90f000c4b42f98f45fb2f4b7a3e180a26d354abcd30fa48717930bf044af8e58

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-02-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora/Aurora.exe
Size

1.1MB
MD5

38d563d90178c931132a5bd2dc05b76f
SHA1

4511b5462cddaf7835d20375f8e13087aedd3e5d
SHA256

a4cf6887caa6ca97d42659f9ab424c60cdfb41798f10bb429cb94379cd29ec83
SHA512

19810c3642d9d909a3632456c24837d021ffce267243e2d183f3c1ae3e8edd937df3e50ee26f3beae53a65a291283de801ee5581d7ac4582669879d8e97d9cfe
SSDEEP

24576:OlEXbCnFzRa860/IN7yUZoY/A6m9xzyysV2:5G9c3N7yUZoY/ALxz3sY

Score

10^/10

discovery spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Follow.pif

description pid process target process

PID 2372 created 1212 2372 Follow.pif Explorer.EXE
Drops startup file 1 IoCs

Processes:

RegAsm.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe RegAsm.exe
Executes dropped EXE 3 IoCs

Processes:

Follow.pifRegAsm.exeqemu-ga.exe

pid process

2372 Follow.pif
2348 RegAsm.exe
1108 qemu-ga.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeFollow.pifRegAsm.exe

pid process

2488 cmd.exe
2372 Follow.pif
2348 RegAsm.exe
2348 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2576 tasklist.exe
2568 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2424 PING.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Follow.pifRegAsm.exe

pid process

2372 Follow.pif
2372 Follow.pif
2372 Follow.pif
2372 Follow.pif
2348 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Follow.pif

pid process

2372 Follow.pif
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tasklist.exetasklist.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2576 tasklist.exe
Token: SeDebugPrivilege 2568 tasklist.exe
Token: SeDebugPrivilege 2348 RegAsm.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Follow.pif

pid process

2372 Follow.pif
2372 Follow.pif
2372 Follow.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Follow.pif

pid process

2372 Follow.pif
2372 Follow.pif
2372 Follow.pif

description	pid	process	target process
PID 2372 created 1212	2372	Follow.pif	Explorer.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	RegAsm.exe

pid	process
2372	Follow.pif
2348	RegAsm.exe
1108	qemu-ga.exe

pid	process
2488	cmd.exe
2372	Follow.pif
2348	RegAsm.exe
2348	RegAsm.exe

pid	process
2576	tasklist.exe
2568	tasklist.exe

pid	process
2424	PING.EXE

pid	process
2372	Follow.pif
2372	Follow.pif
2372	Follow.pif
2372	Follow.pif
2348	RegAsm.exe

pid	process
2372	Follow.pif

description	pid	process
Token: SeDebugPrivilege	2576	tasklist.exe
Token: SeDebugPrivilege	2568	tasklist.exe
Token: SeDebugPrivilege	2348	RegAsm.exe

