Analysis
max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-02-2024 19:16
Behavioral tasks (task: sample on resource)
behavioral1: Aurora V3.1.rar on win7-20240221-en
behavioral2: Aurora V3.1.rar on win10v2004-20240221-en
behavioral3: Aurora/Aurora.exe on win7-20240221-en
behavioral4: Aurora/Aurora.exe on win10v2004-20240221-en
behavioral5: Aurora/scripts/scripts.dll on win7-20240220-en
behavioral6: Aurora/scripts/scripts.dll on win10v2004-20240221-en
behavioral7: README.txt on win7-20240221-en
behavioral8: README.txt on win10v2004-20240221-en
General
Target: Aurora/Aurora.exe
Size: 1.1MB
MD5: 38d563d90178c931132a5bd2dc05b76f
SHA1: 4511b5462cddaf7835d20375f8e13087aedd3e5d
SHA256: a4cf6887caa6ca97d42659f9ab424c60cdfb41798f10bb429cb94379cd29ec83
SHA512: 19810c3642d9d909a3632456c24837d021ffce267243e2d183f3c1ae3e8edd937df3e50ee26f3beae53a65a291283de801ee5581d7ac4582669879d8e97d9cfe
SSDEEP: 24576:OlEXbCnFzRa860/IN7yUZoY/A6m9xzyysV2:5G9c3N7yUZoY/ALxz3sY
Malware Config
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes (description | pid | process | target process):
  PID 2372 created 1212 | 2372 | Follow.pif | Explorer.EXE

Drops startup file (1 IoC)
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | RegAsm.exe

Executes dropped EXE (3 IoCs)
Processes (pid | process):
  2372 | Follow.pif
  2348 | RegAsm.exe
  1108 | qemu-ga.exe

Loads dropped DLL (4 IoCs)
Processes (pid | process):
  2488 | cmd.exe
  2372 | Follow.pif
  2348 | RegAsm.exe
  2348 | RegAsm.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates processes with tasklist (1 TTP, 2 IoCs)
Processes (pid | process):
  2576 | tasklist.exe
  2568 | tasklist.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid | process):
  2372 | Follow.pif (4 times)
  2348 | RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
  2372 | Follow.pif

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 2576 | tasklist.exe
  Token: SeDebugPrivilege | 2568 | tasklist.exe
  Token: SeDebugPrivilege | 2348 | RegAsm.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes (pid | process):
  2372 | Follow.pif (3 times)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid | process):
  2372 | Follow.pif (3 times)

Suspicious use of WriteProcessMemory (53 IoCs)
Processes (description | pid | process | target process), identical rows collapsed with a count:
  PID 2180 wrote to memory of 2488 | 2180 | Aurora.exe | cmd.exe (4 times)
  PID 2488 wrote to memory of 2576 | 2488 | cmd.exe | tasklist.exe (4 times)
  PID 2488 wrote to memory of 2516 | 2488 | cmd.exe | findstr.exe (4 times)
  PID 2488 wrote to memory of 2568 | 2488 | cmd.exe | tasklist.exe (4 times)
  PID 2488 wrote to memory of 2396 | 2488 | cmd.exe | findstr.exe (4 times)
  PID 2488 wrote to memory of 2868 | 2488 | cmd.exe | cmd.exe (4 times)
  PID 2488 wrote to memory of 2556 | 2488 | cmd.exe | cmd.exe (4 times)
  PID 2488 wrote to memory of 2472 | 2488 | cmd.exe | cmd.exe (4 times)
  PID 2488 wrote to memory of 2372 | 2488 | cmd.exe | Follow.pif (4 times)
  PID 2488 wrote to memory of 2424 | 2488 | cmd.exe | PING.EXE (4 times)
  PID 2372 wrote to memory of 2348 | 2372 | Follow.pif | RegAsm.exe (9 times)
  PID 2348 wrote to memory of 1108 | 2348 | RegAsm.exe | qemu-ga.exe (4 times)
Processes (tree; each entry gives the image path, its command line, and the signatures triggered)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k move Sen Sen.bat & Sen.bat & exit
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

      C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "wrsa.exe opssvc.exe"

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c md 22465

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c copy /b Publications + Pants + Lovers + Modes + Kenneth 22465\Follow.pif

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c copy /b Husband 22465\t

      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22465\Follow.pif
        command line: 22465\Follow.pif 22465\t
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 5 127.0.0.1
        - Runs ping.exe

  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22465\RegAsm.exe
    command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22465\RegAsm.exe
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads