      SHA256

      c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

      SHA512

      6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar1D55.tmp
      Filesize

      171KB

      MD5

      9c0c641c06238516f27941aa1166d427

      SHA1

      64cd549fb8cf014fcd9312aa7a5b023847b6c977

      SHA256

      4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

      SHA512

      936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      Filesize

      4KB

      MD5

      a5ce3aba68bdb438e98b1d0c70a3d95c

      SHA1

      013f5aa9057bf0b3c0c24824de9d075434501354

      SHA256

      9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

      SHA512

      7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

      Download Submit
    • memory/2544-64-0x000007FEF6080000-0x000007FEF6A6C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2544-63-0x0000000000050000-0x0000000000058000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3016-21-0x0000000002120000-0x0000000002160000-memory.dmp
      Filesize

      256KB

      Download
    • memory/3016-18-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/3016-62-0x0000000074C70000-0x000000007535E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3016-20-0x0000000074C70000-0x000000007535E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3016-9-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/3016-10-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/3016-11-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/3016-12-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/3016-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3016-19-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/3016-17-0x0000000000400000-0x0000000000462000-memory.dmp
      Filesize

      392KB

      Download
    • memory/3052-6-0x00000000011A0000-0x00000000011E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/3052-16-0x00000000011A0000-0x00000000011E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/3052-1-0x0000000074C70000-0x000000007535E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3052-8-0x0000000000710000-0x0000000000716000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3052-5-0x00000000011A0000-0x00000000011E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/3052-4-0x0000000074C70000-0x000000007535E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3052-3-0x0000000004990000-0x00000000049D4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/3052-7-0x0000000000730000-0x000000000074A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3052-2-0x00000000011A0000-0x00000000011E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/3052-0-0x0000000001210000-0x00000000013F8000-memory.dmp
      Filesize

      1.9MB

      Download