pid	process
2372	Follow.pif
2372	Follow.pif
2372	Follow.pif

pid	process
2372	Follow.pif
2372	Follow.pif
2372	Follow.pif

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

Aurora.execmd.exeFollow.pifRegAsm.exe

description	pid	process	target process
PID 2180 wrote to memory of 2488	2180	Aurora.exe	cmd.exe
PID 2180 wrote to memory of 2488	2180	Aurora.exe	cmd.exe
PID 2180 wrote to memory of 2488	2180	Aurora.exe	cmd.exe
PID 2180 wrote to memory of 2488	2180	Aurora.exe	cmd.exe
PID 2488 wrote to memory of 2576	2488	cmd.exe	tasklist.exe
PID 2488 wrote to memory of 2576	2488	cmd.exe	tasklist.exe
PID 2488 wrote to memory of 2576	2488	cmd.exe	tasklist.exe
PID 2488 wrote to memory of 2576	2488	cmd.exe	tasklist.exe
PID 2488 wrote to memory of 2516	2488	cmd.exe	findstr.exe
PID 2488 wrote to memory of 2516	2488	cmd.exe	findstr.exe
PID 2488 wrote to memory of 2516	2488	cmd.exe	findstr.exe
PID 2488 wrote to memory of 2516	2488	cmd.exe	findstr.exe
PID 2488 wrote to memory of 2568	2488	cmd.exe	tasklist.exe
PID 2488 wrote to memory of 2568	2488	cmd.exe	tasklist.exe
PID 2488 wrote to memory of 2568	2488	cmd.exe	tasklist.exe
PID 2488 wrote to memory of 2568	2488	cmd.exe	tasklist.exe
PID 2488 wrote to memory of 2396	2488	cmd.exe	findstr.exe
PID 2488 wrote to memory of 2396	2488	cmd.exe	findstr.exe
PID 2488 wrote to memory of 2396	2488	cmd.exe	findstr.exe
PID 2488 wrote to memory of 2396	2488	cmd.exe	findstr.exe
PID 2488 wrote to memory of 2868	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2868	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2868	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2868	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2556	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2556	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2556	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2556	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2472	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2472	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2472	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2472	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 2372	2488	cmd.exe	Follow.pif
PID 2488 wrote to memory of 2372	2488	cmd.exe	Follow.pif
PID 2488 wrote to memory of 2372	2488	cmd.exe	Follow.pif
PID 2488 wrote to memory of 2372	2488	cmd.exe	Follow.pif
PID 2488 wrote to memory of 2424	2488	cmd.exe	PING.EXE
PID 2488 wrote to memory of 2424	2488	cmd.exe	PING.EXE
PID 2488 wrote to memory of 2424	2488	cmd.exe	PING.EXE
PID 2488 wrote to memory of 2424	2488	cmd.exe	PING.EXE
PID 2372 wrote to memory of 2348	2372	Follow.pif	RegAsm.exe
PID 2372 wrote to memory of 2348	2372	Follow.pif	RegAsm.exe
PID 2372 wrote to memory of 2348	2372	Follow.pif	RegAsm.exe
PID 2372 wrote to memory of 2348	2372	Follow.pif	RegAsm.exe
PID 2372 wrote to memory of 2348	2372	Follow.pif	RegAsm.exe
PID 2372 wrote to memory of 2348	2372	Follow.pif	RegAsm.exe
PID 2372 wrote to memory of 2348	2372	Follow.pif	RegAsm.exe
PID 2372 wrote to memory of 2348	2372	Follow.pif	RegAsm.exe
PID 2372 wrote to memory of 2348	2372	Follow.pif	RegAsm.exe
PID 2348 wrote to memory of 1108	2348	RegAsm.exe	qemu-ga.exe
PID 2348 wrote to memory of 1108	2348	RegAsm.exe	qemu-ga.exe
PID 2348 wrote to memory of 1108	2348	RegAsm.exe	qemu-ga.exe
PID 2348 wrote to memory of 1108	2348	RegAsm.exe	qemu-ga.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Sen Sen.bat & Sen.bat & exit
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:2516

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
cmd /c md 22465
4⤵
PID:2868

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Publications + Pants + Lovers + Modes + Kenneth 22465\Follow.pif
4⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Husband 22465\t
4⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22465\Follow.pif
22465\Follow.pif 22465\t
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:2424

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22465\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22465\RegAsm.exe
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
3⤵
- Executes dropped EXE
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Husband
Filesize
1.1MB

MD5
986cff60faca382fbcf9d6632ec5b2c3

SHA1
1a9bf3750b4d93c8920e0fe60886df1cdbcbb208

SHA256
8ef5b39ce66ab49df3e052b265d8adbecbbbcc8390f8aa992108671a7033bf8a

SHA512
d811e0ac82c55e8470418e2dbe98032057e1550f9c1f65bb69f1b4bc5ada9a849d355e1b7502bb67f7b0524458df93cdce9218c750cbbc633e2cf95b4b106f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Kenneth
Filesize
82KB

MD5
924b86096d7d8ec45ec0f96502f63714

SHA1
17e8dd51e3b3060ad58bcc8eb06a5e7af105bf70

SHA256
041c917b3737d721afee0b4ea10e4c9c9af0f3af3abaef5514f4f4018e6be9ad

SHA512
62b89cd1c8e8fedbfe95a3ddc35bdb4e3537fc9a60779a6016ddcbc077c1cda2fc9c63d51e28e20ca54154b53a5629bdb407a799d26f54be81c88313b76cd903

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lovers
Filesize
162KB

MD5
70a2d84c04d555dc3b79d71d94b9d086

SHA1
e474d8f0d9c31cdf1033985d408e337b6e88c0e9

SHA256
b539415140093c3e11841d194e1bf745515ebf6a372284d4763c24a8889f8b94

SHA512
888c89b268c0db7a50d689d6b5c11cf22a7fe3d171d69021d2dc1b8eb8d0c8148c3f41ee177d96c0eff752ac80c6d10dc305326c8a49ffd88e864c7b6327006d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Modes
Filesize
258KB

MD5
f7e8f703c3919dce79843592c370cb29

SHA1
4dfe3363eb3b8373c859ba48ce176484949f807e

SHA256
9b41b0904a3937684938c6aeb472e73a226bf364a40db8266c82b03949fb7023

SHA512
acf78d656ada7a02fcf2412268b0a511d7de1273a9bf5dc9c762bb914828541403ca5c95e68dc713c12e348f976535f7cc0e848d536fd85ac01936b383c04021

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Pants
Filesize
164KB

MD5
113fddce24cc705356a6e8dea6cc8126

SHA1
42dfb99a728b57ec610839cdbb9bf9d781493e1f

SHA256
297a0b0a0d232b93aaeb816ae0023baf7e2aa3fd82a442bbf97932f42eb41ad5

SHA512
9f4d41fc2c3695766ae501d52eba35e813e4e7c47da5a92f31530b500ae015d8791856300eab3de960afa37fe3680270499a7713abe29ff9e50036440a499331

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Publications
Filesize
258KB

MD5
adf24a0e56e0795db70356eaf45c68f9

SHA1
62783308f82d1b67ff799e05ce63057a17e61cde

SHA256
211d9d5ae01cb0591a840d277b1f419247801bdf47501e549c017f4417cb7c43

SHA512
7ab6a7e8d4fa170f3bdf7492ec4f2de873fb5f531741b723c466adc284676d673718b72e1cc3ca7e0527d89f9950a9ab36e4f8be29cffb81a7a3168cba0b48b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sen
Filesize
10KB

MD5
47242484a4c4add80cfe70e5c9ef26e8

SHA1
4f54561e6fa3d8a25bcee54b1d82a249b417e2d6

SHA256
739614fc4a8b39e85b5beee50e516d645ffcdae0c73492bebfe75b91d008eab3

SHA512
5ba733ebb3ea953e58349e09acd211519b312a26649e036a8454af6282f6b355f7d15eeaf89c1d79aa742ae6504e3e052db1f932728c9b2459352b036533ab89

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22465\Follow.pif
Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22465\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
memory/1108-48-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1108-47-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1108-46-0x00000000013D0000-0x00000000013D8000-memory.dmp

Filesize
32KB

Download
memory/2348-36-0x0000000000160000-0x00000000001F8000-memory.dmp

Filesize
608KB

Download
memory/2348-37-0x0000000000160000-0x00000000001F8000-memory.dmp

Filesize
608KB

Download
memory/2348-34-0x0000000000160000-0x00000000001F8000-memory.dmp

Filesize
608KB

Download
memory/2372-30-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2372-28-0x0000000077610000-0x00000000776E6000-memory.dmp

Filesize
856KB

Download